diff --git a/components/bt/CMakeLists.txt b/components/bt/CMakeLists.txt index a480217f73..7937c14244 100644 --- a/components/bt/CMakeLists.txt +++ b/components/bt/CMakeLists.txt @@ -41,10 +41,6 @@ set(ble_mesh_include_dirs "esp_ble_mesh/api" ) -set(ble_mesh_tinycrypt_dirs - "esp_ble_mesh/common/tinycrypt/include" -) - set(ble_mesh_v11_include_dirs "esp_ble_mesh/lib/include" "esp_ble_mesh/v1.1/api/core/include" @@ -525,6 +521,13 @@ if(CONFIG_BT_ENABLED) endif() if(CONFIG_BLE_MESH) + + if(CONFIG_BLE_MESH_USE_UNIFIED_CRYPTO) + message(WARNING "This configuration path is deprecated and will be removed" + "in a future version. Please use the corresponding Kconfig" + "options under $IDF_PATH/components/bt/common/Kconfig.") + endif() + list(APPEND include_dirs ${ble_mesh_include_dirs}) list(APPEND srcs "esp_ble_mesh/api/core/esp_ble_mesh_ble_api.c" @@ -558,8 +561,7 @@ if(CONFIG_BT_ENABLED) "esp_ble_mesh/common/utils.c") # Select crypto implementation based on config - if(CONFIG_BT_SMP_CRYPTO_STACK_TINYCRYPT OR - CONFIG_BT_SMP_CRYPTO_STACK_NATIVE) + if(CONFIG_BT_SMP_CRYPTO_STACK_TINYCRYPT) list(APPEND srcs "esp_ble_mesh/common/crypto_tc.c") elseif(CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) if(CONFIG_MBEDTLS_VER_4_X_SUPPORT) @@ -611,25 +613,6 @@ if(CONFIG_BT_ENABLED) "esp_ble_mesh/models/server/state_transition.c" "esp_ble_mesh/models/server/time_scene_server.c") - if(CONFIG_BT_SMP_CRYPTO_STACK_NATIVE) - list(APPEND include_dirs ${ble_mesh_tinycrypt_dirs}) - list(APPEND srcs - "esp_ble_mesh/common/tinycrypt/src/aes_decrypt.c" - "esp_ble_mesh/common/tinycrypt/src/aes_encrypt.c" - "esp_ble_mesh/common/tinycrypt/src/cbc_mode.c" - "esp_ble_mesh/common/tinycrypt/src/ccm_mode.c" - "esp_ble_mesh/common/tinycrypt/src/cmac_mode.c" - "esp_ble_mesh/common/tinycrypt/src/ctr_mode.c" - "esp_ble_mesh/common/tinycrypt/src/ctr_prng.c" - "esp_ble_mesh/common/tinycrypt/src/ecc_dh.c" - "esp_ble_mesh/common/tinycrypt/src/ecc_dsa.c" - "esp_ble_mesh/common/tinycrypt/src/ecc_platform_specific.c" - "esp_ble_mesh/common/tinycrypt/src/ecc.c" - "esp_ble_mesh/common/tinycrypt/src/hmac_prng.c" - "esp_ble_mesh/common/tinycrypt/src/hmac.c" - "esp_ble_mesh/common/tinycrypt/src/sha256.c" - "esp_ble_mesh/common/tinycrypt/src/utils.c") - endif() if(CONFIG_BLE_MESH_V11_SUPPORT) list(APPEND include_dirs ${ble_mesh_v11_include_dirs}) @@ -745,8 +728,7 @@ if(CONFIG_BT_ENABLED) # 1. Controller uses TinyCrypt (not mbedTLS), OR # 2. NimBLE uses TinyCrypt (not mbedTLS), OR # 3. Bluedroid Host SMP uses TinyCrypt - if(CONFIG_BT_SMP_CRYPTO_STACK_TINYCRYPT OR - (NOT CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS AND NOT CONFIG_BT_NIMBLE_CRYPTO_STACK_MBEDTLS)) + if(CONFIG_BT_SMP_CRYPTO_STACK_TINYCRYPT OR NOT CONFIG_BT_NIMBLE_CRYPTO_STACK_MBEDTLS) list(APPEND include_dirs common/tinycrypt/include common/tinycrypt/port diff --git a/components/bt/common/Kconfig.in b/components/bt/common/Kconfig.in index 654e11b391..f1551b22f0 100644 --- a/components/bt/common/Kconfig.in +++ b/components/bt/common/Kconfig.in @@ -8,19 +8,11 @@ config BT_ALARM_MAX_NUM choice BT_SMP_CRYPTO_STACK prompt "SMP cryptographic stack" - depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE || BT_NIMBLE_SECURITY_ENABLE) + depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE || BT_NIMBLE_SECURITY_ENABLE || BT_LE_SECURITY_ENABLE) default BT_SMP_CRYPTO_STACK_TINYCRYPT help Select the cryptographic library to use for SMP operations (AES, AES-CMAC, ECDH P-256). - config BT_SMP_CRYPTO_STACK_NATIVE - bool "Native Bluedroid implementation" - depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE) - help - Use the built-in Bluedroid cryptographic implementation. - This provides compatibility with all features. - This option is only available for Bluedroid host. - config BT_SMP_CRYPTO_STACK_TINYCRYPT bool "TinyCrypt" help diff --git a/components/bt/controller/esp32c2/Kconfig.in b/components/bt/controller/esp32c2/Kconfig.in index 36db52c46c..a6b86e07a0 100644 --- a/components/bt/controller/esp32c2/Kconfig.in +++ b/components/bt/controller/esp32c2/Kconfig.in @@ -431,15 +431,6 @@ config BT_LE_LL_CFG_FEAT_LE_ENCRYPTION help Enable encryption connection -config BT_LE_CRYPTO_STACK_MBEDTLS - bool "Override TinyCrypt with mbedTLS for crypto computations" - default y - depends on !BT_NIMBLE_ENABLED - select MBEDTLS_CMAC_C - help - Enable this option to choose mbedTLS instead of TinyCrypt for crypto - computations. - config BT_LE_WHITELIST_SIZE int "BLE white list size" range 1 31 diff --git a/components/bt/controller/esp32c2/bt.c b/components/bt/controller/esp32c2/bt.c index ce5d61d9ce..3b65d50f9a 100644 --- a/components/bt/controller/esp32c2/bt.c +++ b/components/bt/controller/esp32c2/bt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -232,10 +232,10 @@ static void esp_bt_ctrl_log_partition_get_and_erase_first_block(void); #if CONFIG_FREERTOS_USE_TICKLESS_IDLE static bool esp_bt_check_wakeup_by_bt(void); #endif // CONFIG_FREERTOS_USE_TICKLESS_IDLE -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) #include "tinycrypt/ecc.h" static int ecc_rand_func(uint8_t *dst, unsigned int len); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) /* Local variable definition *************************************************************************** */ @@ -1028,9 +1028,9 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) ESP_LOGW(NIMBLE_PORT_LOG_TAG, "hci transport init failed %d", ret); goto free_controller; } -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) uECC_set_rng(ecc_rand_func); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) return ESP_OK; free_controller: hci_transport_deinit(); @@ -1443,7 +1443,7 @@ uint8_t esp_ble_get_chip_rev_version(void) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS #include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC #include "mbedtls/cipher.h" @@ -1488,7 +1488,7 @@ static int ecc_rand_func(uint8_t *dst, unsigned int len) #endif // CONFIG_BT_CONTROLLER_ONLY #endif // CONFIG_BT_LE_SM_SC -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Based on Core Specification 4.2 Vol 3. Part H 2.3.5.6.1 */ static const uint8_t ble_sm_alg_dbg_priv_key[32] = { @@ -1509,7 +1509,7 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS struct mbedtls_ecp_point pt = {0}, Q = {0}; mbedtls_mpi z = {0}, d = {0}; mbedtls_ctr_drbg_context ctr_drbg = {0}; @@ -1586,13 +1586,13 @@ exit: if (rc == TC_CRYPTO_FAIL) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS swap_buf(out_dhkey, dh, 32); return 0; } -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; @@ -1637,7 +1637,7 @@ exit: return 0; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /** * pub: 64 bytes @@ -1653,7 +1653,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) uint8_t pk[64]; do { -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS if (mbedtls_gen_keypair(pk, priv) != 0) { return BLE_SM_KEY_ERR; } @@ -1661,7 +1661,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) if (uECC_make_key(pk, priv, uECC_secp256r1()) != TC_CRYPTO_SUCCESS) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); diff --git a/components/bt/controller/esp32c5/Kconfig.in b/components/bt/controller/esp32c5/Kconfig.in index 1cf2122f27..05343cee41 100644 --- a/components/bt/controller/esp32c5/Kconfig.in +++ b/components/bt/controller/esp32c5/Kconfig.in @@ -501,15 +501,6 @@ config BT_LE_LL_CFG_FEAT_LE_ENCRYPTION help Enable encryption connection -config BT_LE_CRYPTO_STACK_MBEDTLS - bool "Override TinyCrypt with mbedTLS for crypto computations" - default y - depends on !BT_NIMBLE_ENABLED - select MBEDTLS_CMAC_C - help - Enable this option to choose mbedTLS instead of TinyCrypt for crypto - computations. - config BT_LE_WHITELIST_SIZE int "BLE white list size" range 1 31 diff --git a/components/bt/controller/esp32c5/bt.c b/components/bt/controller/esp32c5/bt.c index d16dcddc65..708d04f1f1 100644 --- a/components/bt/controller/esp32c5/bt.c +++ b/components/bt/controller/esp32c5/bt.c @@ -221,10 +221,10 @@ static void esp_bt_ctrl_log_partition_get_and_erase_first_block(void); #if CONFIG_FREERTOS_USE_TICKLESS_IDLE static bool esp_bt_check_wakeup_by_bt(void); #endif // CONFIG_FREERTOS_USE_TICKLESS_IDLE -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) #include "tinycrypt/ecc.h" static int ecc_rand_func(uint8_t *dst, unsigned int len); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) /* Local variable definition *************************************************************************** */ @@ -1128,9 +1128,9 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) ESP_LOGW(NIMBLE_PORT_LOG_TAG, "Controller lib version mismatch!"); } -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) uECC_set_rng(ecc_rand_func); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) return ESP_OK; free_controller: hci_transport_deinit(); @@ -1583,7 +1583,7 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS #include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC #include "mbedtls/cipher.h" @@ -1625,7 +1625,7 @@ static int ecc_rand_func(uint8_t *dst, unsigned int len) } #endif // CONFIG_BT_CONTROLLER_ONLY #endif // CONFIG_BT_LE_SM_SC -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Based on Core Specification 4.2 Vol 3. Part H 2.3.5.6.1 */ static const uint8_t ble_sm_alg_dbg_priv_key[32] = { @@ -1646,7 +1646,7 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS struct mbedtls_ecp_point pt = {0}, Q = {0}; mbedtls_mpi z = {0}, d = {0}; mbedtls_ctr_drbg_context ctr_drbg = {0}; @@ -1723,13 +1723,13 @@ exit: if (rc == TC_CRYPTO_FAIL) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS swap_buf(out_dhkey, dh, 32); return 0; } -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; @@ -1774,7 +1774,7 @@ exit: return 0; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /** * pub: 64 bytes @@ -1790,7 +1790,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) uint8_t pk[64]; do { -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS if (mbedtls_gen_keypair(pk, priv) != 0) { return BLE_SM_KEY_ERR; } @@ -1798,7 +1798,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) if (uECC_make_key(pk, priv, uECC_secp256r1()) != TC_CRYPTO_SUCCESS) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); diff --git a/components/bt/controller/esp32c6/Kconfig.in b/components/bt/controller/esp32c6/Kconfig.in index 8b430c96a7..ce16ee80a3 100644 --- a/components/bt/controller/esp32c6/Kconfig.in +++ b/components/bt/controller/esp32c6/Kconfig.in @@ -532,15 +532,6 @@ config BT_LE_LL_CFG_FEAT_LE_ENCRYPTION help Enable encryption connection -config BT_LE_CRYPTO_STACK_MBEDTLS - bool "Override TinyCrypt with mbedTLS for crypto computations" - default y - depends on !BT_NIMBLE_ENABLED - select MBEDTLS_CMAC_C - help - Enable this option to choose mbedTLS instead of TinyCrypt for crypto - computations. - config BT_LE_WHITELIST_SIZE int "BLE white list size" range 1 31 diff --git a/components/bt/controller/esp32c6/bt.c b/components/bt/controller/esp32c6/bt.c index 6531b7059f..7b669a6b17 100644 --- a/components/bt/controller/esp32c6/bt.c +++ b/components/bt/controller/esp32c6/bt.c @@ -236,10 +236,10 @@ static void esp_bt_ctrl_log_partition_get_and_erase_first_block(void); static bool esp_bt_check_wakeup_by_bt(void); #endif // CONFIG_FREERTOS_USE_TICKLESS_IDLE -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) #include "tinycrypt/ecc.h" static int ecc_rand_func(uint8_t *dst, unsigned int len); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) /* Local variable definition *************************************************************************** */ @@ -1211,9 +1211,9 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) ESP_LOGW(NIMBLE_PORT_LOG_TAG, "Controller lib version mismatch!"); } -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) uECC_set_rng(ecc_rand_func); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) return ESP_OK; free_controller: hci_transport_deinit(); @@ -1665,7 +1665,7 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS #include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC #include "mbedtls/cipher.h" @@ -1708,7 +1708,7 @@ static int ecc_rand_func(uint8_t *dst, unsigned int len) } #endif // CONFIG_BT_CONTROLLER_ONLY #endif // CONFIG_BT_LE_SM_SC -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Based on Core Specification 4.2 Vol 3. Part H 2.3.5.6.1 */ static const uint8_t ble_sm_alg_dbg_priv_key[32] = { @@ -1729,7 +1729,7 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS struct mbedtls_ecp_point pt = {0}, Q = {0}; mbedtls_mpi z = {0}, d = {0}; mbedtls_ctr_drbg_context ctr_drbg = {0}; @@ -1806,13 +1806,13 @@ exit: if (rc == TC_CRYPTO_FAIL) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS swap_buf(out_dhkey, dh, 32); return 0; } -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; @@ -1857,7 +1857,7 @@ exit: return 0; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /** * pub: 64 bytes @@ -1873,7 +1873,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) uint8_t pk[64]; do { -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS if (mbedtls_gen_keypair(pk, priv) != 0) { return BLE_SM_KEY_ERR; } @@ -1881,7 +1881,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) if (uECC_make_key(pk, priv, uECC_secp256r1()) != TC_CRYPTO_SUCCESS) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); diff --git a/components/bt/controller/esp32h2/Kconfig.in b/components/bt/controller/esp32h2/Kconfig.in index 8f92508aba..e1d856813a 100644 --- a/components/bt/controller/esp32h2/Kconfig.in +++ b/components/bt/controller/esp32h2/Kconfig.in @@ -526,15 +526,6 @@ config BT_LE_LL_CFG_FEAT_LE_ENCRYPTION help Enable encryption connection -config BT_LE_CRYPTO_STACK_MBEDTLS - bool "Override TinyCrypt with mbedTLS for crypto computations" - default y - depends on !BT_NIMBLE_ENABLED - select MBEDTLS_CMAC_C - help - Enable this option to choose mbedTLS instead of TinyCrypt for crypto - computations. - config BT_LE_WHITELIST_SIZE int "BLE white list size" range 1 31 diff --git a/components/bt/controller/esp32h2/bt.c b/components/bt/controller/esp32h2/bt.c index b266cb5279..03bba58d7e 100644 --- a/components/bt/controller/esp32h2/bt.c +++ b/components/bt/controller/esp32h2/bt.c @@ -229,10 +229,10 @@ static void esp_bt_ctrl_log_partition_get_and_erase_first_block(void); #if CONFIG_FREERTOS_USE_TICKLESS_IDLE static bool esp_bt_check_wakeup_by_bt(void); #endif // CONFIG_FREERTOS_USE_TICKLESS_IDLE -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) #include "tinycrypt/ecc.h" static int ecc_rand_func(uint8_t *dst, unsigned int len); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) /* Local variable definition *************************************************************************** */ @@ -1163,9 +1163,9 @@ esp_err_t esp_bt_controller_init(esp_bt_controller_config_t *cfg) ESP_LOGW(NIMBLE_PORT_LOG_TAG, "Controller lib version mismatch!"); } -#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#if (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) uECC_set_rng(ecc_rand_func); -#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS) +#endif // (CONFIG_BT_CONTROLLER_ONLY) && (CONFIG_BT_LE_SM_SC) && (!CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS) return ESP_OK; free_controller: hci_transport_deinit(); @@ -1615,7 +1615,7 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS #include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC #include "mbedtls/cipher.h" @@ -1658,7 +1658,7 @@ static int ecc_rand_func(uint8_t *dst, unsigned int len) } #endif // CONFIG_BT_CONTROLLER_ONLY #endif // CONFIG_BT_LE_SM_SC -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Based on Core Specification 4.2 Vol 3. Part H 2.3.5.6.1 */ static const uint8_t ble_sm_alg_dbg_priv_key[32] = { @@ -1679,7 +1679,7 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS struct mbedtls_ecp_point pt = {0}, Q = {0}; mbedtls_mpi z = {0}, d = {0}; mbedtls_ctr_drbg_context ctr_drbg = {0}; @@ -1756,13 +1756,13 @@ exit: if (rc == TC_CRYPTO_FAIL) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS swap_buf(out_dhkey, dh, 32); return 0; } -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; @@ -1807,7 +1807,7 @@ exit: return 0; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /** * pub: 64 bytes @@ -1823,7 +1823,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) uint8_t pk[64]; do { -#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#if CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS if (mbedtls_gen_keypair(pk, priv) != 0) { return BLE_SM_KEY_ERR; } @@ -1831,7 +1831,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) if (uECC_make_key(pk, priv, uECC_secp256r1()) != TC_CRYPTO_SUCCESS) { return BLE_SM_KEY_ERR; } -#endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS +#endif // CONFIG_BT_SMP_CRYPTO_STACK_MBEDTLS /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); diff --git a/components/bt/esp_ble_mesh/Kconfig.in b/components/bt/esp_ble_mesh/Kconfig.in index 896b3541c5..27989394c5 100644 --- a/components/bt/esp_ble_mesh/Kconfig.in +++ b/components/bt/esp_ble_mesh/Kconfig.in @@ -23,13 +23,12 @@ if BLE_MESH advertising packets. config BLE_MESH_USE_UNIFIED_CRYPTO - bool "Use the unified BLE tinycrypt implementation" - depends on !BT_LE_CRYPTO_STACK_MBEDTLS && !BT_NIMBLE_CRYPTO_STACK_MBEDTLS - default y if BT_SMP_CRYPTO_STACK_TINYCRYPT + bool "Use the unified BLE tinycrypt implementation(Deprecated)" default n help - Enable this option to use the unified BLE tinycrypt solution - instead of the default one in BLE Mesh stack. + This configuration path is deprecated and will be removed + in a future version. Please use the corresponding Kconfig + options under $IDF_PATH/components/bt/common/Kconfig. menuconfig BLE_MESH_USE_BLE_50 bool "Support using BLE 5.0 APIs for BLE Mesh" diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/aes.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/aes.h deleted file mode 100644 index aa636c7d4f..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/aes.h +++ /dev/null @@ -1,130 +0,0 @@ -/* aes.h - TinyCrypt interface to an AES-128 implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief -- Interface to an AES-128 implementation. - * - * Overview: AES-128 is a NIST approved block cipher specified in - * FIPS 197. Block ciphers are deterministic algorithms that - * perform a transformation specified by a symmetric key in fixed- - * length data sets, also called blocks. - * - * Security: AES-128 provides approximately 128 bits of security. - * - * Usage: 1) call tc_aes128_set_encrypt/decrypt_key to set the key. - * - * 2) call tc_aes_encrypt/decrypt to process the data. - */ - -#ifndef __BLE_MESH_TC_AES_H__ -#define __BLE_MESH_TC_AES_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#define Nb (4) /* number of columns (32-bit words) comprising the state */ -#define Nk (4) /* number of 32-bit words comprising the key */ -#define Nr (10) /* number of rounds */ -#define TC_AES_BLOCK_SIZE (Nb*Nk) -#define TC_AES_KEY_SIZE (Nb*Nk) - -typedef struct tc_aes_key_sched_struct { - unsigned int words[Nb * (Nr + 1)]; -} *TCAesKeySched_t; - -/** - * @brief Set AES-128 encryption key - * Uses key k to initialize s - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: s == NULL or k == NULL - * @note This implementation skips the additional steps required for keys - * larger than 128 bits, and must not be used for AES-192 or - * AES-256 key schedule -- see FIPS 197 for details - * @param s IN/OUT -- initialized struct tc_aes_key_sched_struct - * @param k IN -- points to the AES key - */ -int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k); - -/** - * @brief AES-128 Encryption procedure - * Encrypts contents of in buffer into out buffer under key; - * schedule s - * @note Assumes s was initialized by aes_set_encrypt_key; - * out and in point to 16 byte buffers - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: out == NULL or in == NULL or s == NULL - * @param out IN/OUT -- buffer to receive ciphertext block - * @param in IN -- a plaintext block to encrypt - * @param s IN -- initialized AES key schedule - */ -int tc_aes_encrypt(uint8_t *out, const uint8_t *in, - const TCAesKeySched_t s); - -/** - * @brief Set the AES-128 decryption key - * Uses key k to initialize s - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: s == NULL or k == NULL - * @note This is the implementation of the straightforward inverse cipher - * using the cipher documented in FIPS-197 figure 12, not the - * equivalent inverse cipher presented in Figure 15 - * @warning This routine skips the additional steps required for keys larger - * than 128, and must not be used for AES-192 or AES-256 key - * schedule -- see FIPS 197 for details - * @param s IN/OUT -- initialized struct tc_aes_key_sched_struct - * @param k IN -- points to the AES key - */ -int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k); - -/** - * @brief AES-128 Encryption procedure - * Decrypts in buffer into out buffer under key schedule s - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: out is NULL or in is NULL or s is NULL - * @note Assumes s was initialized by aes_set_encrypt_key - * out and in point to 16 byte buffers - * @param out IN/OUT -- buffer to receive ciphertext block - * @param in IN -- a plaintext block to encrypt - * @param s IN -- initialized AES key schedule - */ -int tc_aes_decrypt(uint8_t *out, const uint8_t *in, - const TCAesKeySched_t s); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_AES_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cbc_mode.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cbc_mode.h deleted file mode 100644 index 4be3d95e56..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cbc_mode.h +++ /dev/null @@ -1,151 +0,0 @@ -/* cbc_mode.h - TinyCrypt interface to a CBC mode implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to a CBC mode implementation. - * - * Overview: CBC (for "cipher block chaining") mode is a NIST approved mode of - * operation defined in SP 800-38a. It can be used with any block - * cipher to provide confidentiality of strings whose lengths are - * multiples of the block_size of the underlying block cipher. - * TinyCrypt hard codes AES as the block cipher. - * - * Security: CBC mode provides data confidentiality given that the maximum - * number q of blocks encrypted under a single key satisfies - * q < 2^63, which is not a practical constraint (it is considered a - * good practice to replace the encryption when q == 2^56). CBC mode - * provides NO data integrity. - * - * CBC mode assumes that the IV value input into the - * tc_cbc_mode_encrypt is randomly generated. The TinyCrypt library - * provides HMAC-PRNG module, which generates suitable IVs. Other - * methods for generating IVs are acceptable, provided that the - * values of the IVs generated appear random to any adversary, - * including someone with complete knowledge of the system design. - * - * The randomness property on which CBC mode's security depends is - * the unpredictability of the IV. Since it is unpredictable, this - * means in practice that CBC mode requires that the IV is stored - * somehow with the ciphertext in order to recover the plaintext. - * - * TinyCrypt CBC encryption prepends the IV to the ciphertext, - * because this affords a more efficient (few buffers) decryption. - * Hence tc_cbc_mode_encrypt assumes the ciphertext buffer is always - * 16 bytes larger than the plaintext buffer. - * - * Requires: AES-128 - * - * Usage: 1) call tc_cbc_mode_encrypt to encrypt data. - * - * 2) call tc_cbc_mode_decrypt to decrypt data. - * - */ - -#ifndef __BLE_MESH_TC_CBC_MODE_H__ -#define __BLE_MESH_TC_CBC_MODE_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * @brief CBC encryption procedure - * CBC encrypts inlen bytes of the in buffer into the out buffer - * using the encryption key schedule provided, prepends iv to out - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * in == NULL or - * ctr == NULL or - * sched == NULL or - * inlen == 0 or - * (inlen % TC_AES_BLOCK_SIZE) != 0 or - * (outlen % TC_AES_BLOCK_SIZE) != 0 or - * outlen != inlen + TC_AES_BLOCK_SIZE - * @note Assumes: - sched has been configured by aes_set_encrypt_key - * - iv contains a 16 byte random string - * - out buffer is large enough to hold the ciphertext + iv - * - out buffer is a contiguous buffer - * - in holds the plaintext and is a contiguous buffer - * - inlen gives the number of bytes in the in buffer - * @param out IN/OUT -- buffer to receive the ciphertext - * @param outlen IN -- length of ciphertext buffer in bytes - * @param in IN -- plaintext to encrypt - * @param inlen IN -- length of plaintext buffer in bytes - * @param iv IN -- the IV for the this encrypt/decrypt - * @param sched IN -- AES key schedule for this encrypt - */ -int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, const uint8_t *iv, - const TCAesKeySched_t sched); - -/** - * @brief CBC decryption procedure - * CBC decrypts inlen bytes of the in buffer into the out buffer - * using the provided encryption key schedule - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * in == NULL or - * sched == NULL or - * inlen == 0 or - * outlen == 0 or - * (inlen % TC_AES_BLOCK_SIZE) != 0 or - * (outlen % TC_AES_BLOCK_SIZE) != 0 or - * outlen != inlen + TC_AES_BLOCK_SIZE - * @note Assumes:- in == iv + ciphertext, i.e. the iv and the ciphertext are - * contiguous. This allows for a very efficient decryption - * algorithm that would not otherwise be possible - * - sched was configured by aes_set_decrypt_key - * - out buffer is large enough to hold the decrypted plaintext - * and is a contiguous buffer - * - inlen gives the number of bytes in the in buffer - * @param out IN/OUT -- buffer to receive decrypted data - * @param outlen IN -- length of plaintext buffer in bytes - * @param in IN -- ciphertext to decrypt, including IV - * @param inlen IN -- length of ciphertext buffer in bytes - * @param iv IN -- the IV for the this encrypt/decrypt - * @param sched IN -- AES key schedule for this decrypt - * - */ -int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, const uint8_t *iv, - const TCAesKeySched_t sched); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CBC_MODE_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ccm_mode.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ccm_mode.h deleted file mode 100644 index 1f85c76e61..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ccm_mode.h +++ /dev/null @@ -1,211 +0,0 @@ -/* ccm_mode.h - TinyCrypt interface to a CCM mode implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to a CCM mode implementation. - * - * Overview: CCM (for "Counter with CBC-MAC") mode is a NIST approved mode of - * operation defined in SP 800-38C. - * - * TinyCrypt CCM implementation accepts: - * - * 1) Both non-empty payload and associated data (it encrypts and - * authenticates the payload and also authenticates the associated - * data); - * 2) Non-empty payload and empty associated data (it encrypts and - * authenticates the payload); - * 3) Non-empty associated data and empty payload (it degenerates to - * an authentication mode on the associated data). - * - * TinyCrypt CCM implementation accepts associated data of any length - * between 0 and (2^16 - 2^8) bytes. - * - * Security: The mac length parameter is an important parameter to estimate the - * security against collision attacks (that aim at finding different - * messages that produce the same authentication tag). TinyCrypt CCM - * implementation accepts any even integer between 4 and 16, as - * suggested in SP 800-38C. - * - * RFC-3610, which also specifies CCM, presents a few relevant - * security suggestions, such as: it is recommended for most - * applications to use a mac length greater than 8. Besides, the - * usage of the same nonce for two different messages which are - * encrypted with the same key destroys the security of CCM mode. - * - * Requires: AES-128 - * - * Usage: 1) call tc_ccm_config to configure. - * - * 2) call tc_ccm_mode_encrypt to encrypt data and generate tag. - * - * 3) call tc_ccm_mode_decrypt to decrypt data and verify tag. - */ - -#ifndef __BLE_MESH_TC_CCM_MODE_H__ -#define __BLE_MESH_TC_CCM_MODE_H__ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* max additional authenticated size in bytes: 2^16 - 2^8 = 65280 */ -#define TC_CCM_AAD_MAX_BYTES 0xff00 - -/* max message size in bytes: 2^(8L) = 2^16 = 65536 */ -#define TC_CCM_PAYLOAD_MAX_BYTES 0x10000 - -/* struct tc_ccm_mode_struct represents the state of a CCM computation */ -typedef struct tc_ccm_mode_struct { - TCAesKeySched_t sched; /* AES key schedule */ - uint8_t *nonce; /* nonce required by CCM */ - unsigned int mlen; /* mac length in bytes (parameter t in SP-800 38C) */ -} *TCCcmMode_t; - -/** - * @brief CCM configuration procedure - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * c == NULL or - * sched == NULL or - * nonce == NULL or - * mlen != {4, 6, 8, 10, 12, 16} - * @param c -- CCM state - * @param sched IN -- AES key schedule - * @param nonce IN - nonce - * @param nlen -- nonce length in bytes - * @param mlen -- mac length in bytes (parameter t in SP-800 38C) - */ -int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, - unsigned int nlen, unsigned int mlen); - -/** - * @brief CCM tag generation and encryption procedure - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * c == NULL or - * ((plen > 0) and (payload == NULL)) or - * ((alen > 0) and (associated_data == NULL)) or - * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or - * (olen < plen + maclength) - * - * @param out OUT -- encrypted data - * @param olen IN -- output length in bytes - * @param associated_data IN -- associated data - * @param alen IN -- associated data length in bytes - * @param payload IN -- payload - * @param plen IN -- payload length in bytes - * @param c IN -- CCM state - * - * @note: out buffer should be at least (plen + c->mlen) bytes long. - * - * @note: The sequence b for encryption is formatted as follows: - * b = [FLAGS | nonce | counter ], where: - * FLAGS is 1 byte long - * nonce is 13 bytes long - * counter is 2 bytes long - * The byte FLAGS is composed by the following 8 bits: - * 0-2 bits: used to represent the value of q-1 - * 3-7 btis: always 0's - * - * @note: The sequence b for authentication is formatted as follows: - * b = [FLAGS | nonce | length(mac length)], where: - * FLAGS is 1 byte long - * nonce is 13 bytes long - * length(mac length) is 2 bytes long - * The byte FLAGS is composed by the following 8 bits: - * 0-2 bits: used to represent the value of q-1 - * 3-5 bits: mac length (encoded as: (mlen-2)/2) - * 6: Adata (0 if alen == 0, and 1 otherwise) - * 7: always 0 - */ -int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen, - const uint8_t *associated_data, - unsigned int alen, const uint8_t *payload, - unsigned int plen, TCCcmMode_t c); - -/** - * @brief CCM decryption and tag verification procedure - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * c == NULL or - * ((plen > 0) and (payload == NULL)) or - * ((alen > 0) and (associated_data == NULL)) or - * (alen >= TC_CCM_AAD_MAX_BYTES) or - * (plen >= TC_CCM_PAYLOAD_MAX_BYTES) or - * (olen < plen - c->mlen) - * - * @param out OUT -- decrypted data - * @param associated_data IN -- associated data - * @param alen IN -- associated data length in bytes - * @param payload IN -- payload - * @param plen IN -- payload length in bytes - * @param c IN -- CCM state - * - * @note: out buffer should be at least (plen - c->mlen) bytes long. - * - * @note: The sequence b for encryption is formatted as follows: - * b = [FLAGS | nonce | counter ], where: - * FLAGS is 1 byte long - * nonce is 13 bytes long - * counter is 2 bytes long - * The byte FLAGS is composed by the following 8 bits: - * 0-2 bits: used to represent the value of q-1 - * 3-7 btis: always 0's - * - * @note: The sequence b for authentication is formatted as follows: - * b = [FLAGS | nonce | length(mac length)], where: - * FLAGS is 1 byte long - * nonce is 13 bytes long - * length(mac length) is 2 bytes long - * The byte FLAGS is composed by the following 8 bits: - * 0-2 bits: used to represent the value of q-1 - * 3-5 bits: mac length (encoded as: (mlen-2)/2) - * 6: Adata (0 if alen == 0, and 1 otherwise) - * 7: always 0 - */ -int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen, - const uint8_t *associated_data, - unsigned int alen, const uint8_t *payload, unsigned int plen, - TCCcmMode_t c); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CCM_MODE_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cmac_mode.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cmac_mode.h deleted file mode 100644 index cf0b3601b2..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cmac_mode.h +++ /dev/null @@ -1,194 +0,0 @@ -/* cmac_mode.h -- interface to a CMAC implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to a CMAC implementation. - * - * Overview: CMAC is defined NIST in SP 800-38B, and is the standard algorithm - * for computing a MAC using a block cipher. It can compute the MAC - * for a byte string of any length. It is distinguished from CBC-MAC - * in the processing of the final message block; CMAC uses a - * different technique to compute the final message block is full - * size or only partial, while CBC-MAC uses the same technique for - * both. This difference permits CMAC to be applied to variable - * length messages, while all messages authenticated by CBC-MAC must - * be the same length. - * - * Security: AES128-CMAC mode of operation offers 64 bits of security against - * collision attacks. Note however that an external attacker cannot - * generate the tags him/herself without knowing the MAC key. In this - * sense, to attack the collision property of AES128-CMAC, an - * external attacker would need the cooperation of the legal user to - * produce an exponentially high number of tags (e.g. 2^64) to - * finally be able to look for collisions and benefit from them. As - * an extra precaution, the current implementation allows to at most - * 2^48 calls to the tc_cmac_update function before re-calling - * tc_cmac_setup (allowing a new key to be set), as suggested in - * Appendix B of SP 800-38B. - * - * Requires: AES-128 - * - * Usage: This implementation provides a "scatter-gather" interface, so that - * the CMAC value can be computed incrementally over a message - * scattered in different segments throughout memory. Experience shows - * this style of interface tends to minimize the burden of programming - * correctly. Like all symmetric key operations, it is session - * oriented. - * - * To begin a CMAC session, use tc_cmac_setup to initialize a struct - * tc_cmac_struct with encryption key and buffer. Our implementation - * always assume that the AES key to be the same size as the block - * cipher block size. Once setup, this data structure can be used for - * many CMAC computations. - * - * Once the state has been setup with a key, computing the CMAC of - * some data requires three steps: - * - * (1) first use tc_cmac_init to initialize a new CMAC computation. - * (2) next mix all of the data into the CMAC computation state using - * tc_cmac_update. If all of the data resides in a single data - * segment then only one tc_cmac_update call is needed; if data - * is scattered throughout memory in n data segments, then n calls - * will be needed. CMAC IS ORDER SENSITIVE, to be able to detect - * attacks that swap bytes, so the order in which data is mixed - * into the state is critical! - * (3) Once all of the data for a message has been mixed, use - * tc_cmac_final to compute the CMAC tag value. - * - * Steps (1)-(3) can be repeated as many times as you want to CMAC - * multiple messages. A practical limit is 2^48 1K messages before you - * have to change the key. - * - * Once you are done computing CMAC with a key, it is a good idea to - * destroy the state so an attacker cannot recover the key; use - * tc_cmac_erase to accomplish this. - */ - -#ifndef __BLE_MESH_TC_CMAC_MODE_H__ -#define __BLE_MESH_TC_CMAC_MODE_H__ - -#include - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* padding for last message block */ -#define TC_CMAC_PADDING 0x80 - -/* struct tc_cmac_struct represents the state of a CMAC computation */ -typedef struct tc_cmac_struct { - /* initialization vector */ - uint8_t iv[TC_AES_BLOCK_SIZE]; - /* used if message length is a multiple of block_size bytes */ - uint8_t K1[TC_AES_BLOCK_SIZE]; - /* used if message length isn't a multiple block_size bytes */ - uint8_t K2[TC_AES_BLOCK_SIZE]; - /* where to put bytes that didn't fill a block */ - uint8_t leftover[TC_AES_BLOCK_SIZE]; - /* identifies the encryption key */ - unsigned int keyid; - /* next available leftover location */ - unsigned int leftover_offset; - /* AES key schedule */ - TCAesKeySched_t sched; - /* calls to tc_cmac_update left before re-key */ - uint64_t countdown; -} *TCCmacState_t; - -/** - * @brief Configures the CMAC state to use the given AES key - * @return returns TC_CRYPTO_SUCCESS (1) after having configured the CMAC state - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL or - * key == NULL - * - * @param s IN/OUT -- the state to set up - * @param key IN -- the key to use - * @param sched IN -- AES key schedule - */ -int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, - TCAesKeySched_t sched); - -/** - * @brief Erases the CMAC state - * @return returns TC_CRYPTO_SUCCESS (1) after having configured the CMAC state - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL - * - * @param s IN/OUT -- the state to erase - */ -int tc_cmac_erase(TCCmacState_t s); - -/** - * @brief Initializes a new CMAC computation - * @return returns TC_CRYPTO_SUCCESS (1) after having initialized the CMAC state - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL - * - * @param s IN/OUT -- the state to initialize - */ -int tc_cmac_init(TCCmacState_t s); - -/** - * @brief Incrementally computes CMAC over the next data segment - * @return returns TC_CRYPTO_SUCCESS (1) after successfully updating the CMAC state - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL or - * if data == NULL when dlen > 0 - * - * @param s IN/OUT -- the CMAC state - * @param data IN -- the next data segment to MAC - * @param dlen IN -- the length of data in bytes - */ -int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t dlen); - -/** - * @brief Generates the tag from the CMAC state - * @return returns TC_CRYPTO_SUCCESS (1) after successfully generating the tag - * returns TC_CRYPTO_FAIL (0) if: - * tag == NULL or - * s == NULL - * - * @param tag OUT -- the CMAC tag - * @param s IN -- CMAC state - */ -int tc_cmac_final(uint8_t *tag, TCCmacState_t s); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CMAC_MODE_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/constants.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/constants.h deleted file mode 100644 index 0abb01a15a..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/constants.h +++ /dev/null @@ -1,61 +0,0 @@ -/* constants.h - TinyCrypt interface to constants */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief -- Interface to constants. - * - */ - -#ifndef __BLE_MESH_TC_CONSTANTS_H__ -#define __BLE_MESH_TC_CONSTANTS_H__ - -#ifdef __cplusplus -extern "C" { -#endif - -#include - -#ifndef NULL -#define NULL ((void *)0) -#endif - -#define TC_CRYPTO_SUCCESS 1 -#define TC_CRYPTO_FAIL 0 - -#define TC_ZERO_BYTE 0x00 - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CONSTANTS_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_mode.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_mode.h deleted file mode 100644 index 039f58c86c..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_mode.h +++ /dev/null @@ -1,108 +0,0 @@ -/* ctr_mode.h - TinyCrypt interface to CTR mode */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to CTR mode. - * - * Overview: CTR (pronounced "counter") mode is a NIST approved mode of - * operation defined in SP 800-38a. It can be used with any - * block cipher to provide confidentiality of strings of any - * length. TinyCrypt hard codes AES128 as the block cipher. - * - * Security: CTR mode achieves confidentiality only if the counter value is - * never reused with a same encryption key. If the counter is - * repeated, than an adversary might be able to defeat the scheme. - * - * A usual method to ensure different counter values refers to - * initialize the counter in a given value (0, for example) and - * increases it every time a new block is enciphered. This naturally - * leaves to a limitation on the number q of blocks that can be - * enciphered using a same key: q < 2^(counter size). - * - * TinyCrypt uses a counter of 32 bits. This means that after 2^32 - * block encryptions, the counter will be reused (thus losing CBC - * security). 2^32 block encryptions should be enough for most of - * applications targeting constrained devices. Applications intended - * to encrypt a larger number of blocks must replace the key after - * 2^32 block encryptions. - * - * CTR mode provides NO data integrity. - * - * Requires: AES-128 - * - * Usage: 1) call tc_ctr_mode to process the data to encrypt/decrypt. - * - */ - -#ifndef __BLE_MESH_TC_CTR_MODE_H__ -#define __BLE_MESH_TC_CTR_MODE_H__ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * @brief CTR mode encryption/decryption procedure. - * CTR mode encrypts (or decrypts) inlen bytes from in buffer into out buffer - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL or - * in == NULL or - * ctr == NULL or - * sched == NULL or - * inlen == 0 or - * outlen == 0 or - * inlen != outlen - * @note Assumes:- The current value in ctr has NOT been used with sched - * - out points to inlen bytes - * - in points to inlen bytes - * - ctr is an integer counter in littleEndian format - * - sched was initialized by aes_set_encrypt_key - * @param out OUT -- produced ciphertext (plaintext) - * @param outlen IN -- length of ciphertext buffer in bytes - * @param in IN -- data to encrypt (or decrypt) - * @param inlen IN -- length of input data in bytes - * @param ctr IN/OUT -- the current counter value - * @param sched IN -- an initialized AES key schedule - */ -int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CTR_MODE_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_prng.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_prng.h deleted file mode 100644 index 04e070d3ee..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_prng.h +++ /dev/null @@ -1,166 +0,0 @@ -/* ctr_prng.h - TinyCrypt interface to a CTR-PRNG implementation */ - -/* - * Copyright (c) 2016, Chris Morrison - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to a CTR-PRNG implementation. - * - * Overview: A pseudo-random number generator (PRNG) generates a sequence - * of numbers that have a distribution close to the one expected - * for a sequence of truly random numbers. The NIST Special - * Publication 800-90A specifies several mechanisms to generate - * sequences of pseudo random numbers, including the CTR-PRNG one - * which is based on AES. TinyCrypt implements CTR-PRNG with - * AES-128. - * - * Security: A cryptographically secure PRNG depends on the existence of an - * entropy source to provide a truly random seed as well as the - * security of the primitives used as the building blocks (AES-128 - * in this instance). - * - * Requires: - AES-128 - * - * Usage: 1) call tc_ctr_prng_init to seed the prng context - * - * 2) call tc_ctr_prng_reseed to mix in additional entropy into - * the prng context - * - * 3) call tc_ctr_prng_generate to output the pseudo-random data - * - * 4) call tc_ctr_prng_uninstantiate to zero out the prng context - */ - -#ifndef __BLE_MESH_TC_CTR_PRNG_H__ -#define __BLE_MESH_TC_CTR_PRNG_H__ - -#include - -#define TC_CTR_PRNG_RESEED_REQ -1 - -#ifdef __cplusplus -extern "C" { -#endif - -typedef struct { - /* updated each time another BLOCKLEN_BYTES bytes are produced */ - uint8_t V[TC_AES_BLOCK_SIZE]; - - /* updated whenever the PRNG is reseeded */ - struct tc_aes_key_sched_struct key; - - /* number of requests since initialization/reseeding */ - uint64_t reseedCount; -} TCCtrPrng_t; - - -/** - * @brief CTR-PRNG initialization procedure - * Initializes prng context with entropy and personalization string (if any) - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * ctx == NULL, - * entropy == NULL, - * entropyLen < (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE) - * @note Only the first (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE) bytes of - * both the entropy and personalization inputs are used - - * supplying additional bytes has no effect. - * @param ctx IN/OUT -- the PRNG context to initialize - * @param entropy IN -- entropy used to seed the PRNG - * @param entropyLen IN -- entropy length in bytes - * @param personalization IN -- personalization string used to seed the PRNG - * (may be null) - * @param plen IN -- personalization length in bytes - * - */ -int tc_ctr_prng_init(TCCtrPrng_t *const ctx, - uint8_t const *const entropy, - unsigned int entropyLen, - uint8_t const *const personalization, - unsigned int pLen); - -/** - * @brief CTR-PRNG reseed procedure - * Mixes entropy and additional_input into the prng context - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * ctx == NULL, - * entropy == NULL, - * entropylen < (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE) - * @note It is better to reseed an existing prng context rather than - * re-initialise, so that any existing entropy in the context is - * presereved. This offers some protection against undetected failures - * of the entropy source. - * @note Assumes tc_ctr_prng_init has been called for ctx - * @param ctx IN/OUT -- the PRNG state - * @param entropy IN -- entropy to mix into the prng - * @param entropylen IN -- length of entropy in bytes - * @param additional_input IN -- additional input to the prng (may be null) - * @param additionallen IN -- additional input length in bytes - */ -int tc_ctr_prng_reseed(TCCtrPrng_t *const ctx, - uint8_t const *const entropy, - unsigned int entropyLen, - uint8_t const *const additional_input, - unsigned int additionallen); - -/** - * @brief CTR-PRNG generate procedure - * Generates outlen pseudo-random bytes into out buffer, updates prng - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CTR_PRNG_RESEED_REQ (-1) if a reseed is needed - * returns TC_CRYPTO_FAIL (0) if: - * ctx == NULL, - * out == NULL, - * outlen >= 2^16 - * @note Assumes tc_ctr_prng_init has been called for ctx - * @param ctx IN/OUT -- the PRNG context - * @param additional_input IN -- additional input to the prng (may be null) - * @param additionallen IN -- additional input length in bytes - * @param out IN/OUT -- buffer to receive output - * @param outlen IN -- size of out buffer in bytes - */ -int tc_ctr_prng_generate(TCCtrPrng_t *const ctx, - uint8_t const *const additional_input, - unsigned int additionallen, - uint8_t *const out, - unsigned int outlen); - -/** - * @brief CTR-PRNG uninstantiate procedure - * Zeroes the internal state of the supplied prng context - * @return none - * @param ctx IN/OUT -- the PRNG context - */ -void tc_ctr_prng_uninstantiate(TCCtrPrng_t *const ctx); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_CTR_PRNG_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc.h deleted file mode 100644 index 72ba652f26..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc.h +++ /dev/null @@ -1,545 +0,0 @@ -/* ecc.h - TinyCrypt interface to common ECC functions */ - -/* Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief -- Interface to common ECC functions. - * - * Overview: This software is an implementation of common functions - * necessary to elliptic curve cryptography. This implementation uses - * curve NIST p-256. - * - * Security: The curve NIST p-256 provides approximately 128 bits of security. - * - */ - -#ifndef __BLE_MESH_TC_UECC_H__ -#define __BLE_MESH_TC_UECC_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/* Word size (4 bytes considering 32-bits architectures) */ -#define uECC_WORD_SIZE 4 - -/* setting max number of calls to prng: */ -#ifndef uECC_RNG_MAX_TRIES -#define uECC_RNG_MAX_TRIES 64 -#endif - -/* defining data types to store word and bit counts: */ -typedef int8_t wordcount_t; -typedef int16_t bitcount_t; -/* defining data type for comparison result: */ -typedef int8_t cmpresult_t; -/* defining data type to store ECC coordinate/point in 32bits words: */ -typedef unsigned int uECC_word_t; -/* defining data type to store an ECC coordinate/point in 64bits words: */ -typedef uint64_t uECC_dword_t; - -/* defining masks useful for ecc computations: */ -#define HIGH_BIT_SET 0x80000000 -#define uECC_WORD_BITS 32 -#define uECC_WORD_BITS_SHIFT 5 -#define uECC_WORD_BITS_MASK 0x01F - -/* Number of words of 32 bits to represent an element of the the curve p-256: */ -#define NUM_ECC_WORDS 8 -/* Number of bytes to represent an element of the the curve p-256: */ -#define NUM_ECC_BYTES (uECC_WORD_SIZE*NUM_ECC_WORDS) - -/* structure that represents an elliptic curve (e.g. p256):*/ -struct uECC_Curve_t; -typedef const struct uECC_Curve_t *uECC_Curve; -struct uECC_Curve_t { - wordcount_t num_words; - wordcount_t num_bytes; - bitcount_t num_n_bits; - uECC_word_t p[NUM_ECC_WORDS]; - uECC_word_t n[NUM_ECC_WORDS]; - uECC_word_t G[NUM_ECC_WORDS * 2]; - uECC_word_t b[NUM_ECC_WORDS]; - void (*double_jacobian)(uECC_word_t *X1, uECC_word_t *Y1, uECC_word_t *Z1, - uECC_Curve curve); - void (*x_side)(uECC_word_t *result, const uECC_word_t *x, uECC_Curve curve); - void (*mmod_fast)(uECC_word_t *result, uECC_word_t *product); -}; - -/* - * @brief computes doubling of point ion jacobian coordinates, in place. - * @param X1 IN/OUT -- x coordinate - * @param Y1 IN/OUT -- y coordinate - * @param Z1 IN/OUT -- z coordinate - * @param curve IN -- elliptic curve - */ -void double_jacobian_default(uECC_word_t *X1, uECC_word_t *Y1, - uECC_word_t *Z1, uECC_Curve curve); - -/* - * @brief Computes x^3 + ax + b. result must not overlap x. - * @param result OUT -- x^3 + ax + b - * @param x IN -- value of x - * @param curve IN -- elliptic curve - */ -void x_side_default(uECC_word_t *result, const uECC_word_t *x, - uECC_Curve curve); - -/* - * @brief Computes result = product % curve_p - * from http://www.nsa.gov/ia/_files/nist-routines.pdf - * @param result OUT -- product % curve_p - * @param product IN -- value to be reduced mod curve_p - */ -void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int *product); - -/* Bytes to words ordering: */ -#define BYTES_TO_WORDS_8(a, b, c, d, e, f, g, h) 0x##d##c##b##a, 0x##h##g##f##e -#define BYTES_TO_WORDS_4(a, b, c, d) 0x##d##c##b##a -#define BITS_TO_WORDS(num_bits) \ - ((num_bits + ((uECC_WORD_SIZE * 8) - 1)) / (uECC_WORD_SIZE * 8)) -#define BITS_TO_BYTES(num_bits) ((num_bits + 7) / 8) - -/* definition of curve NIST p-256: */ -static const struct uECC_Curve_t curve_secp256r1 = { - NUM_ECC_WORDS, - NUM_ECC_BYTES, - 256, /* num_n_bits */ { - BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF), - BYTES_TO_WORDS_8(FF, FF, FF, FF, 00, 00, 00, 00), - BYTES_TO_WORDS_8(00, 00, 00, 00, 00, 00, 00, 00), - BYTES_TO_WORDS_8(01, 00, 00, 00, FF, FF, FF, FF) - }, { - BYTES_TO_WORDS_8(51, 25, 63, FC, C2, CA, B9, F3), - BYTES_TO_WORDS_8(84, 9E, 17, A7, AD, FA, E6, BC), - BYTES_TO_WORDS_8(FF, FF, FF, FF, FF, FF, FF, FF), - BYTES_TO_WORDS_8(00, 00, 00, 00, FF, FF, FF, FF) - }, { - BYTES_TO_WORDS_8(96, C2, 98, D8, 45, 39, A1, F4), - BYTES_TO_WORDS_8(A0, 33, EB, 2D, 81, 7D, 03, 77), - BYTES_TO_WORDS_8(F2, 40, A4, 63, E5, E6, BC, F8), - BYTES_TO_WORDS_8(47, 42, 2C, E1, F2, D1, 17, 6B), - - BYTES_TO_WORDS_8(F5, 51, BF, 37, 68, 40, B6, CB), - BYTES_TO_WORDS_8(CE, 5E, 31, 6B, 57, 33, CE, 2B), - BYTES_TO_WORDS_8(16, 9E, 0F, 7C, 4A, EB, E7, 8E), - BYTES_TO_WORDS_8(9B, 7F, 1A, FE, E2, 42, E3, 4F) - }, { - BYTES_TO_WORDS_8(4B, 60, D2, 27, 3E, 3C, CE, 3B), - BYTES_TO_WORDS_8(F6, B0, 53, CC, B0, 06, 1D, 65), - BYTES_TO_WORDS_8(BC, 86, 98, 76, 55, BD, EB, B3), - BYTES_TO_WORDS_8(E7, 93, 3A, AA, D8, 35, C6, 5A) - }, - &double_jacobian_default, - &x_side_default, - &vli_mmod_fast_secp256r1 -}; - -uECC_Curve uECC_secp256r1(void); - -/* - * @brief Generates a random integer in the range 0 < random < top. - * Both random and top have num_words words. - * @param random OUT -- random integer in the range 0 < random < top - * @param top IN -- upper limit - * @param num_words IN -- number of words - * @return a random integer in the range 0 < random < top - */ -int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, - wordcount_t num_words); - - -/* uECC_RNG_Function type - * The RNG function should fill 'size' random bytes into 'dest'. It should - * return 1 if 'dest' was filled with random data, or 0 if the random data could - * not be generated. The filled-in values should be either truly random, or from - * a cryptographically-secure PRNG. - * - * A correctly functioning RNG function must be set (using uECC_set_rng()) - * before calling uECC_make_key() or uECC_sign(). - * - * Setting a correctly functioning RNG function improves the resistance to - * side-channel attacks for uECC_shared_secret(). - * - * A correct RNG function is set by default. If you are building on another - * POSIX-compliant system that supports /dev/random or /dev/urandom, you can - * define uECC_POSIX to use the predefined RNG. - */ -typedef int(*uECC_RNG_Function)(uint8_t *dest, unsigned int size); - -/* - * @brief Set the function that will be used to generate random bytes. The RNG - * function should return 1 if the random data was generated, or 0 if the random - * data could not be generated. - * - * @note On platforms where there is no predefined RNG function, this must be - * called before uECC_make_key() or uECC_sign() are used. - * - * @param rng_function IN -- function that will be used to generate random bytes - */ -void uECC_set_rng(uECC_RNG_Function rng_function); - -/* - * @brief provides current uECC_RNG_Function. - * @return Returns the function that will be used to generate random bytes. - */ -uECC_RNG_Function uECC_get_rng(void); - -/* - * @brief computes the size of a private key for the curve in bytes. - * @param curve IN -- elliptic curve - * @return size of a private key for the curve in bytes. - */ -int uECC_curve_private_key_size(uECC_Curve curve); - -/* - * @brief computes the size of a public key for the curve in bytes. - * @param curve IN -- elliptic curve - * @return the size of a public key for the curve in bytes. - */ -int uECC_curve_public_key_size(uECC_Curve curve); - -/* - * @brief Compute the corresponding public key for a private key. - * @param private_key IN -- The private key to compute the public key for - * @param public_key OUT -- Will be filled in with the corresponding public key - * @param curve - * @return Returns 1 if key was computed successfully, 0 if an error occurred. - */ -int uECC_compute_public_key(const uint8_t *private_key, - uint8_t *public_key, uECC_Curve curve); - -/* - * @brief Compute public-key. - * @return corresponding public-key. - * @param result OUT -- public-key - * @param private_key IN -- private-key - * @param curve IN -- elliptic curve - */ -uECC_word_t EccPoint_compute_public_key(uECC_word_t *result, - uECC_word_t *private_key, uECC_Curve curve); - -/* - * @brief Regularize the bitcount for the private key so that attackers cannot - * use a side channel attack to learn the number of leading zeros. - * @return Regularized k - * @param k IN -- private-key - * @param k0 IN/OUT -- regularized k - * @param k1 IN/OUT -- regularized k - * @param curve IN -- elliptic curve - */ -uECC_word_t regularize_k(const uECC_word_t *const k, uECC_word_t *k0, - uECC_word_t *k1, uECC_Curve curve); - -/* - * @brief Point multiplication algorithm using Montgomery's ladder with co-Z - * coordinates. See http://eprint.iacr.org/2011/338.pdf. - * @note Result may overlap point. - * @param result OUT -- returns scalar*point - * @param point IN -- elliptic curve point - * @param scalar IN -- scalar - * @param initial_Z IN -- initial value for z - * @param num_bits IN -- number of bits in scalar - * @param curve IN -- elliptic curve - */ -void EccPoint_mult(uECC_word_t *result, const uECC_word_t *point, - const uECC_word_t *scalar, const uECC_word_t *initial_Z, - bitcount_t num_bits, uECC_Curve curve); - -/* - * @brief Constant-time comparison to zero - secure way to compare long integers - * @param vli IN -- very long integer - * @param num_words IN -- number of words in the vli - * @return 1 if vli == 0, 0 otherwise. - */ -uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words); - -/* - * @brief Check if 'point' is the point at infinity - * @param point IN -- elliptic curve point - * @param curve IN -- elliptic curve - * @return if 'point' is the point at infinity, 0 otherwise. - */ -uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve); - -/* - * @brief computes the sign of left - right, in constant time. - * @param left IN -- left term to be compared - * @param right IN -- right term to be compared - * @param num_words IN -- number of words - * @return the sign of left - right - */ -cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right, - wordcount_t num_words); - -/* - * @brief computes sign of left - right, not in constant time. - * @note should not be used if inputs are part of a secret - * @param left IN -- left term to be compared - * @param right IN -- right term to be compared - * @param num_words IN -- number of words - * @return the sign of left - right - */ -cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left, const uECC_word_t *right, - wordcount_t num_words); - -/* - * @brief Computes result = (left - right) % mod. - * @note Assumes that (left < mod) and (right < mod), and that result does not - * overlap mod. - * @param result OUT -- (left - right) % mod - * @param left IN -- leftright term in modular subtraction - * @param right IN -- right term in modular subtraction - * @param mod IN -- mod - * @param num_words IN -- number of words - */ -void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words); - -/* - * @brief Computes P' = (x1', y1', Z3), P + Q = (x3, y3, Z3) or - * P => P', Q => P + Q - * @note assumes Input P = (x1, y1, Z), Q = (x2, y2, Z) - * @param X1 IN -- x coordinate of P - * @param Y1 IN -- y coordinate of P - * @param X2 IN -- x coordinate of Q - * @param Y2 IN -- y coordinate of Q - * @param curve IN -- elliptic curve - */ -void XYcZ_add(uECC_word_t *X1, uECC_word_t *Y1, uECC_word_t *X2, - uECC_word_t *Y2, uECC_Curve curve); - -/* - * @brief Computes (x1 * z^2, y1 * z^3) - * @param X1 IN -- previous x1 coordinate - * @param Y1 IN -- previous y1 coordinate - * @param Z IN -- z value - * @param curve IN -- elliptic curve - */ -void apply_z(uECC_word_t *X1, uECC_word_t *Y1, const uECC_word_t *const Z, - uECC_Curve curve); - -/* - * @brief Check if bit is set. - * @return Returns nonzero if bit 'bit' of vli is set. - * @warning It is assumed that the value provided in 'bit' is within the - * boundaries of the word-array 'vli'. - * @note The bit ordering layout assumed for vli is: {31, 30, ..., 0}, - * {63, 62, ..., 32}, {95, 94, ..., 64}, {127, 126,..., 96} for a vli consisting - * of 4 uECC_word_t elements. - */ -uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit); - -/* - * @brief Computes result = product % mod, where product is 2N words long. - * @param result OUT -- product % mod - * @param mod IN -- module - * @param num_words IN -- number of words - * @warning Currently only designed to work for curve_p or curve_n. - */ -void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, - const uECC_word_t *mod, wordcount_t num_words); - -/* - * @brief Computes modular product (using curve->mmod_fast) - * @param result OUT -- (left * right) mod % curve_p - * @param left IN -- left term in product - * @param right IN -- right term in product - * @param curve IN -- elliptic curve - */ -void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, uECC_Curve curve); - -/* - * @brief Computes result = left - right. - * @note Can modify in place. - * @param result OUT -- left - right - * @param left IN -- left term in subtraction - * @param right IN -- right term in subtraction - * @param num_words IN -- number of words - * @return borrow - */ -uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, wordcount_t num_words); - -/* - * @brief Constant-time comparison function(secure way to compare long ints) - * @param left IN -- left term in comparison - * @param right IN -- right term in comparison - * @param num_words IN -- number of words - * @return Returns 0 if left == right, 1 otherwise. - */ -uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right, - wordcount_t num_words); - -/* - * @brief Computes (left * right) % mod - * @param result OUT -- (left * right) % mod - * @param left IN -- left term in product - * @param right IN -- right term in product - * @param mod IN -- mod - * @param num_words IN -- number of words - */ -void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words); - -/* - * @brief Computes (1 / input) % mod - * @note All VLIs are the same size. - * @note See "Euclid's GCD to Montgomery Multiplication to the Great Divide" - * @param result OUT -- (1 / input) % mod - * @param input IN -- value to be modular inverted - * @param mod IN -- mod - * @param num_words -- number of words - */ -void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, - const uECC_word_t *mod, wordcount_t num_words); - -/* - * @brief Sets dest = src. - * @param dest OUT -- destination buffer - * @param src IN -- origin buffer - * @param num_words IN -- number of words - */ -void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src, - wordcount_t num_words); - -/* - * @brief Computes (left + right) % mod. - * @note Assumes that (left < mod) and right < mod), and that result does not - * overlap mod. - * @param result OUT -- (left + right) % mod. - * @param left IN -- left term in addition - * @param right IN -- right term in addition - * @param mod IN -- mod - * @param num_words IN -- number of words - */ -void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words); - -/* - * @brief Counts the number of bits required to represent vli. - * @param vli IN -- very long integer - * @param max_words IN -- number of words - * @return number of bits in given vli - */ -bitcount_t uECC_vli_numBits(const uECC_word_t *vli, - const wordcount_t max_words); - -/* - * @brief Erases (set to 0) vli - * @param vli IN -- very long integer - * @param num_words IN -- number of words - */ -void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words); - -/* - * @brief check if it is a valid point in the curve - * @param point IN -- point to be checked - * @param curve IN -- elliptic curve - * @return 0 if point is valid - * @exception returns -1 if it is a point at infinity - * @exception returns -2 if x or y is smaller than p, - * @exception returns -3 if y^2 != x^3 + ax + b. - */ -int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve); - -/* - * @brief Check if a public key is valid. - * @param public_key IN -- The public key to be checked. - * @return returns 0 if the public key is valid - * @exception returns -1 if it is a point at infinity - * @exception returns -2 if x or y is smaller than p, - * @exception returns -3 if y^2 != x^3 + ax + b. - * @exception returns -4 if public key is the group generator. - * - * @note Note that you are not required to check for a valid public key before - * using any other uECC functions. However, you may wish to avoid spending CPU - * time computing a shared secret or verifying a signature using an invalid - * public key. - */ -int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve); - -/* - * @brief Converts an integer in uECC native format to big-endian bytes. - * @param bytes OUT -- bytes representation - * @param num_bytes IN -- number of bytes - * @param native IN -- uECC native representation - */ -void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, - const unsigned int *native); - -/* - * @brief Converts big-endian bytes to an integer in uECC native format. - * @param native OUT -- uECC native representation - * @param bytes IN -- bytes representation - * @param num_bytes IN -- number of bytes - */ -void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, - int num_bytes); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_UECC_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dh.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dh.h deleted file mode 100644 index ba9a0ebb2d..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dh.h +++ /dev/null @@ -1,131 +0,0 @@ -/* ecc_dh.h - TinyCrypt interface to EC-DH implementation */ - -/* - * Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief -- Interface to EC-DH implementation. - * - * Overview: This software is an implementation of EC-DH. This implementation - * uses curve NIST p-256. - * - * Security: The curve NIST p-256 provides approximately 128 bits of security. - */ - -#ifndef __BLE_MESH_TC_ECC_DH_H__ -#define __BLE_MESH_TC_ECC_DH_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * @brief Create a public/private key pair. - * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully - * returns TC_CRYPTO_FAIL (0) if error while generating key pair - * - * @param p_public_key OUT -- Will be filled in with the public key. Must be at - * least 2 * the curve size (in bytes) long. For curve secp256r1, p_public_key - * must be 64 bytes long. - * @param p_private_key OUT -- Will be filled in with the private key. Must be as - * long as the curve order (for secp256r1, p_private_key must be 32 bytes long). - * - * @note side-channel countermeasure: algorithm strengthened against timing - * attack. - * @warning A cryptographically-secure PRNG function must be set (using - * uECC_set_rng()) before calling uECC_make_key(). - */ -int uECC_make_key(uint8_t *p_public_key, uint8_t *p_private_key, uECC_Curve curve); - -#ifdef ENABLE_TESTS - -/** - * @brief Create a public/private key pair given a specific d. - * - * @note THIS FUNCTION SHOULD BE CALLED ONLY FOR TEST PURPOSES. Refer to - * uECC_make_key() function for real applications. - */ -int uECC_make_key_with_d(uint8_t *p_public_key, uint8_t *p_private_key, - unsigned int *d, uECC_Curve curve); -#endif - -/** - * @brief Compute a shared secret given your secret key and someone else's - * public key. - * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully - * returns TC_CRYPTO_FAIL (0) otherwise - * - * @param p_secret OUT -- Will be filled in with the shared secret value. Must be - * the same size as the curve size (for curve secp256r1, secret must be 32 bytes - * long. - * @param p_public_key IN -- The public key of the remote party. - * @param p_private_key IN -- Your private key. - * - * @warning It is recommended to use the output of uECC_shared_secret() as the - * input of a recommended Key Derivation Function (see NIST SP 800-108) in - * order to produce a cryptographically secure symmetric key. - */ -int uECC_shared_secret(const uint8_t *p_public_key, const uint8_t *p_private_key, - uint8_t *p_secret, uECC_Curve curve); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_ECC_DH_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dsa.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dsa.h deleted file mode 100644 index cfada859d3..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dsa.h +++ /dev/null @@ -1,139 +0,0 @@ -/* ecc_dh.h - TinyCrypt interface to EC-DSA implementation */ - -/* - * Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief -- Interface to EC-DSA implementation. - * - * Overview: This software is an implementation of EC-DSA. This implementation - * uses curve NIST p-256. - * - * Security: The curve NIST p-256 provides approximately 128 bits of security. - * - * Usage: - To sign: Compute a hash of the data you wish to sign (SHA-2 is - * recommended) and pass it in to ecdsa_sign function along with your - * private key and a random number. You must use a new non-predictable - * random number to generate each new signature. - * - To verify a signature: Compute the hash of the signed data using - * the same hash as the signer and pass it to this function along with - * the signer's public key and the signature values (r and s). - */ - -#ifndef __BLE_MESH_TC_ECC_DSA_H__ -#define __BLE_MESH_TC_ECC_DSA_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * @brief Generate an ECDSA signature for a given hash value. - * @return returns TC_CRYPTO_SUCCESS (1) if the signature generated successfully - * returns TC_CRYPTO_FAIL (0) if an error occurred. - * - * @param p_private_key IN -- Your private key. - * @param p_message_hash IN -- The hash of the message to sign. - * @param p_hash_size IN -- The size of p_message_hash in bytes. - * @param p_signature OUT -- Will be filled in with the signature value. Must be - * at least 2 * curve size long (for secp256r1, signature must be 64 bytes long). - * - * @warning A cryptographically-secure PRNG function must be set (using - * uECC_set_rng()) before calling uECC_sign(). - * @note Usage: Compute a hash of the data you wish to sign (SHA-2 is - * recommended) and pass it in to this function along with your private key. - * @note side-channel countermeasure: algorithm strengthened against timing - * attack. - */ -int uECC_sign(const uint8_t *p_private_key, const uint8_t *p_message_hash, - unsigned p_hash_size, uint8_t *p_signature, uECC_Curve curve); - -#ifdef ENABLE_TESTS -/* - * THIS FUNCTION SHOULD BE CALLED FOR TEST PURPOSES ONLY. - * Refer to uECC_sign() function for real applications. - */ -int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, - unsigned int hash_size, uECC_word_t *k, uint8_t *signature, - uECC_Curve curve); -#endif - -/** - * @brief Verify an ECDSA signature. - * @return returns TC_SUCCESS (1) if the signature is valid - * returns TC_FAIL (0) if the signature is invalid. - * - * @param p_public_key IN -- The signer's public key. - * @param p_message_hash IN -- The hash of the signed data. - * @param p_hash_size IN -- The size of p_message_hash in bytes. - * @param p_signature IN -- The signature values. - * - * @note Usage: Compute the hash of the signed data using the same hash as the - * signer and pass it to this function along with the signer's public key and - * the signature values (hash_size and signature). - */ -int uECC_verify(const uint8_t *p_public_key, const uint8_t *p_message_hash, - unsigned int p_hash_size, const uint8_t *p_signature, uECC_Curve curve); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_ECC_DSA_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_platform_specific.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_platform_specific.h deleted file mode 100644 index 972e5f7fee..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_platform_specific.h +++ /dev/null @@ -1,81 +0,0 @@ -/* uECC_platform_specific.h - Interface to platform specific functions*/ - -/* Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE.*/ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * uECC_platform_specific.h -- Interface to platform specific functions - */ - -#ifndef __BLE_MESH_UECC_PLATFORM_SPECIFIC_H_ -#define __BLE_MESH_UECC_PLATFORM_SPECIFIC_H_ - -/* - * The RNG function should fill 'size' random bytes into 'dest'. It should - * return 1 if 'dest' was filled with random data, or 0 if the random data could - * not be generated. The filled-in values should be either truly random, or from - * a cryptographically-secure PRNG. - * - * A cryptographically-secure PRNG function must be set (using uECC_set_rng()) - * before calling uECC_make_key() or uECC_sign(). - * - * Setting a cryptographically-secure PRNG function improves the resistance to - * side-channel attacks for uECC_shared_secret(). - * - * A correct PRNG function is set by default (default_RNG_defined = 1) and works - * for some platforms, such as Unix and Linux. For other platforms, you may need - * to provide another PRNG function. -*/ -#define default_RNG_defined 0 - -int default_CSPRNG(uint8_t *dest, unsigned int size); - -#endif /* __BLE_MESH_UECC_PLATFORM_SPECIFIC_H_ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac.h deleted file mode 100644 index cb399d8d5c..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac.h +++ /dev/null @@ -1,139 +0,0 @@ -/* hmac.h - TinyCrypt interface to an HMAC implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to an HMAC implementation. - * - * Overview: HMAC is a message authentication code based on hash functions. - * TinyCrypt hard codes SHA-256 as the hash function. A message - * authentication code based on hash functions is also called a - * keyed cryptographic hash function since it performs a - * transformation specified by a key in an arbitrary length data - * set into a fixed length data set (also called tag). - * - * Security: The security of the HMAC depends on the length of the key and - * on the security of the hash function. Note that HMAC primitives - * are much less affected by collision attacks than their - * corresponding hash functions. - * - * Requires: SHA-256 - * - * Usage: 1) call tc_hmac_set_key to set the HMAC key. - * - * 2) call tc_hmac_init to initialize a struct hash_state before - * processing the data. - * - * 3) call tc_hmac_update to process the next input segment; - * tc_hmac_update can be called as many times as needed to process - * all of the segments of the input; the order is important. - * - * 4) call tc_hmac_final to out put the tag. - */ - -#ifndef __BLE_MESH_TC_HMAC_H__ -#define __BLE_MESH_TC_HMAC_H__ - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -struct tc_hmac_state_struct { - /* the internal state required by h */ - struct tc_sha256_state_struct hash_state; - /* HMAC key schedule */ - uint8_t key[2 * TC_SHA256_BLOCK_SIZE]; -}; -typedef struct tc_hmac_state_struct *TCHmacState_t; - -/** - * @brief HMAC set key procedure - * Configures ctx to use key - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if - * ctx == NULL or - * key == NULL or - * key_size == 0 - * @param ctx IN/OUT -- the struct tc_hmac_state_struct to initial - * @param key IN -- the HMAC key to configure - * @param key_size IN -- the HMAC key size - */ -int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key, - unsigned int key_size); - -/** - * @brief HMAC init procedure - * Initializes ctx to begin the next HMAC operation - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: ctx == NULL or key == NULL - * @param ctx IN/OUT -- struct tc_hmac_state_struct buffer to init - */ -int tc_hmac_init(TCHmacState_t ctx); - -/** - * @brief HMAC update procedure - * Mixes data_length bytes addressed by data into state - * @return returns TC_CRYPTO_SUCCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: ctx == NULL or key == NULL - * @note Assumes state has been initialized by tc_hmac_init - * @param ctx IN/OUT -- state of HMAC computation so far - * @param data IN -- data to incorporate into state - * @param data_length IN -- size of data in bytes - */ -int tc_hmac_update(TCHmacState_t ctx, const void *data, - unsigned int data_length); - -/** - * @brief HMAC final procedure - * Writes the HMAC tag into the tag buffer - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * tag == NULL or - * ctx == NULL or - * key == NULL or - * taglen != TC_SHA256_DIGEST_SIZE - * @note ctx is erased before exiting. This should never be changed/removed. - * @note Assumes the tag bufer is at least sizeof(hmac_tag_size(state)) bytes - * state has been initialized by tc_hmac_init - * @param tag IN/OUT -- buffer to receive computed HMAC tag - * @param taglen IN -- size of tag in bytes - * @param ctx IN/OUT -- the HMAC state for computing tag - */ -int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx); - -#ifdef __cplusplus -} -#endif - -#endif /*__BLE_MESH_TC_HMAC_H__*/ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac_prng.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac_prng.h deleted file mode 100644 index f7f9001021..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac_prng.h +++ /dev/null @@ -1,164 +0,0 @@ -/* hmac_prng.h - TinyCrypt interface to an HMAC-PRNG implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to an HMAC-PRNG implementation. - * - * Overview: A pseudo-random number generator (PRNG) generates a sequence - * of numbers that have a distribution close to the one expected - * for a sequence of truly random numbers. The NIST Special - * Publication 800-90A specifies several mechanisms to generate - * sequences of pseudo random numbers, including the HMAC-PRNG one - * which is based on HMAC. TinyCrypt implements HMAC-PRNG with - * certain modifications from the NIST SP 800-90A spec. - * - * Security: A cryptographically secure PRNG depends on the existence of an - * entropy source to provide a truly random seed as well as the - * security of the primitives used as the building blocks (HMAC and - * SHA256, for TinyCrypt). - * - * The NIST SP 800-90A standard tolerates a null personalization, - * while TinyCrypt requires a non-null personalization. This is - * because a personalization string (the host name concatenated - * with a time stamp, for example) is easily computed and might be - * the last line of defense against failure of the entropy source. - * - * Requires: - SHA-256 - * - HMAC - * - * Usage: 1) call tc_hmac_prng_init to set the HMAC key and process the - * personalization data. - * - * 2) call tc_hmac_prng_reseed to process the seed and additional - * input. - * - * 3) call tc_hmac_prng_generate to out put the pseudo-random data. - */ - -#ifndef __BLE_MESH_TC_HMAC_PRNG_H__ -#define __BLE_MESH_TC_HMAC_PRNG_H__ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#define TC_HMAC_PRNG_RESEED_REQ -1 - -struct tc_hmac_prng_struct { - /* the HMAC instance for this PRNG */ - struct tc_hmac_state_struct h; - /* the PRNG key */ - uint8_t key[TC_SHA256_DIGEST_SIZE]; - /* PRNG state */ - uint8_t v[TC_SHA256_DIGEST_SIZE]; - /* calls to tc_hmac_prng_generate left before re-seed */ - unsigned int countdown; -}; - -typedef struct tc_hmac_prng_struct *TCHmacPrng_t; - -/** - * @brief HMAC-PRNG initialization procedure - * Initializes prng with personalization, disables tc_hmac_prng_generate - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * prng == NULL, - * personalization == NULL, - * plen > MAX_PLEN - * @note Assumes: - personalization != NULL. - * The personalization is a platform unique string (e.g., the host - * name) and is the last line of defense against failure of the - * entropy source - * @warning NIST SP 800-90A specifies 3 items as seed material during - * initialization: entropy seed, personalization, and an optional - * nonce. TinyCrypts requires instead a non-null personalization - * (which is easily computed) and indirectly requires an entropy - * seed (since the reseed function is mandatorily called after - * init) - * @param prng IN/OUT -- the PRNG state to initialize - * @param personalization IN -- personalization string - * @param plen IN -- personalization length in bytes - */ -int tc_hmac_prng_init(TCHmacPrng_t prng, - const uint8_t *personalization, - unsigned int plen); - -/** - * @brief HMAC-PRNG reseed procedure - * Mixes seed into prng, enables tc_hmac_prng_generate - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * prng == NULL, - * seed == NULL, - * seedlen < MIN_SLEN, - * seendlen > MAX_SLEN, - * additional_input != (const uint8_t *) 0 && additionallen == 0, - * additional_input != (const uint8_t *) 0 && additionallen > MAX_ALEN - * @note Assumes:- tc_hmac_prng_init has been called for prng - * - seed has sufficient entropy. - * - * @param prng IN/OUT -- the PRNG state - * @param seed IN -- entropy to mix into the prng - * @param seedlen IN -- length of seed in bytes - * @param additional_input IN -- additional input to the prng - * @param additionallen IN -- additional input length in bytes - */ -int tc_hmac_prng_reseed(TCHmacPrng_t prng, const uint8_t *seed, - unsigned int seedlen, const uint8_t *additional_input, - unsigned int additionallen); - -/** - * @brief HMAC-PRNG generate procedure - * Generates outlen pseudo-random bytes into out buffer, updates prng - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_HMAC_PRNG_RESEED_REQ (-1) if a reseed is needed - * returns TC_CRYPTO_FAIL (0) if: - * out == NULL, - * prng == NULL, - * outlen == 0, - * outlen >= MAX_OUT - * @note Assumes tc_hmac_prng_init has been called for prng - * @param out IN/OUT -- buffer to receive output - * @param outlen IN -- size of out buffer in bytes - * @param prng IN/OUT -- the PRNG state - */ -int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_HMAC_PRNG_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/sha256.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/sha256.h deleted file mode 100644 index c57cb00cad..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/sha256.h +++ /dev/null @@ -1,129 +0,0 @@ -/* sha256.h - TinyCrypt interface to a SHA-256 implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to a SHA-256 implementation. - * - * Overview: SHA-256 is a NIST approved cryptographic hashing algorithm - * specified in FIPS 180. A hash algorithm maps data of arbitrary - * size to data of fixed length. - * - * Security: SHA-256 provides 128 bits of security against collision attacks - * and 256 bits of security against pre-image attacks. SHA-256 does - * NOT behave like a random oracle, but it can be used as one if - * the string being hashed is prefix-free encoded before hashing. - * - * Usage: 1) call tc_sha256_init to initialize a struct - * tc_sha256_state_struct before hashing a new string. - * - * 2) call tc_sha256_update to hash the next string segment; - * tc_sha256_update can be called as many times as needed to hash - * all of the segments of a string; the order is important. - * - * 3) call tc_sha256_final to out put the digest from a hashing - * operation. - */ - -#ifndef __BLE_MESH_TC_SHA256_H__ -#define __BLE_MESH_TC_SHA256_H__ - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#define TC_SHA256_BLOCK_SIZE (64) -#define TC_SHA256_DIGEST_SIZE (32) -#define TC_SHA256_STATE_BLOCKS (TC_SHA256_DIGEST_SIZE/4) - -struct tc_sha256_state_struct { - unsigned int iv[TC_SHA256_STATE_BLOCKS]; - uint64_t bits_hashed; - uint8_t leftover[TC_SHA256_BLOCK_SIZE]; - size_t leftover_offset; -}; - -typedef struct tc_sha256_state_struct *TCSha256State_t; - -/** - * @brief SHA256 initialization procedure - * Initializes s - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if s == NULL - * @param s Sha256 state struct - */ -int tc_sha256_init(TCSha256State_t s); - -/** - * @brief SHA256 update procedure - * Hashes data_length bytes addressed by data into state s - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL, - * s->iv == NULL, - * data == NULL - * @note Assumes s has been initialized by tc_sha256_init - * @warning The state buffer 'leftover' is left in memory after processing - * If your application intends to have sensitive data in this - * buffer, remind to erase it after the data has been processed - * @param s Sha256 state struct - * @param data message to hash - * @param datalen length of message to hash - */ -int tc_sha256_update (TCSha256State_t s, const uint8_t *data, size_t datalen); - -/** - * @brief SHA256 final procedure - * Inserts the completed hash computation into digest - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * s == NULL, - * s->iv == NULL, - * digest == NULL - * @note Assumes: s has been initialized by tc_sha256_init - * digest points to at least TC_SHA256_DIGEST_SIZE bytes - * @warning The state buffer 'leftover' is left in memory after processing - * If your application intends to have sensitive data in this - * buffer, remind to erase it after the data has been processed - * @param digest unsigned eight bit integer - * @param Sha256 state struct - */ -int tc_sha256_final(uint8_t *digest, TCSha256State_t s); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_SHA256_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/utils.h b/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/utils.h deleted file mode 100644 index 422892390f..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/utils.h +++ /dev/null @@ -1,121 +0,0 @@ -/* utils.h - TinyCrypt interface to platform-dependent run-time operations */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * @file - * @brief Interface to platform-dependent run-time operations. - * - */ - -#ifndef __BLE_MESH_TC_UTILS_H__ -#define __BLE_MESH_TC_UTILS_H__ - -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -/** - * @brief Copy the the buffer 'from' to the buffer 'to'. - * @return returns TC_CRYPTO_SUCCESS (1) - * returns TC_CRYPTO_FAIL (0) if: - * from_len > to_len. - * - * @param to OUT -- destination buffer - * @param to_len IN -- length of destination buffer - * @param from IN -- origin buffer - * @param from_len IN -- length of origin buffer - */ -unsigned int _copy(uint8_t *to, unsigned int to_len, - const uint8_t *from, unsigned int from_len); - -/** - * @brief Set the value 'val' into the buffer 'to', 'len' times. - * - * @param to OUT -- destination buffer - * @param val IN -- value to be set in 'to' - * @param len IN -- number of times the value will be copied - */ -void _set(void *to, uint8_t val, unsigned int len); - -/** - * @brief Set the value 'val' into the buffer 'to', 'len' times, in a way - * which does not risk getting optimized out by the compiler - * In cases where the compiler does not set __GNUC__ and where the - * optimization level removes the memset, it may be necessary to - * implement a _set_secure function and define the - * TINYCRYPT_ARCH_HAS_SET_SECURE, which then can ensure that the - * memset does not get optimized out. - * - * @param to OUT -- destination buffer - * @param val IN -- value to be set in 'to' - * @param len IN -- number of times the value will be copied - */ -#ifdef TINYCRYPT_ARCH_HAS_SET_SECURE -extern void _set_secure(void *to, uint8_t val, unsigned int len); -#else /* ! TINYCRYPT_ARCH_HAS_SET_SECURE */ -static inline void _set_secure(void *to, uint8_t val, unsigned int len) -{ - (void) memset(to, val, len); -#ifdef __GNUC__ - __asm__ __volatile__("" :: "g"(to) : "memory"); -#endif /* __GNUC__ */ -} -#endif /* TINYCRYPT_ARCH_HAS_SET_SECURE */ - -/* - * @brief AES specific doubling function, which utilizes - * the finite field used by AES. - * @return Returns a^2 - * - * @param a IN/OUT -- value to be doubled - */ -uint8_t _double_byte(uint8_t a); - -/* - * @brief Constant-time algorithm to compare if two sequences of bytes are equal - * @return Returns 0 if equal, and non-zero otherwise - * - * @param a IN -- sequence of bytes a - * @param b IN -- sequence of bytes b - * @param size IN -- size of sequences a and b - */ -int _compare(const uint8_t *a, const uint8_t *b, size_t size); - -#ifdef __cplusplus -} -#endif - -#endif /* __BLE_MESH_TC_UTILS_H__ */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_decrypt.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_decrypt.c deleted file mode 100644 index 8972643422..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_decrypt.c +++ /dev/null @@ -1,164 +0,0 @@ -/* aes_decrypt.c - TinyCrypt implementation of AES decryption procedure */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -static const uint8_t inv_sbox[256] = { - 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, - 0x81, 0xf3, 0xd7, 0xfb, 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, - 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb, 0x54, 0x7b, 0x94, 0x32, - 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e, - 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, - 0x6d, 0x8b, 0xd1, 0x25, 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, - 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92, 0x6c, 0x70, 0x48, 0x50, - 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84, - 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, - 0xb8, 0xb3, 0x45, 0x06, 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, - 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b, 0x3a, 0x91, 0x11, 0x41, - 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73, - 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, - 0x1c, 0x75, 0xdf, 0x6e, 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, - 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b, 0xfc, 0x56, 0x3e, 0x4b, - 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4, - 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, - 0x27, 0x80, 0xec, 0x5f, 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, - 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef, 0xa0, 0xe0, 0x3b, 0x4d, - 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61, - 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, - 0x55, 0x21, 0x0c, 0x7d -}; - -int tc_aes128_set_decrypt_key(TCAesKeySched_t s, const uint8_t *k) -{ - return tc_aes128_set_encrypt_key(s, k); -} - -#define mult8(a)(_double_byte(_double_byte(_double_byte(a)))) -#define mult9(a)(mult8(a)^(a)) -#define multb(a)(mult8(a)^_double_byte(a)^(a)) -#define multd(a)(mult8(a)^_double_byte(_double_byte(a))^(a)) -#define multe(a)(mult8(a)^_double_byte(_double_byte(a))^_double_byte(a)) - -static inline void mult_row_column(uint8_t *out, const uint8_t *in) -{ - out[0] = multe(in[0]) ^ multb(in[1]) ^ multd(in[2]) ^ mult9(in[3]); - out[1] = mult9(in[0]) ^ multe(in[1]) ^ multb(in[2]) ^ multd(in[3]); - out[2] = multd(in[0]) ^ mult9(in[1]) ^ multe(in[2]) ^ multb(in[3]); - out[3] = multb(in[0]) ^ multd(in[1]) ^ mult9(in[2]) ^ multe(in[3]); -} - -static inline void inv_mix_columns(uint8_t *s) -{ - uint8_t t[Nb * Nk]; - - mult_row_column(t, s); - mult_row_column(&t[Nb], s + Nb); - mult_row_column(&t[2 * Nb], s + (2 * Nb)); - mult_row_column(&t[3 * Nb], s + (3 * Nb)); - (void)_copy(s, sizeof(t), t, sizeof(t)); -} - -static inline void add_round_key(uint8_t *s, const unsigned int *k) -{ - s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16); - s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]); - s[4] ^= (uint8_t)(k[1] >> 24); s[5] ^= (uint8_t)(k[1] >> 16); - s[6] ^= (uint8_t)(k[1] >> 8); s[7] ^= (uint8_t)(k[1]); - s[8] ^= (uint8_t)(k[2] >> 24); s[9] ^= (uint8_t)(k[2] >> 16); - s[10] ^= (uint8_t)(k[2] >> 8); s[11] ^= (uint8_t)(k[2]); - s[12] ^= (uint8_t)(k[3] >> 24); s[13] ^= (uint8_t)(k[3] >> 16); - s[14] ^= (uint8_t)(k[3] >> 8); s[15] ^= (uint8_t)(k[3]); -} - -static inline void inv_sub_bytes(uint8_t *s) -{ - unsigned int i; - - for (i = 0; i < (Nb * Nk); ++i) { - s[i] = inv_sbox[s[i]]; - } -} - -/* - * This inv_shift_rows also implements the matrix flip required for - * inv_mix_columns, but performs it here to reduce the number of memory - * operations. - */ -static inline void inv_shift_rows(uint8_t *s) -{ - uint8_t t[Nb * Nk]; - - t[0] = s[0]; t[1] = s[13]; t[2] = s[10]; t[3] = s[7]; - t[4] = s[4]; t[5] = s[1]; t[6] = s[14]; t[7] = s[11]; - t[8] = s[8]; t[9] = s[5]; t[10] = s[2]; t[11] = s[15]; - t[12] = s[12]; t[13] = s[9]; t[14] = s[6]; t[15] = s[3]; - (void)_copy(s, sizeof(t), t, sizeof(t)); -} - -int tc_aes_decrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) -{ - uint8_t state[Nk * Nb]; - unsigned int i; - - if (out == (uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } else if (in == (const uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } else if (s == (TCAesKeySched_t) 0) { - return TC_CRYPTO_FAIL; - } - - (void)_copy(state, sizeof(state), in, sizeof(state)); - - add_round_key(state, s->words + Nb * Nr); - - for (i = Nr - 1; i > 0; --i) { - inv_shift_rows(state); - inv_sub_bytes(state); - add_round_key(state, s->words + Nb * i); - inv_mix_columns(state); - } - - inv_shift_rows(state); - inv_sub_bytes(state); - add_round_key(state, s->words); - - (void)_copy(out, sizeof(state), state, sizeof(state)); - - /*zeroing out the state buffer */ - _set(state, TC_ZERO_BYTE, sizeof(state)); - - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_encrypt.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_encrypt.c deleted file mode 100644 index 33c5707952..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/aes_encrypt.c +++ /dev/null @@ -1,191 +0,0 @@ -/* aes_encrypt.c - TinyCrypt implementation of AES encryption procedure */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -static const uint8_t sbox[256] = { - 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, - 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, - 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26, - 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, - 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, - 0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, - 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, - 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, - 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, - 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, - 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec, - 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, - 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, - 0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, - 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, - 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08, - 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, - 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, - 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, - 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, - 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, - 0xb0, 0x54, 0xbb, 0x16 -}; - -static inline unsigned int rotword(unsigned int a) -{ - return (((a) >> 24) | ((a) << 8)); -} - -#define subbyte(a, o)(sbox[((a) >> (o))&0xff] << (o)) -#define subword(a)(subbyte(a, 24)|subbyte(a, 16)|subbyte(a, 8)|subbyte(a, 0)) - -int tc_aes128_set_encrypt_key(TCAesKeySched_t s, const uint8_t *k) -{ - const unsigned int rconst[11] = { - 0x00000000, 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, - 0x20000000, 0x40000000, 0x80000000, 0x1b000000, 0x36000000 - }; - unsigned int i; - unsigned int t; - - if (s == (TCAesKeySched_t) 0) { - return TC_CRYPTO_FAIL; - } else if (k == (const uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } - - for (i = 0; i < Nk; ++i) { - s->words[i] = (k[Nb * i] << 24) | (k[Nb * i + 1] << 16) | - (k[Nb * i + 2] << 8) | (k[Nb * i + 3]); - } - - for (; i < (Nb * (Nr + 1)); ++i) { - t = s->words[i - 1]; - if ((i % Nk) == 0) { - t = subword(rotword(t)) ^ rconst[i / Nk]; - } - s->words[i] = s->words[i - Nk] ^ t; - } - - return TC_CRYPTO_SUCCESS; -} - -static inline void add_round_key(uint8_t *s, const unsigned int *k) -{ - s[0] ^= (uint8_t)(k[0] >> 24); s[1] ^= (uint8_t)(k[0] >> 16); - s[2] ^= (uint8_t)(k[0] >> 8); s[3] ^= (uint8_t)(k[0]); - s[4] ^= (uint8_t)(k[1] >> 24); s[5] ^= (uint8_t)(k[1] >> 16); - s[6] ^= (uint8_t)(k[1] >> 8); s[7] ^= (uint8_t)(k[1]); - s[8] ^= (uint8_t)(k[2] >> 24); s[9] ^= (uint8_t)(k[2] >> 16); - s[10] ^= (uint8_t)(k[2] >> 8); s[11] ^= (uint8_t)(k[2]); - s[12] ^= (uint8_t)(k[3] >> 24); s[13] ^= (uint8_t)(k[3] >> 16); - s[14] ^= (uint8_t)(k[3] >> 8); s[15] ^= (uint8_t)(k[3]); -} - -static inline void sub_bytes(uint8_t *s) -{ - unsigned int i; - - for (i = 0; i < (Nb * Nk); ++i) { - s[i] = sbox[s[i]]; - } -} - -#define triple(a)(_double_byte(a)^(a)) - -static inline void mult_row_column(uint8_t *out, const uint8_t *in) -{ - out[0] = _double_byte(in[0]) ^ triple(in[1]) ^ in[2] ^ in[3]; - out[1] = in[0] ^ _double_byte(in[1]) ^ triple(in[2]) ^ in[3]; - out[2] = in[0] ^ in[1] ^ _double_byte(in[2]) ^ triple(in[3]); - out[3] = triple(in[0]) ^ in[1] ^ in[2] ^ _double_byte(in[3]); -} - -static inline void mix_columns(uint8_t *s) -{ - uint8_t t[Nb * Nk]; - - mult_row_column(t, s); - mult_row_column(&t[Nb], s + Nb); - mult_row_column(&t[2 * Nb], s + (2 * Nb)); - mult_row_column(&t[3 * Nb], s + (3 * Nb)); - (void) _copy(s, sizeof(t), t, sizeof(t)); -} - -/* - * This shift_rows also implements the matrix flip required for mix_columns, but - * performs it here to reduce the number of memory operations. - */ -static inline void shift_rows(uint8_t *s) -{ - uint8_t t[Nb * Nk]; - - t[0] = s[0]; t[1] = s[5]; t[2] = s[10]; t[3] = s[15]; - t[4] = s[4]; t[5] = s[9]; t[6] = s[14]; t[7] = s[3]; - t[8] = s[8]; t[9] = s[13]; t[10] = s[2]; t[11] = s[7]; - t[12] = s[12]; t[13] = s[1]; t[14] = s[6]; t[15] = s[11]; - (void) _copy(s, sizeof(t), t, sizeof(t)); -} - -int tc_aes_encrypt(uint8_t *out, const uint8_t *in, const TCAesKeySched_t s) -{ - uint8_t state[Nk * Nb]; - unsigned int i; - - if (out == (uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } else if (in == (const uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } else if (s == (TCAesKeySched_t) 0) { - return TC_CRYPTO_FAIL; - } - - (void)_copy(state, sizeof(state), in, sizeof(state)); - add_round_key(state, s->words); - - for (i = 0; i < (Nr - 1); ++i) { - sub_bytes(state); - shift_rows(state); - mix_columns(state); - add_round_key(state, s->words + Nb * (i + 1)); - } - - sub_bytes(state); - shift_rows(state); - add_round_key(state, s->words + Nb * (i + 1)); - - (void)_copy(out, sizeof(state), state, sizeof(state)); - - /* zeroing out the state buffer */ - _set(state, TC_ZERO_BYTE, sizeof(state)); - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/cbc_mode.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/cbc_mode.c deleted file mode 100644 index 674f9c5de6..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/cbc_mode.c +++ /dev/null @@ -1,114 +0,0 @@ -/* cbc_mode.c - TinyCrypt implementation of CBC mode encryption & decryption */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -int tc_cbc_mode_encrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, const uint8_t *iv, - const TCAesKeySched_t sched) -{ - - uint8_t buffer[TC_AES_BLOCK_SIZE]; - unsigned int n, m; - - /* input sanity check: */ - if (out == (uint8_t *) 0 || - in == (const uint8_t *) 0 || - sched == (TCAesKeySched_t) 0 || - inlen == 0 || - outlen == 0 || - (inlen % TC_AES_BLOCK_SIZE) != 0 || - (outlen % TC_AES_BLOCK_SIZE) != 0 || - outlen != inlen + TC_AES_BLOCK_SIZE) { - return TC_CRYPTO_FAIL; - } - - /* copy iv to the buffer */ - (void)_copy(buffer, TC_AES_BLOCK_SIZE, iv, TC_AES_BLOCK_SIZE); - /* copy iv to the output buffer */ - (void)_copy(out, TC_AES_BLOCK_SIZE, iv, TC_AES_BLOCK_SIZE); - out += TC_AES_BLOCK_SIZE; - - for (n = m = 0; n < inlen; ++n) { - buffer[m++] ^= *in++; - if (m == TC_AES_BLOCK_SIZE) { - (void)tc_aes_encrypt(buffer, buffer, sched); - (void)_copy(out, TC_AES_BLOCK_SIZE, - buffer, TC_AES_BLOCK_SIZE); - out += TC_AES_BLOCK_SIZE; - m = 0; - } - } - - return TC_CRYPTO_SUCCESS; -} - -int tc_cbc_mode_decrypt(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, const uint8_t *iv, - const TCAesKeySched_t sched) -{ - - uint8_t buffer[TC_AES_BLOCK_SIZE]; - const uint8_t *p; - unsigned int n, m; - - /* sanity check the inputs */ - if (out == (uint8_t *) 0 || - in == (const uint8_t *) 0 || - sched == (TCAesKeySched_t) 0 || - inlen == 0 || - outlen == 0 || - (inlen % TC_AES_BLOCK_SIZE) != 0 || - (outlen % TC_AES_BLOCK_SIZE) != 0 || - outlen != inlen) { - return TC_CRYPTO_FAIL; - } - - /* - * Note that in == iv + ciphertext, i.e. the iv and the ciphertext are - * contiguous. This allows for a very efficient decryption algorithm - * that would not otherwise be possible. - */ - p = iv; - for (n = m = 0; n < outlen; ++n) { - if ((n % TC_AES_BLOCK_SIZE) == 0) { - (void)tc_aes_decrypt(buffer, in, sched); - in += TC_AES_BLOCK_SIZE; - m = 0; - } - *out++ = buffer[m++] ^ *p++; - } - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ccm_mode.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ccm_mode.c deleted file mode 100644 index 37f75cfa27..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ccm_mode.c +++ /dev/null @@ -1,266 +0,0 @@ -/* ccm_mode.c - TinyCrypt implementation of CCM mode */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -#include - -int tc_ccm_config(TCCcmMode_t c, TCAesKeySched_t sched, uint8_t *nonce, - unsigned int nlen, unsigned int mlen) -{ - - /* input sanity check: */ - if (c == (TCCcmMode_t) 0 || - sched == (TCAesKeySched_t) 0 || - nonce == (uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } else if (nlen != 13) { - return TC_CRYPTO_FAIL; /* The allowed nonce size is: 13. See documentation.*/ - } else if ((mlen < 4) || (mlen > 16) || (mlen & 1)) { - return TC_CRYPTO_FAIL; /* The allowed mac sizes are: 4, 6, 8, 10, 12, 14, 16.*/ - } - - c->mlen = mlen; - c->sched = sched; - c->nonce = nonce; - - return TC_CRYPTO_SUCCESS; -} - -/** - * Variation of CBC-MAC mode used in CCM. - */ -static void ccm_cbc_mac(uint8_t *T, const uint8_t *data, unsigned int dlen, - unsigned int flag, TCAesKeySched_t sched) -{ - - unsigned int i; - - if (flag > 0) { - T[0] ^= (uint8_t)(dlen >> 8); - T[1] ^= (uint8_t)(dlen); - dlen += 2; i = 2; - } else { - i = 0; - } - - while (i < dlen) { - T[i++ % (Nb * Nk)] ^= *data++; - if (((i % (Nb * Nk)) == 0) || dlen == i) { - (void) tc_aes_encrypt(T, T, sched); - } - } -} - -/** - * Variation of CTR mode used in CCM. - * The CTR mode used by CCM is slightly different than the conventional CTR - * mode (the counter is increased before encryption, instead of after - * encryption). Besides, it is assumed that the counter is stored in the last - * 2 bytes of the nonce. - */ -static int ccm_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched) -{ - - uint8_t buffer[TC_AES_BLOCK_SIZE]; - uint8_t nonce[TC_AES_BLOCK_SIZE]; - uint16_t block_num; - unsigned int i; - - /* input sanity check: */ - if (out == (uint8_t *) 0 || - in == (uint8_t *) 0 || - ctr == (uint8_t *) 0 || - sched == (TCAesKeySched_t) 0 || - inlen == 0 || - outlen == 0 || - outlen != inlen) { - return TC_CRYPTO_FAIL; - } - - /* copy the counter to the nonce */ - (void) _copy(nonce, sizeof(nonce), ctr, sizeof(nonce)); - - /* select the last 2 bytes of the nonce to be incremented */ - block_num = (uint16_t) ((nonce[14] << 8) | (nonce[15])); - for (i = 0; i < inlen; ++i) { - if ((i % (TC_AES_BLOCK_SIZE)) == 0) { - block_num++; - nonce[14] = (uint8_t)(block_num >> 8); - nonce[15] = (uint8_t)(block_num); - if (!tc_aes_encrypt(buffer, nonce, sched)) { - return TC_CRYPTO_FAIL; - } - } - /* update the output */ - *out++ = buffer[i % (TC_AES_BLOCK_SIZE)] ^ *in++; - } - - /* update the counter */ - ctr[14] = nonce[14]; ctr[15] = nonce[15]; - - return TC_CRYPTO_SUCCESS; -} - -int tc_ccm_generation_encryption(uint8_t *out, unsigned int olen, - const uint8_t *associated_data, - unsigned int alen, const uint8_t *payload, - unsigned int plen, TCCcmMode_t c) -{ - - /* input sanity check: */ - if ((out == (uint8_t *) 0) || - (c == (TCCcmMode_t) 0) || - ((plen > 0) && (payload == (uint8_t *) 0)) || - ((alen > 0) && (associated_data == (uint8_t *) 0)) || - (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */ - (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */ - (olen < (plen + c->mlen))) { /* invalid output buffer size */ - return TC_CRYPTO_FAIL; - } - - uint8_t b[Nb * Nk]; - uint8_t tag[Nb * Nk]; - unsigned int i; - - /* GENERATING THE AUTHENTICATION TAG: */ - - /* formatting the sequence b for authentication: */ - b[0] = ((alen > 0) ? 0x40 : 0) | (((c->mlen - 2) / 2 << 3)) | (1); - for (i = 1; i <= 13; ++i) { - b[i] = c->nonce[i - 1]; - } - b[14] = (uint8_t)(plen >> 8); - b[15] = (uint8_t)(plen); - - /* computing the authentication tag using cbc-mac: */ - (void) tc_aes_encrypt(tag, b, c->sched); - if (alen > 0) { - ccm_cbc_mac(tag, associated_data, alen, 1, c->sched); - } - if (plen > 0) { - ccm_cbc_mac(tag, payload, plen, 0, c->sched); - } - - /* ENCRYPTION: */ - - /* formatting the sequence b for encryption: */ - b[0] = 1; /* q - 1 = 2 - 1 = 1 */ - b[14] = b[15] = TC_ZERO_BYTE; - - /* encrypting payload using ctr mode: */ - ccm_ctr_mode(out, plen, payload, plen, b, c->sched); - - b[14] = b[15] = TC_ZERO_BYTE; /* restoring initial counter for ctr_mode (0):*/ - - /* encrypting b and adding the tag to the output: */ - (void) tc_aes_encrypt(b, b, c->sched); - out += plen; - for (i = 0; i < c->mlen; ++i) { - *out++ = tag[i] ^ b[i]; - } - - return TC_CRYPTO_SUCCESS; -} - -int tc_ccm_decryption_verification(uint8_t *out, unsigned int olen, - const uint8_t *associated_data, - unsigned int alen, const uint8_t *payload, - unsigned int plen, TCCcmMode_t c) -{ - - /* input sanity check: */ - if ((out == (uint8_t *) 0) || - (c == (TCCcmMode_t) 0) || - ((plen > 0) && (payload == (uint8_t *) 0)) || - ((alen > 0) && (associated_data == (uint8_t *) 0)) || - (alen >= TC_CCM_AAD_MAX_BYTES) || /* associated data size unsupported */ - (plen >= TC_CCM_PAYLOAD_MAX_BYTES) || /* payload size unsupported */ - (olen < plen - c->mlen)) { /* invalid output buffer size */ - return TC_CRYPTO_FAIL; - } - - uint8_t b[Nb * Nk]; - uint8_t tag[Nb * Nk]; - unsigned int i; - - /* DECRYPTION: */ - - /* formatting the sequence b for decryption: */ - b[0] = 1; /* q - 1 = 2 - 1 = 1 */ - for (i = 1; i < 14; ++i) { - b[i] = c->nonce[i - 1]; - } - b[14] = b[15] = TC_ZERO_BYTE; /* initial counter value is 0 */ - - /* decrypting payload using ctr mode: */ - ccm_ctr_mode(out, plen - c->mlen, payload, plen - c->mlen, b, c->sched); - - b[14] = b[15] = TC_ZERO_BYTE; /* restoring initial counter value (0) */ - - /* encrypting b and restoring the tag from input: */ - (void) tc_aes_encrypt(b, b, c->sched); - for (i = 0; i < c->mlen; ++i) { - tag[i] = *(payload + plen - c->mlen + i) ^ b[i]; - } - - /* VERIFYING THE AUTHENTICATION TAG: */ - - /* formatting the sequence b for authentication: */ - b[0] = ((alen > 0) ? 0x40 : 0) | (((c->mlen - 2) / 2 << 3)) | (1); - for (i = 1; i < 14; ++i) { - b[i] = c->nonce[i - 1]; - } - b[14] = (uint8_t)((plen - c->mlen) >> 8); - b[15] = (uint8_t)(plen - c->mlen); - - /* computing the authentication tag using cbc-mac: */ - (void) tc_aes_encrypt(b, b, c->sched); - if (alen > 0) { - ccm_cbc_mac(b, associated_data, alen, 1, c->sched); - } - if (plen > 0) { - ccm_cbc_mac(b, out, plen - c->mlen, 0, c->sched); - } - - /* comparing the received tag and the computed one: */ - if (_compare(b, tag, c->mlen) == 0) { - return TC_CRYPTO_SUCCESS; - } else { - /* erase the decrypted buffer in case of mac validation failure: */ - _set(out, 0, plen - c->mlen); - return TC_CRYPTO_FAIL; - } -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/cmac_mode.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/cmac_mode.c deleted file mode 100644 index a4e040428f..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/cmac_mode.c +++ /dev/null @@ -1,254 +0,0 @@ -/* cmac_mode.c - TinyCrypt CMAC mode implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include -#include - -/* max number of calls until change the key (2^48).*/ -static const uint64_t MAX_CALLS = ((uint64_t)1 << 48); - -/* - * gf_wrap -- In our implementation, GF(2^128) is represented as a 16 byte - * array with byte 0 the most significant and byte 15 the least significant. - * High bit carry reduction is based on the primitive polynomial - * - * X^128 + X^7 + X^2 + X + 1, - * - * which leads to the reduction formula X^128 = X^7 + X^2 + X + 1. Indeed, - * since 0 = (X^128 + X^7 + X^2 + 1) mod (X^128 + X^7 + X^2 + X + 1) and since - * addition of polynomials with coefficients in Z/Z(2) is just XOR, we can - * add X^128 to both sides to get - * - * X^128 = (X^7 + X^2 + X + 1) mod (X^128 + X^7 + X^2 + X + 1) - * - * and the coefficients of the polynomial on the right hand side form the - * string 1000 0111 = 0x87, which is the value of gf_wrap. - * - * This gets used in the following way. Doubling in GF(2^128) is just a left - * shift by 1 bit, except when the most significant bit is 1. In the latter - * case, the relation X^128 = X^7 + X^2 + X + 1 says that the high order bit - * that overflows beyond 128 bits can be replaced by addition of - * X^7 + X^2 + X + 1 <--> 0x87 to the low order 128 bits. Since addition - * in GF(2^128) is represented by XOR, we therefore only have to XOR 0x87 - * into the low order byte after a left shift when the starting high order - * bit is 1. - */ -const unsigned char gf_wrap = 0x87; - -/* - * assumes: out != NULL and points to a GF(2^n) value to receive the - * doubled value; - * in != NULL and points to a 16 byte GF(2^n) value - * to double; - * the in and out buffers do not overlap. - * effects: doubles the GF(2^n) value pointed to by "in" and places - * the result in the GF(2^n) value pointed to by "out." - */ -void gf_double(uint8_t *out, uint8_t *in) -{ - - /* start with low order byte */ - uint8_t *x = in + (TC_AES_BLOCK_SIZE - 1); - - /* if msb == 1, we need to add the gf_wrap value, otherwise add 0 */ - uint8_t carry = (in[0] >> 7) ? gf_wrap : 0; - - out += (TC_AES_BLOCK_SIZE - 1); - for (;;) { - *out-- = (*x << 1) ^ carry; - if (x == in) { - break; - } - carry = *x-- >> 7; - } -} - -int tc_cmac_setup(TCCmacState_t s, const uint8_t *key, TCAesKeySched_t sched) -{ - - /* input sanity check: */ - if (s == (TCCmacState_t) 0 || - key == (const uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } - - /* put s into a known state */ - _set(s, 0, sizeof(*s)); - s->sched = sched; - - /* configure the encryption key used by the underlying block cipher */ - tc_aes128_set_encrypt_key(s->sched, key); - - /* compute s->K1 and s->K2 from s->iv using s->keyid */ - _set(s->iv, 0, TC_AES_BLOCK_SIZE); - tc_aes_encrypt(s->iv, s->iv, s->sched); - gf_double (s->K1, s->iv); - gf_double (s->K2, s->K1); - - /* reset s->iv to 0 in case someone wants to compute now */ - tc_cmac_init(s); - - return TC_CRYPTO_SUCCESS; -} - -int tc_cmac_erase(TCCmacState_t s) -{ - if (s == (TCCmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - /* destroy the current state */ - _set(s, 0, sizeof(*s)); - - return TC_CRYPTO_SUCCESS; -} - -int tc_cmac_init(TCCmacState_t s) -{ - /* input sanity check: */ - if (s == (TCCmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - /* CMAC starts with an all zero initialization vector */ - _set(s->iv, 0, TC_AES_BLOCK_SIZE); - - /* and the leftover buffer is empty */ - _set(s->leftover, 0, TC_AES_BLOCK_SIZE); - s->leftover_offset = 0; - - /* Set countdown to max number of calls allowed before re-keying: */ - s->countdown = MAX_CALLS; - - return TC_CRYPTO_SUCCESS; -} - -int tc_cmac_update(TCCmacState_t s, const uint8_t *data, size_t data_length) -{ - unsigned int i; - - /* input sanity check: */ - if (s == (TCCmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - if (data_length == 0) { - return TC_CRYPTO_SUCCESS; - } - if (data == (const uint8_t *) 0) { - return TC_CRYPTO_FAIL; - } - - if (s->countdown == 0) { - return TC_CRYPTO_FAIL; - } - - s->countdown--; - - if (s->leftover_offset > 0) { - /* last data added to s didn't end on a TC_AES_BLOCK_SIZE byte boundary */ - size_t remaining_space = TC_AES_BLOCK_SIZE - s->leftover_offset; - - if (data_length < remaining_space) { - /* still not enough data to encrypt this time either */ - _copy(&s->leftover[s->leftover_offset], data_length, data, data_length); - s->leftover_offset += data_length; - return TC_CRYPTO_SUCCESS; - } - /* leftover block is now full; encrypt it first */ - _copy(&s->leftover[s->leftover_offset], - remaining_space, - data, - remaining_space); - data_length -= remaining_space; - data += remaining_space; - s->leftover_offset = 0; - - for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { - s->iv[i] ^= s->leftover[i]; - } - tc_aes_encrypt(s->iv, s->iv, s->sched); - } - - /* CBC encrypt each (except the last) of the data blocks */ - while (data_length > TC_AES_BLOCK_SIZE) { - for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { - s->iv[i] ^= data[i]; - } - tc_aes_encrypt(s->iv, s->iv, s->sched); - data += TC_AES_BLOCK_SIZE; - data_length -= TC_AES_BLOCK_SIZE; - } - - if (data_length > 0) { - /* save leftover data for next time */ - _copy(s->leftover, data_length, data, data_length); - s->leftover_offset = data_length; - } - - return TC_CRYPTO_SUCCESS; -} - -int tc_cmac_final(uint8_t *tag, TCCmacState_t s) -{ - uint8_t *k; - unsigned int i; - - /* input sanity check: */ - if (tag == (uint8_t *) 0 || - s == (TCCmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - if (s->leftover_offset == TC_AES_BLOCK_SIZE) { - /* the last message block is a full-sized block */ - k = (uint8_t *) s->K1; - } else { - /* the final message block is not a full-sized block */ - size_t remaining = TC_AES_BLOCK_SIZE - s->leftover_offset; - - _set(&s->leftover[s->leftover_offset], 0, remaining); - s->leftover[s->leftover_offset] = TC_CMAC_PADDING; - k = (uint8_t *) s->K2; - } - for (i = 0; i < TC_AES_BLOCK_SIZE; ++i) { - s->iv[i] ^= s->leftover[i] ^ k[i]; - } - - tc_aes_encrypt(tag, s->iv, s->sched); - - /* erasing state: */ - tc_cmac_erase(s); - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_mode.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_mode.c deleted file mode 100644 index 1cb12bc8c6..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_mode.c +++ /dev/null @@ -1,85 +0,0 @@ -/* ctr_mode.c - TinyCrypt CTR mode implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -int tc_ctr_mode(uint8_t *out, unsigned int outlen, const uint8_t *in, - unsigned int inlen, uint8_t *ctr, const TCAesKeySched_t sched) -{ - - uint8_t buffer[TC_AES_BLOCK_SIZE]; - uint8_t nonce[TC_AES_BLOCK_SIZE]; - unsigned int block_num; - unsigned int i; - - /* input sanity check: */ - if (out == (uint8_t *) 0 || - in == (uint8_t *) 0 || - ctr == (uint8_t *) 0 || - sched == (TCAesKeySched_t) 0 || - inlen == 0 || - outlen == 0 || - outlen != inlen) { - return TC_CRYPTO_FAIL; - } - - /* copy the ctr to the nonce */ - (void)_copy(nonce, sizeof(nonce), ctr, sizeof(nonce)); - - /* select the last 4 bytes of the nonce to be incremented */ - block_num = (nonce[12] << 24) | (nonce[13] << 16) | - (nonce[14] << 8) | (nonce[15]); - for (i = 0; i < inlen; ++i) { - if ((i % (TC_AES_BLOCK_SIZE)) == 0) { - /* encrypt data using the current nonce */ - if (tc_aes_encrypt(buffer, nonce, sched)) { - block_num++; - nonce[12] = (uint8_t)(block_num >> 24); - nonce[13] = (uint8_t)(block_num >> 16); - nonce[14] = (uint8_t)(block_num >> 8); - nonce[15] = (uint8_t)(block_num); - } else { - return TC_CRYPTO_FAIL; - } - } - /* update the output */ - *out++ = buffer[i % (TC_AES_BLOCK_SIZE)] ^ *in++; - } - - /* update the counter */ - ctr[12] = nonce[12]; ctr[13] = nonce[13]; - ctr[14] = nonce[14]; ctr[15] = nonce[15]; - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_prng.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_prng.c deleted file mode 100644 index f273ee5555..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_prng.c +++ /dev/null @@ -1,279 +0,0 @@ -/* ctr_prng.c - TinyCrypt implementation of CTR-PRNG */ - -/* - * Copyright (c) 2016, Chris Morrison - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include -#include - -/* - * This PRNG is based on the CTR_DRBG described in Recommendation for Random - * Number Generation Using Deterministic Random Bit Generators, - * NIST SP 800-90A Rev. 1. - * - * Annotations to particular steps (e.g. 10.2.1.2 Step 1) refer to the steps - * described in that document. - * - */ - -/** - * @brief Array incrementer - * Treats the supplied array as one contiguous number (MSB in arr[0]), and - * increments it by one - * @return none - * @param arr IN/OUT -- array to be incremented - * @param len IN -- size of arr in bytes - */ -static void arrInc(uint8_t arr[], unsigned int len) -{ - unsigned int i; - if (0 != arr) { - for (i = len; i > 0U; i--) { - if (++arr[i - 1] != 0U) { - break; - } - } - } -} - -/** - * @brief CTR PRNG update - * Updates the internal state of supplied the CTR PRNG context - * increments it by one - * @return none - * @note Assumes: providedData is (TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE) bytes long - * @param ctx IN/OUT -- CTR PRNG state - * @param providedData IN -- data used when updating the internal state - */ -static void tc_ctr_prng_update(TCCtrPrng_t *const ctx, uint8_t const *const providedData) -{ - if (0 != ctx) { - /* 10.2.1.2 step 1 */ - uint8_t temp[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; - unsigned int len = 0U; - - /* 10.2.1.2 step 2 */ - while (len < sizeof temp) { - unsigned int blocklen = sizeof(temp) - len; - uint8_t output_block[TC_AES_BLOCK_SIZE]; - - /* 10.2.1.2 step 2.1 */ - arrInc(ctx->V, sizeof ctx->V); - - /* 10.2.1.2 step 2.2 */ - if (blocklen > TC_AES_BLOCK_SIZE) { - blocklen = TC_AES_BLOCK_SIZE; - } - (void)tc_aes_encrypt(output_block, ctx->V, &ctx->key); - - /* 10.2.1.2 step 2.3/step 3 */ - memcpy(&(temp[len]), output_block, blocklen); - - len += blocklen; - } - - /* 10.2.1.2 step 4 */ - if (0 != providedData) { - unsigned int i; - for (i = 0U; i < sizeof temp; i++) { - temp[i] ^= providedData[i]; - } - } - - /* 10.2.1.2 step 5 */ - (void)tc_aes128_set_encrypt_key(&ctx->key, temp); - - /* 10.2.1.2 step 6 */ - memcpy(ctx->V, &(temp[TC_AES_KEY_SIZE]), TC_AES_BLOCK_SIZE); - } -} - -int tc_ctr_prng_init(TCCtrPrng_t *const ctx, - uint8_t const *const entropy, - unsigned int entropyLen, - uint8_t const *const personalization, - unsigned int pLen) -{ - int result = TC_CRYPTO_FAIL; - unsigned int i; - uint8_t personalization_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; - uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; - uint8_t zeroArr[TC_AES_BLOCK_SIZE] = {0U}; - - if (0 != personalization) { - /* 10.2.1.3.1 step 1 */ - unsigned int len = pLen; - if (len > sizeof personalization_buf) { - len = sizeof personalization_buf; - } - - /* 10.2.1.3.1 step 2 */ - memcpy(personalization_buf, personalization, len); - } - - if ((0 != ctx) && (0 != entropy) && (entropyLen >= sizeof seed_material)) { - /* 10.2.1.3.1 step 3 */ - memcpy(seed_material, entropy, sizeof seed_material); - for (i = 0U; i < sizeof seed_material; i++) { - seed_material[i] ^= personalization_buf[i]; - } - - /* 10.2.1.3.1 step 4 */ - (void)tc_aes128_set_encrypt_key(&ctx->key, zeroArr); - - /* 10.2.1.3.1 step 5 */ - memset(ctx->V, 0x00, sizeof ctx->V); - - /* 10.2.1.3.1 step 6 */ - tc_ctr_prng_update(ctx, seed_material); - - /* 10.2.1.3.1 step 7 */ - ctx->reseedCount = 1U; - - result = TC_CRYPTO_SUCCESS; - } - return result; -} - -int tc_ctr_prng_reseed(TCCtrPrng_t *const ctx, - uint8_t const *const entropy, - unsigned int entropyLen, - uint8_t const *const additional_input, - unsigned int additionallen) -{ - unsigned int i; - int result = TC_CRYPTO_FAIL; - uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; - uint8_t seed_material[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE]; - - if (0 != additional_input) { - /* 10.2.1.4.1 step 1 */ - unsigned int len = additionallen; - if (len > sizeof additional_input_buf) { - len = sizeof additional_input_buf; - } - - /* 10.2.1.4.1 step 2 */ - memcpy(additional_input_buf, additional_input, len); - } - - unsigned int seedlen = (unsigned int)TC_AES_KEY_SIZE + (unsigned int)TC_AES_BLOCK_SIZE; - if ((0 != ctx) && (entropyLen >= seedlen)) { - /* 10.2.1.4.1 step 3 */ - memcpy(seed_material, entropy, sizeof seed_material); - for (i = 0U; i < sizeof seed_material; i++) { - seed_material[i] ^= additional_input_buf[i]; - } - - /* 10.2.1.4.1 step 4 */ - tc_ctr_prng_update(ctx, seed_material); - - /* 10.2.1.4.1 step 5 */ - ctx->reseedCount = 1U; - - result = TC_CRYPTO_SUCCESS; - } - return result; -} - -int tc_ctr_prng_generate(TCCtrPrng_t *const ctx, - uint8_t const *const additional_input, - unsigned int additionallen, - uint8_t *const out, - unsigned int outlen) -{ - /* 2^48 - see section 10.2.1 */ - static const uint64_t MAX_REQS_BEFORE_RESEED = 0x1000000000000ULL; - - /* 2^19 bits - see section 10.2.1 */ - static const unsigned int MAX_BYTES_PER_REQ = 65536U; - - unsigned int result = TC_CRYPTO_FAIL; - - if ((0 != ctx) && (0 != out) && (outlen < MAX_BYTES_PER_REQ)) { - /* 10.2.1.5.1 step 1 */ - if (ctx->reseedCount > MAX_REQS_BEFORE_RESEED) { - result = TC_CTR_PRNG_RESEED_REQ; - } else { - uint8_t additional_input_buf[TC_AES_KEY_SIZE + TC_AES_BLOCK_SIZE] = {0U}; - if (0 != additional_input) { - /* 10.2.1.5.1 step 2 */ - unsigned int len = additionallen; - if (len > sizeof additional_input_buf) { - len = sizeof additional_input_buf; - } - memcpy(additional_input_buf, additional_input, len); - tc_ctr_prng_update(ctx, additional_input_buf); - } - - /* 10.2.1.5.1 step 3 - implicit */ - - /* 10.2.1.5.1 step 4 */ - unsigned int len = 0U; - while (len < outlen) { - unsigned int blocklen = outlen - len; - uint8_t output_block[TC_AES_BLOCK_SIZE]; - - /* 10.2.1.5.1 step 4.1 */ - arrInc(ctx->V, sizeof ctx->V); - - /* 10.2.1.5.1 step 4.2 */ - (void)tc_aes_encrypt(output_block, ctx->V, &ctx->key); - - /* 10.2.1.5.1 step 4.3/step 5 */ - if (blocklen > TC_AES_BLOCK_SIZE) { - blocklen = TC_AES_BLOCK_SIZE; - } - memcpy(&(out[len]), output_block, blocklen); - - len += blocklen; - } - - /* 10.2.1.5.1 step 6 */ - tc_ctr_prng_update(ctx, additional_input_buf); - - /* 10.2.1.5.1 step 7 */ - ctx->reseedCount++; - - /* 10.2.1.5.1 step 8 */ - result = TC_CRYPTO_SUCCESS; - } - } - - return result; -} - -void tc_ctr_prng_uninstantiate(TCCtrPrng_t *const ctx) -{ - if (0 != ctx) { - memset(ctx->key.words, 0x00, sizeof ctx->key.words); - memset(ctx->V, 0x00, sizeof ctx->V); - ctx->reseedCount = 0U; - } -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc.c deleted file mode 100644 index 5606b67a9a..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc.c +++ /dev/null @@ -1,939 +0,0 @@ -/* ecc.c - TinyCrypt implementation of common ECC functions */ - -/* - * Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON - * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - * - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -/* IMPORTANT: Make sure a cryptographically-secure PRNG is set and the platform - * has access to enough entropy in order to feed the PRNG regularly. */ -#if default_RNG_defined -static uECC_RNG_Function g_rng_function = &default_CSPRNG; -#else -static uECC_RNG_Function g_rng_function = 0; -#endif - -void uECC_set_rng(uECC_RNG_Function rng_function) -{ - g_rng_function = rng_function; -} - -uECC_RNG_Function uECC_get_rng(void) -{ - return g_rng_function; -} - -int uECC_curve_private_key_size(uECC_Curve curve) -{ - return BITS_TO_BYTES(curve->num_n_bits); -} - -int uECC_curve_public_key_size(uECC_Curve curve) -{ - return 2 * curve->num_bytes; -} - -void uECC_vli_clear(uECC_word_t *vli, wordcount_t num_words) -{ - wordcount_t i; - for (i = 0; i < num_words; ++i) { - vli[i] = 0; - } -} - -uECC_word_t uECC_vli_isZero(const uECC_word_t *vli, wordcount_t num_words) -{ - uECC_word_t bits = 0; - wordcount_t i; - for (i = 0; i < num_words; ++i) { - bits |= vli[i]; - } - return (bits == 0); -} - -uECC_word_t uECC_vli_testBit(const uECC_word_t *vli, bitcount_t bit) -{ - return (vli[bit >> uECC_WORD_BITS_SHIFT] & - ((uECC_word_t)1 << (bit & uECC_WORD_BITS_MASK))); -} - -/* Counts the number of words in vli. */ -static wordcount_t vli_numDigits(const uECC_word_t *vli, - const wordcount_t max_words) -{ - - wordcount_t i; - /* Search from the end until we find a non-zero digit. We do it in reverse - * because we expect that most digits will be nonzero. */ - for (i = max_words - 1; i >= 0 && vli[i] == 0; --i) { - } - - return (i + 1); -} - -bitcount_t uECC_vli_numBits(const uECC_word_t *vli, - const wordcount_t max_words) -{ - - uECC_word_t i; - uECC_word_t digit; - - wordcount_t num_digits = vli_numDigits(vli, max_words); - if (num_digits == 0) { - return 0; - } - - digit = vli[num_digits - 1]; - for (i = 0; digit; ++i) { - digit >>= 1; - } - - return (((bitcount_t)(num_digits - 1) << uECC_WORD_BITS_SHIFT) + i); -} - -void uECC_vli_set(uECC_word_t *dest, const uECC_word_t *src, - wordcount_t num_words) -{ - wordcount_t i; - - for (i = 0; i < num_words; ++i) { - dest[i] = src[i]; - } -} - -cmpresult_t uECC_vli_cmp_unsafe(const uECC_word_t *left, - const uECC_word_t *right, - wordcount_t num_words) -{ - wordcount_t i; - - for (i = num_words - 1; i >= 0; --i) { - if (left[i] > right[i]) { - return 1; - } else if (left[i] < right[i]) { - return -1; - } - } - return 0; -} - -uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right, - wordcount_t num_words) -{ - - uECC_word_t diff = 0; - wordcount_t i; - - for (i = num_words - 1; i >= 0; --i) { - diff |= (left[i] ^ right[i]); - } - return !(diff == 0); -} - -uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond) -{ - return (p_true * (cond)) | (p_false * (!cond)); -} - -/* Computes result = left - right, returning borrow, in constant time. - * Can modify in place. */ -uECC_word_t uECC_vli_sub(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, wordcount_t num_words) -{ - uECC_word_t borrow = 0; - wordcount_t i; - for (i = 0; i < num_words; ++i) { - uECC_word_t diff = left[i] - right[i] - borrow; - uECC_word_t val = (diff > left[i]); - borrow = cond_set(val, borrow, (diff != left[i])); - - result[i] = diff; - } - return borrow; -} - -/* Computes result = left + right, returning carry, in constant time. - * Can modify in place. */ -static uECC_word_t uECC_vli_add(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, wordcount_t num_words) -{ - uECC_word_t carry = 0; - wordcount_t i; - for (i = 0; i < num_words; ++i) { - uECC_word_t sum = left[i] + right[i] + carry; - uECC_word_t val = (sum < left[i]); - carry = cond_set(val, carry, (sum != left[i])); - result[i] = sum; - } - return carry; -} - -cmpresult_t uECC_vli_cmp(const uECC_word_t *left, const uECC_word_t *right, - wordcount_t num_words) -{ - uECC_word_t tmp[NUM_ECC_WORDS]; - uECC_word_t neg = !!uECC_vli_sub(tmp, left, right, num_words); - uECC_word_t equal = uECC_vli_isZero(tmp, num_words); - return (!equal - 2 * neg); -} - -/* Computes vli = vli >> 1. */ -static void uECC_vli_rshift1(uECC_word_t *vli, wordcount_t num_words) -{ - uECC_word_t *end = vli; - uECC_word_t carry = 0; - - vli += num_words; - while (vli-- > end) { - uECC_word_t temp = *vli; - *vli = (temp >> 1) | carry; - carry = temp << (uECC_WORD_BITS - 1); - } -} - -static void muladd(uECC_word_t a, uECC_word_t b, uECC_word_t *r0, - uECC_word_t *r1, uECC_word_t *r2) -{ - - uECC_dword_t p = (uECC_dword_t)a * b; - uECC_dword_t r01 = ((uECC_dword_t)(*r1) << uECC_WORD_BITS) | *r0; - r01 += p; - *r2 += (r01 < p); - *r1 = r01 >> uECC_WORD_BITS; - *r0 = (uECC_word_t)r01; - -} - -/* Computes result = left * right. Result must be 2 * num_words long. */ -static void uECC_vli_mult(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, wordcount_t num_words) -{ - - uECC_word_t r0 = 0; - uECC_word_t r1 = 0; - uECC_word_t r2 = 0; - wordcount_t i, k; - - /* Compute each digit of result in sequence, maintaining the carries. */ - for (k = 0; k < num_words; ++k) { - - for (i = 0; i <= k; ++i) { - muladd(left[i], right[k - i], &r0, &r1, &r2); - } - - result[k] = r0; - r0 = r1; - r1 = r2; - r2 = 0; - } - - for (k = num_words; k < num_words * 2 - 1; ++k) { - - for (i = (k + 1) - num_words; i < num_words; ++i) { - muladd(left[i], right[k - i], &r0, &r1, &r2); - } - result[k] = r0; - r0 = r1; - r1 = r2; - r2 = 0; - } - result[num_words * 2 - 1] = r0; -} - -void uECC_vli_modAdd(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words) -{ - uECC_word_t carry = uECC_vli_add(result, left, right, num_words); - if (carry || uECC_vli_cmp_unsafe(mod, result, num_words) != 1) { - /* result > mod (result = mod + remainder), so subtract mod to get - * remainder. */ - uECC_vli_sub(result, result, mod, num_words); - } -} - -void uECC_vli_modSub(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words) -{ - uECC_word_t l_borrow = uECC_vli_sub(result, left, right, num_words); - if (l_borrow) { - /* In this case, result == -diff == (max int) - diff. Since -x % d == d - x, - * we can get the correct result from result + mod (with overflow). */ - uECC_vli_add(result, result, mod, num_words); - } -} - -/* Computes result = product % mod, where product is 2N words long. */ -/* Currently only designed to work for curve_p or curve_n. */ -void uECC_vli_mmod(uECC_word_t *result, uECC_word_t *product, - const uECC_word_t *mod, wordcount_t num_words) -{ - uECC_word_t mod_multiple[2 * NUM_ECC_WORDS]; - uECC_word_t tmp[2 * NUM_ECC_WORDS]; - uECC_word_t *v[2] = {tmp, product}; - uECC_word_t index; - - /* Shift mod so its highest set bit is at the maximum position. */ - bitcount_t shift = (num_words * 2 * uECC_WORD_BITS) - - uECC_vli_numBits(mod, num_words); - wordcount_t word_shift = shift / uECC_WORD_BITS; - wordcount_t bit_shift = shift % uECC_WORD_BITS; - uECC_word_t carry = 0; - uECC_vli_clear(mod_multiple, word_shift); - if (bit_shift > 0) { - for (index = 0; index < (uECC_word_t)num_words; ++index) { - mod_multiple[word_shift + index] = (mod[index] << bit_shift) | carry; - carry = mod[index] >> (uECC_WORD_BITS - bit_shift); - } - } else { - uECC_vli_set(mod_multiple + word_shift, mod, num_words); - } - - for (index = 1; shift >= 0; --shift) { - uECC_word_t borrow = 0; - wordcount_t i; - for (i = 0; i < num_words * 2; ++i) { - uECC_word_t diff = v[index][i] - mod_multiple[i] - borrow; - if (diff != v[index][i]) { - borrow = (diff > v[index][i]); - } - v[1 - index][i] = diff; - } - /* Swap the index if there was no borrow */ - index = !(index ^ borrow); - uECC_vli_rshift1(mod_multiple, num_words); - mod_multiple[num_words - 1] |= mod_multiple[num_words] << - (uECC_WORD_BITS - 1); - uECC_vli_rshift1(mod_multiple + num_words, num_words); - } - uECC_vli_set(result, v[index], num_words); -} - -void uECC_vli_modMult(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, const uECC_word_t *mod, - wordcount_t num_words) -{ - uECC_word_t product[2 * NUM_ECC_WORDS]; - uECC_vli_mult(product, left, right, num_words); - uECC_vli_mmod(result, product, mod, num_words); -} - -void uECC_vli_modMult_fast(uECC_word_t *result, const uECC_word_t *left, - const uECC_word_t *right, uECC_Curve curve) -{ - uECC_word_t product[2 * NUM_ECC_WORDS]; - uECC_vli_mult(product, left, right, curve->num_words); - - curve->mmod_fast(result, product); -} - -static void uECC_vli_modSquare_fast(uECC_word_t *result, - const uECC_word_t *left, - uECC_Curve curve) -{ - uECC_vli_modMult_fast(result, left, left, curve); -} - - -#define EVEN(vli) (!(vli[0] & 1)) - -static void vli_modInv_update(uECC_word_t *uv, - const uECC_word_t *mod, - wordcount_t num_words) -{ - - uECC_word_t carry = 0; - - if (!EVEN(uv)) { - carry = uECC_vli_add(uv, uv, mod, num_words); - } - uECC_vli_rshift1(uv, num_words); - if (carry) { - uv[num_words - 1] |= HIGH_BIT_SET; - } -} - -void uECC_vli_modInv(uECC_word_t *result, const uECC_word_t *input, - const uECC_word_t *mod, wordcount_t num_words) -{ - uECC_word_t a[NUM_ECC_WORDS], b[NUM_ECC_WORDS]; - uECC_word_t u[NUM_ECC_WORDS], v[NUM_ECC_WORDS]; - cmpresult_t cmpResult; - - if (uECC_vli_isZero(input, num_words)) { - uECC_vli_clear(result, num_words); - return; - } - - uECC_vli_set(a, input, num_words); - uECC_vli_set(b, mod, num_words); - uECC_vli_clear(u, num_words); - u[0] = 1; - uECC_vli_clear(v, num_words); - while ((cmpResult = uECC_vli_cmp_unsafe(a, b, num_words)) != 0) { - if (EVEN(a)) { - uECC_vli_rshift1(a, num_words); - vli_modInv_update(u, mod, num_words); - } else if (EVEN(b)) { - uECC_vli_rshift1(b, num_words); - vli_modInv_update(v, mod, num_words); - } else if (cmpResult > 0) { - uECC_vli_sub(a, a, b, num_words); - uECC_vli_rshift1(a, num_words); - if (uECC_vli_cmp_unsafe(u, v, num_words) < 0) { - uECC_vli_add(u, u, mod, num_words); - } - uECC_vli_sub(u, u, v, num_words); - vli_modInv_update(u, mod, num_words); - } else { - uECC_vli_sub(b, b, a, num_words); - uECC_vli_rshift1(b, num_words); - if (uECC_vli_cmp_unsafe(v, u, num_words) < 0) { - uECC_vli_add(v, v, mod, num_words); - } - uECC_vli_sub(v, v, u, num_words); - vli_modInv_update(v, mod, num_words); - } - } - uECC_vli_set(result, u, num_words); -} - -/* ------ Point operations ------ */ - -void double_jacobian_default(uECC_word_t *X1, uECC_word_t *Y1, - uECC_word_t *Z1, uECC_Curve curve) -{ - /* t1 = X, t2 = Y, t3 = Z */ - uECC_word_t t4[NUM_ECC_WORDS]; - uECC_word_t t5[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - - if (uECC_vli_isZero(Z1, num_words)) { - return; - } - - uECC_vli_modSquare_fast(t4, Y1, curve); /* t4 = y1^2 */ - uECC_vli_modMult_fast(t5, X1, t4, curve); /* t5 = x1*y1^2 = A */ - uECC_vli_modSquare_fast(t4, t4, curve); /* t4 = y1^4 */ - uECC_vli_modMult_fast(Y1, Y1, Z1, curve); /* t2 = y1*z1 = z3 */ - uECC_vli_modSquare_fast(Z1, Z1, curve); /* t3 = z1^2 */ - - uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = x1 + z1^2 */ - uECC_vli_modAdd(Z1, Z1, Z1, curve->p, num_words); /* t3 = 2*z1^2 */ - uECC_vli_modSub(Z1, X1, Z1, curve->p, num_words); /* t3 = x1 - z1^2 */ - uECC_vli_modMult_fast(X1, X1, Z1, curve); /* t1 = x1^2 - z1^4 */ - - uECC_vli_modAdd(Z1, X1, X1, curve->p, num_words); /* t3 = 2*(x1^2 - z1^4) */ - uECC_vli_modAdd(X1, X1, Z1, curve->p, num_words); /* t1 = 3*(x1^2 - z1^4) */ - if (uECC_vli_testBit(X1, 0)) { - uECC_word_t l_carry = uECC_vli_add(X1, X1, curve->p, num_words); - uECC_vli_rshift1(X1, num_words); - X1[num_words - 1] |= l_carry << (uECC_WORD_BITS - 1); - } else { - uECC_vli_rshift1(X1, num_words); - } - - /* t1 = 3/2*(x1^2 - z1^4) = B */ - uECC_vli_modSquare_fast(Z1, X1, curve); /* t3 = B^2 */ - uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - A */ - uECC_vli_modSub(Z1, Z1, t5, curve->p, num_words); /* t3 = B^2 - 2A = x3 */ - uECC_vli_modSub(t5, t5, Z1, curve->p, num_words); /* t5 = A - x3 */ - uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = B * (A - x3) */ - /* t4 = B * (A - x3) - y1^4 = y3: */ - uECC_vli_modSub(t4, X1, t4, curve->p, num_words); - - uECC_vli_set(X1, Z1, num_words); - uECC_vli_set(Z1, Y1, num_words); - uECC_vli_set(Y1, t4, num_words); -} - -void x_side_default(uECC_word_t *result, - const uECC_word_t *x, - uECC_Curve curve) -{ - uECC_word_t _3[NUM_ECC_WORDS] = {3}; /* -a = 3 */ - wordcount_t num_words = curve->num_words; - - uECC_vli_modSquare_fast(result, x, curve); /* r = x^2 */ - uECC_vli_modSub(result, result, _3, curve->p, num_words); /* r = x^2 - 3 */ - uECC_vli_modMult_fast(result, result, x, curve); /* r = x^3 - 3x */ - /* r = x^3 - 3x + b: */ - uECC_vli_modAdd(result, result, curve->b, curve->p, num_words); -} - -uECC_Curve uECC_secp256r1(void) -{ - return &curve_secp256r1; -} - -void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int *product) -{ - unsigned int tmp[NUM_ECC_WORDS]; - int carry; - - /* t */ - uECC_vli_set(result, product, NUM_ECC_WORDS); - - /* s1 */ - tmp[0] = tmp[1] = tmp[2] = 0; - tmp[3] = product[11]; - tmp[4] = product[12]; - tmp[5] = product[13]; - tmp[6] = product[14]; - tmp[7] = product[15]; - carry = uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS); - carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); - - /* s2 */ - tmp[3] = product[12]; - tmp[4] = product[13]; - tmp[5] = product[14]; - tmp[6] = product[15]; - tmp[7] = 0; - carry += uECC_vli_add(tmp, tmp, tmp, NUM_ECC_WORDS); - carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); - - /* s3 */ - tmp[0] = product[8]; - tmp[1] = product[9]; - tmp[2] = product[10]; - tmp[3] = tmp[4] = tmp[5] = 0; - tmp[6] = product[14]; - tmp[7] = product[15]; - carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); - - /* s4 */ - tmp[0] = product[9]; - tmp[1] = product[10]; - tmp[2] = product[11]; - tmp[3] = product[13]; - tmp[4] = product[14]; - tmp[5] = product[15]; - tmp[6] = product[13]; - tmp[7] = product[8]; - carry += uECC_vli_add(result, result, tmp, NUM_ECC_WORDS); - - /* d1 */ - tmp[0] = product[11]; - tmp[1] = product[12]; - tmp[2] = product[13]; - tmp[3] = tmp[4] = tmp[5] = 0; - tmp[6] = product[8]; - tmp[7] = product[10]; - carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); - - /* d2 */ - tmp[0] = product[12]; - tmp[1] = product[13]; - tmp[2] = product[14]; - tmp[3] = product[15]; - tmp[4] = tmp[5] = 0; - tmp[6] = product[9]; - tmp[7] = product[11]; - carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); - - /* d3 */ - tmp[0] = product[13]; - tmp[1] = product[14]; - tmp[2] = product[15]; - tmp[3] = product[8]; - tmp[4] = product[9]; - tmp[5] = product[10]; - tmp[6] = 0; - tmp[7] = product[12]; - carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); - - /* d4 */ - tmp[0] = product[14]; - tmp[1] = product[15]; - tmp[2] = 0; - tmp[3] = product[9]; - tmp[4] = product[10]; - tmp[5] = product[11]; - tmp[6] = 0; - tmp[7] = product[13]; - carry -= uECC_vli_sub(result, result, tmp, NUM_ECC_WORDS); - - if (carry < 0) { - do { - carry += uECC_vli_add(result, result, curve_secp256r1.p, NUM_ECC_WORDS); - } while (carry < 0); - } else { - while (carry || - uECC_vli_cmp_unsafe(curve_secp256r1.p, result, NUM_ECC_WORDS) != 1) { - carry -= uECC_vli_sub(result, result, curve_secp256r1.p, NUM_ECC_WORDS); - } - } -} - -uECC_word_t EccPoint_isZero(const uECC_word_t *point, uECC_Curve curve) -{ - return uECC_vli_isZero(point, curve->num_words * 2); -} - -void apply_z(uECC_word_t *X1, uECC_word_t *Y1, const uECC_word_t *const Z, - uECC_Curve curve) -{ - uECC_word_t t1[NUM_ECC_WORDS]; - - uECC_vli_modSquare_fast(t1, Z, curve); /* z^2 */ - uECC_vli_modMult_fast(X1, X1, t1, curve); /* x1 * z^2 */ - uECC_vli_modMult_fast(t1, t1, Z, curve); /* z^3 */ - uECC_vli_modMult_fast(Y1, Y1, t1, curve); /* y1 * z^3 */ -} - -/* P = (x1, y1) => 2P, (x2, y2) => P' */ -static void XYcZ_initial_double(uECC_word_t *X1, uECC_word_t *Y1, - uECC_word_t *X2, uECC_word_t *Y2, - const uECC_word_t *const initial_Z, - uECC_Curve curve) -{ - uECC_word_t z[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - if (initial_Z) { - uECC_vli_set(z, initial_Z, num_words); - } else { - uECC_vli_clear(z, num_words); - z[0] = 1; - } - - uECC_vli_set(X2, X1, num_words); - uECC_vli_set(Y2, Y1, num_words); - - apply_z(X1, Y1, z, curve); - curve->double_jacobian(X1, Y1, z, curve); - apply_z(X2, Y2, z, curve); -} - -void XYcZ_add(uECC_word_t *X1, uECC_word_t *Y1, - uECC_word_t *X2, uECC_word_t *Y2, - uECC_Curve curve) -{ - /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ - uECC_word_t t5[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - - uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */ - uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */ - uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */ - uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */ - uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */ - uECC_vli_modSquare_fast(t5, Y2, curve); /* t5 = (y2 - y1)^2 = D */ - - uECC_vli_modSub(t5, t5, X1, curve->p, num_words); /* t5 = D - B */ - uECC_vli_modSub(t5, t5, X2, curve->p, num_words); /* t5 = D - B - C = x3 */ - uECC_vli_modSub(X2, X2, X1, curve->p, num_words); /* t3 = C - B */ - uECC_vli_modMult_fast(Y1, Y1, X2, curve); /* t2 = y1*(C - B) */ - uECC_vli_modSub(X2, X1, t5, curve->p, num_words); /* t3 = B - x3 */ - uECC_vli_modMult_fast(Y2, Y2, X2, curve); /* t4 = (y2 - y1)*(B - x3) */ - uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y3 */ - - uECC_vli_set(X2, t5, num_words); -} - -/* Input P = (x1, y1, Z), Q = (x2, y2, Z) - Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3) - or P => P - Q, Q => P + Q - */ -static void XYcZ_addC(uECC_word_t *X1, uECC_word_t *Y1, - uECC_word_t *X2, uECC_word_t *Y2, - uECC_Curve curve) -{ - /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ - uECC_word_t t5[NUM_ECC_WORDS]; - uECC_word_t t6[NUM_ECC_WORDS]; - uECC_word_t t7[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - - uECC_vli_modSub(t5, X2, X1, curve->p, num_words); /* t5 = x2 - x1 */ - uECC_vli_modSquare_fast(t5, t5, curve); /* t5 = (x2 - x1)^2 = A */ - uECC_vli_modMult_fast(X1, X1, t5, curve); /* t1 = x1*A = B */ - uECC_vli_modMult_fast(X2, X2, t5, curve); /* t3 = x2*A = C */ - uECC_vli_modAdd(t5, Y2, Y1, curve->p, num_words); /* t5 = y2 + y1 */ - uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); /* t4 = y2 - y1 */ - - uECC_vli_modSub(t6, X2, X1, curve->p, num_words); /* t6 = C - B */ - uECC_vli_modMult_fast(Y1, Y1, t6, curve); /* t2 = y1 * (C - B) = E */ - uECC_vli_modAdd(t6, X1, X2, curve->p, num_words); /* t6 = B + C */ - uECC_vli_modSquare_fast(X2, Y2, curve); /* t3 = (y2 - y1)^2 = D */ - uECC_vli_modSub(X2, X2, t6, curve->p, num_words); /* t3 = D - (B + C) = x3 */ - - uECC_vli_modSub(t7, X1, X2, curve->p, num_words); /* t7 = B - x3 */ - uECC_vli_modMult_fast(Y2, Y2, t7, curve); /* t4 = (y2 - y1)*(B - x3) */ - /* t4 = (y2 - y1)*(B - x3) - E = y3: */ - uECC_vli_modSub(Y2, Y2, Y1, curve->p, num_words); - - uECC_vli_modSquare_fast(t7, t5, curve); /* t7 = (y2 + y1)^2 = F */ - uECC_vli_modSub(t7, t7, t6, curve->p, num_words); /* t7 = F - (B + C) = x3' */ - uECC_vli_modSub(t6, t7, X1, curve->p, num_words); /* t6 = x3' - B */ - uECC_vli_modMult_fast(t6, t6, t5, curve); /* t6 = (y2+y1)*(x3' - B) */ - /* t2 = (y2+y1)*(x3' - B) - E = y3': */ - uECC_vli_modSub(Y1, t6, Y1, curve->p, num_words); - - uECC_vli_set(X1, t7, num_words); -} - -void EccPoint_mult(uECC_word_t *result, const uECC_word_t *point, - const uECC_word_t *scalar, - const uECC_word_t *initial_Z, - bitcount_t num_bits, uECC_Curve curve) -{ - /* R0 and R1 */ - uECC_word_t Rx[2][NUM_ECC_WORDS]; - uECC_word_t Ry[2][NUM_ECC_WORDS]; - uECC_word_t z[NUM_ECC_WORDS]; - bitcount_t i; - uECC_word_t nb; - wordcount_t num_words = curve->num_words; - - uECC_vli_set(Rx[1], point, num_words); - uECC_vli_set(Ry[1], point + num_words, num_words); - - XYcZ_initial_double(Rx[1], Ry[1], Rx[0], Ry[0], initial_Z, curve); - - for (i = num_bits - 2; i > 0; --i) { - nb = !uECC_vli_testBit(scalar, i); - XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve); - XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve); - } - - nb = !uECC_vli_testBit(scalar, 0); - XYcZ_addC(Rx[1 - nb], Ry[1 - nb], Rx[nb], Ry[nb], curve); - - /* Find final 1/Z value. */ - uECC_vli_modSub(z, Rx[1], Rx[0], curve->p, num_words); /* X1 - X0 */ - uECC_vli_modMult_fast(z, z, Ry[1 - nb], curve); /* Yb * (X1 - X0) */ - uECC_vli_modMult_fast(z, z, point, curve); /* xP * Yb * (X1 - X0) */ - uECC_vli_modInv(z, z, curve->p, num_words); /* 1 / (xP * Yb * (X1 - X0))*/ - /* yP / (xP * Yb * (X1 - X0)) */ - uECC_vli_modMult_fast(z, z, point + num_words, curve); - /* Xb * yP / (xP * Yb * (X1 - X0)) */ - uECC_vli_modMult_fast(z, z, Rx[1 - nb], curve); - /* End 1/Z calculation */ - - XYcZ_add(Rx[nb], Ry[nb], Rx[1 - nb], Ry[1 - nb], curve); - apply_z(Rx[0], Ry[0], z, curve); - - uECC_vli_set(result, Rx[0], num_words); - uECC_vli_set(result + num_words, Ry[0], num_words); -} - -uECC_word_t regularize_k(const uECC_word_t *const k, uECC_word_t *k0, - uECC_word_t *k1, uECC_Curve curve) -{ - - wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); - - bitcount_t num_n_bits = curve->num_n_bits; - - uECC_word_t carry = uECC_vli_add(k0, k, curve->n, num_n_words) || - (num_n_bits < ((bitcount_t)num_n_words * uECC_WORD_SIZE * 8) && - uECC_vli_testBit(k0, num_n_bits)); - - uECC_vli_add(k1, k0, curve->n, num_n_words); - - return carry; -} - -uECC_word_t EccPoint_compute_public_key(uECC_word_t *result, - uECC_word_t *private_key, - uECC_Curve curve) -{ - - uECC_word_t tmp1[NUM_ECC_WORDS]; - uECC_word_t tmp2[NUM_ECC_WORDS]; - uECC_word_t *p2[2] = {tmp1, tmp2}; - uECC_word_t carry; - - /* Regularize the bitcount for the private key so that attackers cannot - * use a side channel attack to learn the number of leading zeros. */ - carry = regularize_k(private_key, tmp1, tmp2, curve); - - EccPoint_mult(result, curve->G, p2[!carry], 0, curve->num_n_bits + 1, curve); - - if (EccPoint_isZero(result, curve)) { - return 0; - } - return 1; -} - -/* Converts an integer in uECC native format to big-endian bytes. */ -void uECC_vli_nativeToBytes(uint8_t *bytes, int num_bytes, - const unsigned int *native) -{ - wordcount_t i; - for (i = 0; i < num_bytes; ++i) { - unsigned b = num_bytes - 1 - i; - bytes[i] = native[b / uECC_WORD_SIZE] >> (8 * (b % uECC_WORD_SIZE)); - } -} - -/* Converts big-endian bytes to an integer in uECC native format. */ -void uECC_vli_bytesToNative(unsigned int *native, const uint8_t *bytes, - int num_bytes) -{ - wordcount_t i; - uECC_vli_clear(native, (num_bytes + (uECC_WORD_SIZE - 1)) / uECC_WORD_SIZE); - for (i = 0; i < num_bytes; ++i) { - unsigned b = num_bytes - 1 - i; - native[b / uECC_WORD_SIZE] |= - (uECC_word_t)bytes[i] << (8 * (b % uECC_WORD_SIZE)); - } -} - -int uECC_generate_random_int(uECC_word_t *random, const uECC_word_t *top, - wordcount_t num_words) -{ - uECC_word_t mask = (uECC_word_t) - 1; - uECC_word_t tries; - bitcount_t num_bits = uECC_vli_numBits(top, num_words); - - if (!g_rng_function) { - return 0; - } - - for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { - if (!g_rng_function((uint8_t *)random, num_words * uECC_WORD_SIZE)) { - return 0; - } - random[num_words - 1] &= - mask >> ((bitcount_t)(num_words * uECC_WORD_SIZE * 8 - num_bits)); - if (!uECC_vli_isZero(random, num_words) && - uECC_vli_cmp(top, random, num_words) == 1) { - return 1; - } - } - return 0; -} - - -int uECC_valid_point(const uECC_word_t *point, uECC_Curve curve) -{ - uECC_word_t tmp1[NUM_ECC_WORDS]; - uECC_word_t tmp2[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - - /* The point at infinity is invalid. */ - if (EccPoint_isZero(point, curve)) { - return -1; - } - - /* x and y must be smaller than p. */ - if (uECC_vli_cmp_unsafe(curve->p, point, num_words) != 1 || - uECC_vli_cmp_unsafe(curve->p, point + num_words, num_words) != 1) { - return -2; - } - - uECC_vli_modSquare_fast(tmp1, point + num_words, curve); - curve->x_side(tmp2, point, curve); /* tmp2 = x^3 + ax + b */ - - /* Make sure that y^2 == x^3 + ax + b */ - if (uECC_vli_equal(tmp1, tmp2, num_words) != 0) { - return -3; - } - - return 0; -} - -int uECC_valid_public_key(const uint8_t *public_key, uECC_Curve curve) -{ - - uECC_word_t _public[NUM_ECC_WORDS * 2]; - - uECC_vli_bytesToNative(_public, public_key, curve->num_bytes); - uECC_vli_bytesToNative( - _public + curve->num_words, - public_key + curve->num_bytes, - curve->num_bytes); - - if (uECC_vli_cmp_unsafe(_public, curve->G, NUM_ECC_WORDS * 2) == 0) { - return -4; - } - - return uECC_valid_point(_public, curve); -} - -int uECC_compute_public_key(const uint8_t *private_key, uint8_t *public_key, - uECC_Curve curve) -{ - - uECC_word_t _private[NUM_ECC_WORDS]; - uECC_word_t _public[NUM_ECC_WORDS * 2]; - - uECC_vli_bytesToNative( - _private, - private_key, - BITS_TO_BYTES(curve->num_n_bits)); - - /* Make sure the private key is in the range [1, n-1]. */ - if (uECC_vli_isZero(_private, BITS_TO_WORDS(curve->num_n_bits))) { - return 0; - } - - if (uECC_vli_cmp(curve->n, _private, BITS_TO_WORDS(curve->num_n_bits)) != 1) { - return 0; - } - - /* Compute public key. */ - if (!EccPoint_compute_public_key(_public, _private, curve)) { - return 0; - } - - uECC_vli_nativeToBytes(public_key, curve->num_bytes, _public); - uECC_vli_nativeToBytes( - public_key + - curve->num_bytes, curve->num_bytes, _public + curve->num_words); - return 1; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dh.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dh.c deleted file mode 100644 index f8cd70c4c1..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dh.c +++ /dev/null @@ -1,198 +0,0 @@ -/* ec_dh.c - TinyCrypt implementation of EC-DH */ - -/* - * Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ -#include -#include -#include -#include -#include - -#if default_RNG_defined -static uECC_RNG_Function g_rng_function = &default_CSPRNG; -#else -static uECC_RNG_Function g_rng_function = 0; -#endif - -int uECC_make_key_with_d(uint8_t *public_key, uint8_t *private_key, - unsigned int *d, uECC_Curve curve) -{ - - uECC_word_t _private[NUM_ECC_WORDS]; - uECC_word_t _public[NUM_ECC_WORDS * 2]; - - /* This function is designed for test purposes-only (such as validating NIST - * test vectors) as it uses a provided value for d instead of generating - * it uniformly at random. */ - memcpy (_private, d, NUM_ECC_BYTES); - - /* Computing public-key from private: */ - if (EccPoint_compute_public_key(_public, _private, curve)) { - - /* Converting buffers to correct bit order: */ - uECC_vli_nativeToBytes(private_key, - BITS_TO_BYTES(curve->num_n_bits), - _private); - uECC_vli_nativeToBytes(public_key, - curve->num_bytes, - _public); - uECC_vli_nativeToBytes(public_key + curve->num_bytes, - curve->num_bytes, - _public + curve->num_words); - - /* erasing temporary buffer used to store secret: */ - _set_secure(_private, 0, NUM_ECC_BYTES); - - return 1; - } - return 0; -} - -int uECC_make_key(uint8_t *public_key, uint8_t *private_key, uECC_Curve curve) -{ - - uECC_word_t _random[NUM_ECC_WORDS * 2]; - uECC_word_t _private[NUM_ECC_WORDS]; - uECC_word_t _public[NUM_ECC_WORDS * 2]; - uECC_word_t tries; - - for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { - /* Generating _private uniformly at random: */ - uECC_RNG_Function rng_function = uECC_get_rng(); - if (!rng_function || - !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS * uECC_WORD_SIZE)) { - return 0; - } - - /* computing modular reduction of _random (see FIPS 186.4 B.4.1): */ - uECC_vli_mmod(_private, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits)); - - /* Computing public-key from private: */ - if (EccPoint_compute_public_key(_public, _private, curve)) { - - /* Converting buffers to correct bit order: */ - uECC_vli_nativeToBytes(private_key, - BITS_TO_BYTES(curve->num_n_bits), - _private); - uECC_vli_nativeToBytes(public_key, - curve->num_bytes, - _public); - uECC_vli_nativeToBytes(public_key + curve->num_bytes, - curve->num_bytes, - _public + curve->num_words); - - /* erasing temporary buffer that stored secret: */ - _set_secure(_private, 0, NUM_ECC_BYTES); - - return 1; - } - } - return 0; -} - -int uECC_shared_secret(const uint8_t *public_key, const uint8_t *private_key, - uint8_t *secret, uECC_Curve curve) -{ - - uECC_word_t _public[NUM_ECC_WORDS * 2]; - uECC_word_t _private[NUM_ECC_WORDS]; - - uECC_word_t tmp[NUM_ECC_WORDS]; - uECC_word_t *p2[2] = {_private, tmp}; - uECC_word_t *initial_Z = 0; - uECC_word_t carry; - wordcount_t num_words = curve->num_words; - wordcount_t num_bytes = curve->num_bytes; - int r; - - /* Converting buffers to correct bit order: */ - uECC_vli_bytesToNative(_private, - private_key, - BITS_TO_BYTES(curve->num_n_bits)); - uECC_vli_bytesToNative(_public, - public_key, - num_bytes); - uECC_vli_bytesToNative(_public + num_words, - public_key + num_bytes, - num_bytes); - - /* Regularize the bitcount for the private key so that attackers cannot use a - * side channel attack to learn the number of leading zeros. */ - carry = regularize_k(_private, _private, tmp, curve); - - /* If an RNG function was specified, try to get a random initial Z value to - * improve protection against side-channel attacks. */ - if (g_rng_function) { - if (!uECC_generate_random_int(p2[carry], curve->p, num_words)) { - r = 0; - goto clear_and_out; - } - initial_Z = p2[carry]; - } - - EccPoint_mult(_public, _public, p2[!carry], initial_Z, curve->num_n_bits + 1, - curve); - - uECC_vli_nativeToBytes(secret, num_bytes, _public); - r = !EccPoint_isZero(_public, curve); - -clear_and_out: - /* erasing temporary buffer used to store secret: */ - _set_secure(p2, 0, sizeof(p2)); - _set_secure(tmp, 0, sizeof(tmp)); - _set_secure(_private, 0, sizeof(_private)); - - return r; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dsa.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dsa.c deleted file mode 100644 index 3b4d179096..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dsa.c +++ /dev/null @@ -1,293 +0,0 @@ -/* ec_dsa.c - TinyCrypt implementation of EC-DSA */ - -/* Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE.*/ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -#if default_RNG_defined -static uECC_RNG_Function g_rng_function = &default_CSPRNG; -#else -static uECC_RNG_Function g_rng_function = 0; -#endif - -static void bits2int(uECC_word_t *native, const uint8_t *bits, - unsigned bits_size, uECC_Curve curve) -{ - unsigned num_n_bytes = BITS_TO_BYTES(curve->num_n_bits); - unsigned num_n_words = BITS_TO_WORDS(curve->num_n_bits); - int shift; - uECC_word_t carry; - uECC_word_t *ptr; - - if (bits_size > num_n_bytes) { - bits_size = num_n_bytes; - } - - uECC_vli_clear(native, num_n_words); - uECC_vli_bytesToNative(native, bits, bits_size); - if (bits_size * 8 <= (unsigned)curve->num_n_bits) { - return; - } - shift = bits_size * 8 - curve->num_n_bits; - carry = 0; - ptr = native + num_n_words; - while (ptr-- > native) { - uECC_word_t temp = *ptr; - *ptr = (temp >> shift) | carry; - carry = temp << (uECC_WORD_BITS - shift); - } - - /* Reduce mod curve_n */ - if (uECC_vli_cmp_unsafe(curve->n, native, num_n_words) != 1) { - uECC_vli_sub(native, native, curve->n, num_n_words); - } -} - -int uECC_sign_with_k(const uint8_t *private_key, const uint8_t *message_hash, - unsigned hash_size, uECC_word_t *k, uint8_t *signature, - uECC_Curve curve) -{ - - uECC_word_t tmp[NUM_ECC_WORDS]; - uECC_word_t s[NUM_ECC_WORDS]; - uECC_word_t *k2[2] = {tmp, s}; - uECC_word_t p[NUM_ECC_WORDS * 2]; - uECC_word_t carry; - wordcount_t num_words = curve->num_words; - wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); - bitcount_t num_n_bits = curve->num_n_bits; - - /* Make sure 0 < k < curve_n */ - if (uECC_vli_isZero(k, num_words) || - uECC_vli_cmp(curve->n, k, num_n_words) != 1) { - return 0; - } - - carry = regularize_k(k, tmp, s, curve); - EccPoint_mult(p, curve->G, k2[!carry], 0, num_n_bits + 1, curve); - if (uECC_vli_isZero(p, num_words)) { - return 0; - } - - /* If an RNG function was specified, get a random number - to prevent side channel analysis of k. */ - if (!g_rng_function) { - uECC_vli_clear(tmp, num_n_words); - tmp[0] = 1; - } else if (!uECC_generate_random_int(tmp, curve->n, num_n_words)) { - return 0; - } - - /* Prevent side channel analysis of uECC_vli_modInv() to determine - bits of k / the private key by premultiplying by a random number */ - uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k' = rand * k */ - uECC_vli_modInv(k, k, curve->n, num_n_words); /* k = 1 / k' */ - uECC_vli_modMult(k, k, tmp, curve->n, num_n_words); /* k = 1 / k */ - - uECC_vli_nativeToBytes(signature, curve->num_bytes, p); /* store r */ - - /* tmp = d: */ - uECC_vli_bytesToNative(tmp, private_key, BITS_TO_BYTES(curve->num_n_bits)); - - s[num_n_words - 1] = 0; - uECC_vli_set(s, p, num_words); - uECC_vli_modMult(s, tmp, s, curve->n, num_n_words); /* s = r*d */ - - bits2int(tmp, message_hash, hash_size, curve); - uECC_vli_modAdd(s, tmp, s, curve->n, num_n_words); /* s = e + r*d */ - uECC_vli_modMult(s, s, k, curve->n, num_n_words); /* s = (e + r*d) / k */ - if (uECC_vli_numBits(s, num_n_words) > (bitcount_t)curve->num_bytes * 8) { - return 0; - } - - uECC_vli_nativeToBytes(signature + curve->num_bytes, curve->num_bytes, s); - return 1; -} - -int uECC_sign(const uint8_t *private_key, const uint8_t *message_hash, - unsigned hash_size, uint8_t *signature, uECC_Curve curve) -{ - uECC_word_t _random[2 * NUM_ECC_WORDS]; - uECC_word_t k[NUM_ECC_WORDS]; - uECC_word_t tries; - - for (tries = 0; tries < uECC_RNG_MAX_TRIES; ++tries) { - /* Generating _random uniformly at random: */ - uECC_RNG_Function rng_function = uECC_get_rng(); - if (!rng_function || - !rng_function((uint8_t *)_random, 2 * NUM_ECC_WORDS * uECC_WORD_SIZE)) { - return 0; - } - - // computing k as modular reduction of _random (see FIPS 186.4 B.5.1): - uECC_vli_mmod(k, _random, curve->n, BITS_TO_WORDS(curve->num_n_bits)); - - if (uECC_sign_with_k(private_key, message_hash, hash_size, k, signature, - curve)) { - return 1; - } - } - return 0; -} - -static bitcount_t smax(bitcount_t a, bitcount_t b) -{ - return (a > b ? a : b); -} - -int uECC_verify(const uint8_t *public_key, const uint8_t *message_hash, - unsigned hash_size, const uint8_t *signature, - uECC_Curve curve) -{ - - uECC_word_t u1[NUM_ECC_WORDS], u2[NUM_ECC_WORDS]; - uECC_word_t z[NUM_ECC_WORDS]; - uECC_word_t sum[NUM_ECC_WORDS * 2]; - uECC_word_t rx[NUM_ECC_WORDS]; - uECC_word_t ry[NUM_ECC_WORDS]; - uECC_word_t tx[NUM_ECC_WORDS]; - uECC_word_t ty[NUM_ECC_WORDS]; - uECC_word_t tz[NUM_ECC_WORDS]; - const uECC_word_t *points[4]; - const uECC_word_t *point; - bitcount_t num_bits; - bitcount_t i; - - uECC_word_t _public[NUM_ECC_WORDS * 2]; - uECC_word_t r[NUM_ECC_WORDS], s[NUM_ECC_WORDS]; - wordcount_t num_words = curve->num_words; - wordcount_t num_n_words = BITS_TO_WORDS(curve->num_n_bits); - - rx[num_n_words - 1] = 0; - r[num_n_words - 1] = 0; - s[num_n_words - 1] = 0; - - uECC_vli_bytesToNative(_public, public_key, curve->num_bytes); - uECC_vli_bytesToNative(_public + num_words, public_key + curve->num_bytes, - curve->num_bytes); - uECC_vli_bytesToNative(r, signature, curve->num_bytes); - uECC_vli_bytesToNative(s, signature + curve->num_bytes, curve->num_bytes); - - /* r, s must not be 0. */ - if (uECC_vli_isZero(r, num_words) || uECC_vli_isZero(s, num_words)) { - return 0; - } - - /* r, s must be < n. */ - if (uECC_vli_cmp_unsafe(curve->n, r, num_n_words) != 1 || - uECC_vli_cmp_unsafe(curve->n, s, num_n_words) != 1) { - return 0; - } - - /* Calculate u1 and u2. */ - uECC_vli_modInv(z, s, curve->n, num_n_words); /* z = 1/s */ - u1[num_n_words - 1] = 0; - bits2int(u1, message_hash, hash_size, curve); - uECC_vli_modMult(u1, u1, z, curve->n, num_n_words); /* u1 = e/s */ - uECC_vli_modMult(u2, r, z, curve->n, num_n_words); /* u2 = r/s */ - - /* Calculate sum = G + Q. */ - uECC_vli_set(sum, _public, num_words); - uECC_vli_set(sum + num_words, _public + num_words, num_words); - uECC_vli_set(tx, curve->G, num_words); - uECC_vli_set(ty, curve->G + num_words, num_words); - uECC_vli_modSub(z, sum, tx, curve->p, num_words); /* z = x2 - x1 */ - XYcZ_add(tx, ty, sum, sum + num_words, curve); - uECC_vli_modInv(z, z, curve->p, num_words); /* z = 1/z */ - apply_z(sum, sum + num_words, z, curve); - - /* Use Shamir's trick to calculate u1*G + u2*Q */ - points[0] = 0; - points[1] = curve->G; - points[2] = _public; - points[3] = sum; - num_bits = smax(uECC_vli_numBits(u1, num_n_words), - uECC_vli_numBits(u2, num_n_words)); - - point = points[(!!uECC_vli_testBit(u1, num_bits - 1)) | - ((!!uECC_vli_testBit(u2, num_bits - 1)) << 1)]; - uECC_vli_set(rx, point, num_words); - uECC_vli_set(ry, point + num_words, num_words); - uECC_vli_clear(z, num_words); - z[0] = 1; - - for (i = num_bits - 2; i >= 0; --i) { - uECC_word_t index; - curve->double_jacobian(rx, ry, z, curve); - - index = (!!uECC_vli_testBit(u1, i)) | ((!!uECC_vli_testBit(u2, i)) << 1); - point = points[index]; - if (point) { - uECC_vli_set(tx, point, num_words); - uECC_vli_set(ty, point + num_words, num_words); - apply_z(tx, ty, z, curve); - uECC_vli_modSub(tz, rx, tx, curve->p, num_words); /* Z = x2 - x1 */ - XYcZ_add(tx, ty, rx, ry, curve); - uECC_vli_modMult_fast(z, z, tz, curve); - } - } - - uECC_vli_modInv(z, z, curve->p, num_words); /* Z = 1/Z */ - apply_z(rx, ry, z, curve); - - /* v = x1 (mod n) */ - if (uECC_vli_cmp_unsafe(curve->n, rx, num_n_words) != 1) { - uECC_vli_sub(rx, rx, curve->n, num_n_words); - } - - /* Accept only if v == r. */ - return (int)(uECC_vli_equal(rx, r, num_words) == 0); -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_platform_specific.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_platform_specific.c deleted file mode 100644 index a15fe56d31..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_platform_specific.c +++ /dev/null @@ -1,106 +0,0 @@ -/* uECC_platform_specific.c - Implementation of platform specific functions*/ - -/* Copyright (c) 2014, Kenneth MacKay - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE.*/ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - * - * uECC_platform_specific.c -- Implementation of platform specific functions - */ - - -#if defined(unix) || defined(__linux__) || defined(__unix__) || \ - defined(__unix) | (defined(__APPLE__) && defined(__MACH__)) || \ - defined(uECC_POSIX) - -/* Some POSIX-like system with /dev/urandom or /dev/random. */ -#include -#include -#include - -#include - -#ifndef O_CLOEXEC -#define O_CLOEXEC 0 -#endif - -int default_CSPRNG(uint8_t *dest, unsigned int size) -{ - - /* input sanity check: */ - if (dest == (uint8_t *) 0 || (size <= 0)) { - return 0; - } - - int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC); - if (fd == -1) { - fd = open("/dev/random", O_RDONLY | O_CLOEXEC); - if (fd == -1) { - return 0; - } - } - - char *ptr = (char *)dest; - size_t left = (size_t) size; - while (left > 0) { - ssize_t bytes_read = read(fd, ptr, left); - if (bytes_read <= 0) { // read failed - close(fd); - return 0; - } - left -= bytes_read; - ptr += bytes_read; - } - - close(fd); - return 1; -} - -#endif /* platform */ diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac.c deleted file mode 100644 index 83da669f72..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac.c +++ /dev/null @@ -1,147 +0,0 @@ -/* hmac.c - TinyCrypt implementation of the HMAC algorithm */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -static void rekey(uint8_t *key, const uint8_t *new_key, unsigned int key_size) -{ - const uint8_t inner_pad = (uint8_t) 0x36; - const uint8_t outer_pad = (uint8_t) 0x5c; - unsigned int i; - - for (i = 0; i < key_size; ++i) { - key[i] = inner_pad ^ new_key[i]; - key[i + TC_SHA256_BLOCK_SIZE] = outer_pad ^ new_key[i]; - } - for (; i < TC_SHA256_BLOCK_SIZE; ++i) { - key[i] = inner_pad; key[i + TC_SHA256_BLOCK_SIZE] = outer_pad; - } -} - -int tc_hmac_set_key(TCHmacState_t ctx, const uint8_t *key, - unsigned int key_size) -{ - /* Input sanity check */ - if (ctx == (TCHmacState_t) 0 || - key == (const uint8_t *) 0 || - key_size == 0) { - return TC_CRYPTO_FAIL; - } - - const uint8_t dummy_key[TC_SHA256_BLOCK_SIZE]; - struct tc_hmac_state_struct dummy_state; - - if (key_size <= TC_SHA256_BLOCK_SIZE) { - /* - * The next three calls are dummy calls just to avoid - * certain timing attacks. Without these dummy calls, - * adversaries would be able to learn whether the key_size is - * greater than TC_SHA256_BLOCK_SIZE by measuring the time - * consumed in this process. - */ - (void)tc_sha256_init(&dummy_state.hash_state); - (void)tc_sha256_update(&dummy_state.hash_state, - dummy_key, - key_size); - (void)tc_sha256_final(&dummy_state.key[TC_SHA256_DIGEST_SIZE], - &dummy_state.hash_state); - - /* Actual code for when key_size <= TC_SHA256_BLOCK_SIZE: */ - rekey(ctx->key, key, key_size); - } else { - (void)tc_sha256_init(&ctx->hash_state); - (void)tc_sha256_update(&ctx->hash_state, key, key_size); - (void)tc_sha256_final(&ctx->key[TC_SHA256_DIGEST_SIZE], - &ctx->hash_state); - rekey(ctx->key, - &ctx->key[TC_SHA256_DIGEST_SIZE], - TC_SHA256_DIGEST_SIZE); - } - - return TC_CRYPTO_SUCCESS; -} - -int tc_hmac_init(TCHmacState_t ctx) -{ - - /* input sanity check: */ - if (ctx == (TCHmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - (void) tc_sha256_init(&ctx->hash_state); - (void) tc_sha256_update(&ctx->hash_state, ctx->key, TC_SHA256_BLOCK_SIZE); - - return TC_CRYPTO_SUCCESS; -} - -int tc_hmac_update(TCHmacState_t ctx, - const void *data, - unsigned int data_length) -{ - - /* input sanity check: */ - if (ctx == (TCHmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - (void)tc_sha256_update(&ctx->hash_state, data, data_length); - - return TC_CRYPTO_SUCCESS; -} - -int tc_hmac_final(uint8_t *tag, unsigned int taglen, TCHmacState_t ctx) -{ - - /* input sanity check: */ - if (tag == (uint8_t *) 0 || - taglen != TC_SHA256_DIGEST_SIZE || - ctx == (TCHmacState_t) 0) { - return TC_CRYPTO_FAIL; - } - - (void) tc_sha256_final(tag, &ctx->hash_state); - - (void)tc_sha256_init(&ctx->hash_state); - (void)tc_sha256_update(&ctx->hash_state, - &ctx->key[TC_SHA256_BLOCK_SIZE], - TC_SHA256_BLOCK_SIZE); - (void)tc_sha256_update(&ctx->hash_state, tag, TC_SHA256_DIGEST_SIZE); - (void)tc_sha256_final(tag, &ctx->hash_state); - - /* destroy the current state */ - _set(ctx, 0, sizeof(*ctx)); - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac_prng.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac_prng.c deleted file mode 100644 index 6b2a6bfe20..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/hmac_prng.c +++ /dev/null @@ -1,234 +0,0 @@ -/* hmac_prng.c - TinyCrypt implementation of HMAC-PRNG */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include -#include - -/* - * min bytes in the seed string. - * MIN_SLEN*8 must be at least the expected security level. - */ -static const unsigned int MIN_SLEN = 32; - -/* - * max bytes in the seed string; - * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). - */ -static const unsigned int MAX_SLEN = UINT32_MAX; - -/* - * max bytes in the personalization string; - * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). - */ -static const unsigned int MAX_PLEN = UINT32_MAX; - -/* - * max bytes in the additional_info string; - * SP800-90A specifies a maximum of 2^35 bits (i.e., 2^32 bytes). - */ -static const unsigned int MAX_ALEN = UINT32_MAX; - -/* - * max number of generates between re-seeds; - * TinyCrypt accepts up to (2^32 - 1) which is the maximal value of - * a 32-bit unsigned int variable, while SP800-90A specifies a maximum of 2^48. - */ -static const unsigned int MAX_GENS = UINT32_MAX; - -/* - * maximum bytes per generate call; - * SP800-90A specifies a maximum up to 2^19. - */ -static const unsigned int MAX_OUT = (1 << 19); - -/* - * Assumes: prng != NULL - */ -static void update(TCHmacPrng_t prng, const uint8_t *data, unsigned int datalen, const uint8_t *additional_data, unsigned int additional_datalen) -{ - const uint8_t separator0 = 0x00; - const uint8_t separator1 = 0x01; - - /* configure the new prng key into the prng's instance of hmac */ - tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key)); - - /* use current state, e and separator 0 to compute a new prng key: */ - (void)tc_hmac_init(&prng->h); - (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v)); - (void)tc_hmac_update(&prng->h, &separator0, sizeof(separator0)); - - if (data && datalen) { - (void)tc_hmac_update(&prng->h, data, datalen); - } - if (additional_data && additional_datalen) { - (void)tc_hmac_update(&prng->h, additional_data, additional_datalen); - } - - (void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h); - - /* configure the new prng key into the prng's instance of hmac */ - (void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key)); - - /* use the new key to compute a new state variable v */ - (void)tc_hmac_init(&prng->h); - (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v)); - (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h); - - if (data == 0 || datalen == 0) { - return; - } - - /* configure the new prng key into the prng's instance of hmac */ - tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key)); - - /* use current state, e and separator 1 to compute a new prng key: */ - (void)tc_hmac_init(&prng->h); - (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v)); - (void)tc_hmac_update(&prng->h, &separator1, sizeof(separator1)); - (void)tc_hmac_update(&prng->h, data, datalen); - if (additional_data && additional_datalen) { - (void)tc_hmac_update(&prng->h, additional_data, additional_datalen); - } - (void)tc_hmac_final(prng->key, sizeof(prng->key), &prng->h); - - /* configure the new prng key into the prng's instance of hmac */ - (void)tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key)); - - /* use the new key to compute a new state variable v */ - (void)tc_hmac_init(&prng->h); - (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v)); - (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h); -} - -int tc_hmac_prng_init(TCHmacPrng_t prng, - const uint8_t *personalization, - unsigned int plen) -{ - - /* input sanity check: */ - if (prng == (TCHmacPrng_t) 0 || - personalization == (uint8_t *) 0 || - plen > MAX_PLEN) { - return TC_CRYPTO_FAIL; - } - - /* put the generator into a known state: */ - _set(prng->key, 0x00, sizeof(prng->key)); - _set(prng->v, 0x01, sizeof(prng->v)); - - update(prng, personalization, plen, 0, 0); - - /* force a reseed before allowing tc_hmac_prng_generate to succeed: */ - prng->countdown = 0; - - return TC_CRYPTO_SUCCESS; -} - -int tc_hmac_prng_reseed(TCHmacPrng_t prng, - const uint8_t *seed, - unsigned int seedlen, - const uint8_t *additional_input, - unsigned int additionallen) -{ - - /* input sanity check: */ - if (prng == (TCHmacPrng_t) 0 || - seed == (const uint8_t *) 0 || - seedlen < MIN_SLEN || - seedlen > MAX_SLEN) { - return TC_CRYPTO_FAIL; - } - - if (additional_input != (const uint8_t *) 0) { - /* - * Abort if additional_input is provided but has inappropriate - * length - */ - if (additionallen == 0 || - additionallen > MAX_ALEN) { - return TC_CRYPTO_FAIL; - } else { - /* call update for the seed and additional_input */ - update(prng, seed, seedlen, additional_input, additionallen); - } - } else { - /* call update only for the seed */ - update(prng, seed, seedlen, 0, 0); - } - - /* ... and enable hmac_prng_generate */ - prng->countdown = MAX_GENS; - - return TC_CRYPTO_SUCCESS; -} - -int tc_hmac_prng_generate(uint8_t *out, unsigned int outlen, TCHmacPrng_t prng) -{ - unsigned int bufferlen; - - /* input sanity check: */ - if (out == (uint8_t *) 0 || - prng == (TCHmacPrng_t) 0 || - outlen == 0 || - outlen > MAX_OUT) { - return TC_CRYPTO_FAIL; - } else if (prng->countdown == 0) { - return TC_HMAC_PRNG_RESEED_REQ; - } - - prng->countdown--; - - while (outlen != 0) { - /* configure the new prng key into the prng's instance of hmac */ - tc_hmac_set_key(&prng->h, prng->key, sizeof(prng->key)); - - /* operate HMAC in OFB mode to create "random" outputs */ - (void)tc_hmac_init(&prng->h); - (void)tc_hmac_update(&prng->h, prng->v, sizeof(prng->v)); - (void)tc_hmac_final(prng->v, sizeof(prng->v), &prng->h); - - bufferlen = (TC_SHA256_DIGEST_SIZE > outlen) ? - outlen : TC_SHA256_DIGEST_SIZE; - (void)_copy(out, bufferlen, prng->v, bufferlen); - - out += bufferlen; - outlen = (outlen > TC_SHA256_DIGEST_SIZE) ? - (outlen - TC_SHA256_DIGEST_SIZE) : 0; - } - - /* block future PRNG compromises from revealing past state */ - update(prng, 0, 0, 0, 0); - - return TC_CRYPTO_SUCCESS; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/sha256.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/sha256.c deleted file mode 100644 index 6b5b3fcb53..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/sha256.c +++ /dev/null @@ -1,217 +0,0 @@ -/* sha256.c - TinyCrypt SHA-256 crypto hash algorithm implementation */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include -#include - -static void compress(unsigned int *iv, const uint8_t *data); - -int tc_sha256_init(TCSha256State_t s) -{ - /* input sanity check: */ - if (s == (TCSha256State_t) 0) { - return TC_CRYPTO_FAIL; - } - - /* - * Setting the initial state values. - * These values correspond to the first 32 bits of the fractional parts - * of the square roots of the first 8 primes: 2, 3, 5, 7, 11, 13, 17 - * and 19. - */ - _set((uint8_t *) s, 0x00, sizeof(*s)); - s->iv[0] = 0x6a09e667; - s->iv[1] = 0xbb67ae85; - s->iv[2] = 0x3c6ef372; - s->iv[3] = 0xa54ff53a; - s->iv[4] = 0x510e527f; - s->iv[5] = 0x9b05688c; - s->iv[6] = 0x1f83d9ab; - s->iv[7] = 0x5be0cd19; - - return TC_CRYPTO_SUCCESS; -} - -int tc_sha256_update(TCSha256State_t s, const uint8_t *data, size_t datalen) -{ - /* input sanity check: */ - if (s == (TCSha256State_t) 0 || - data == (void *) 0) { - return TC_CRYPTO_FAIL; - } else if (datalen == 0) { - return TC_CRYPTO_SUCCESS; - } - - while (datalen-- > 0) { - s->leftover[s->leftover_offset++] = *(data++); - if (s->leftover_offset >= TC_SHA256_BLOCK_SIZE) { - compress(s->iv, s->leftover); - s->leftover_offset = 0; - s->bits_hashed += (TC_SHA256_BLOCK_SIZE << 3); - } - } - - return TC_CRYPTO_SUCCESS; -} - -int tc_sha256_final(uint8_t *digest, TCSha256State_t s) -{ - unsigned int i; - - /* input sanity check: */ - if (digest == (uint8_t *) 0 || - s == (TCSha256State_t) 0) { - return TC_CRYPTO_FAIL; - } - - s->bits_hashed += (s->leftover_offset << 3); - - s->leftover[s->leftover_offset++] = 0x80; /* always room for one byte */ - if (s->leftover_offset > (sizeof(s->leftover) - 8)) { - /* there is not room for all the padding in this block */ - _set(s->leftover + s->leftover_offset, 0x00, - sizeof(s->leftover) - s->leftover_offset); - compress(s->iv, s->leftover); - s->leftover_offset = 0; - } - - /* add the padding and the length in big-Endian format */ - _set(s->leftover + s->leftover_offset, 0x00, - sizeof(s->leftover) - 8 - s->leftover_offset); - s->leftover[sizeof(s->leftover) - 1] = (uint8_t)(s->bits_hashed); - s->leftover[sizeof(s->leftover) - 2] = (uint8_t)(s->bits_hashed >> 8); - s->leftover[sizeof(s->leftover) - 3] = (uint8_t)(s->bits_hashed >> 16); - s->leftover[sizeof(s->leftover) - 4] = (uint8_t)(s->bits_hashed >> 24); - s->leftover[sizeof(s->leftover) - 5] = (uint8_t)(s->bits_hashed >> 32); - s->leftover[sizeof(s->leftover) - 6] = (uint8_t)(s->bits_hashed >> 40); - s->leftover[sizeof(s->leftover) - 7] = (uint8_t)(s->bits_hashed >> 48); - s->leftover[sizeof(s->leftover) - 8] = (uint8_t)(s->bits_hashed >> 56); - - /* hash the padding and length */ - compress(s->iv, s->leftover); - - /* copy the iv out to digest */ - for (i = 0; i < TC_SHA256_STATE_BLOCKS; ++i) { - unsigned int t = *((unsigned int *) &s->iv[i]); - *digest++ = (uint8_t)(t >> 24); - *digest++ = (uint8_t)(t >> 16); - *digest++ = (uint8_t)(t >> 8); - *digest++ = (uint8_t)(t); - } - - /* destroy the current state */ - _set(s, 0, sizeof(*s)); - - return TC_CRYPTO_SUCCESS; -} - -/* - * Initializing SHA-256 Hash constant words K. - * These values correspond to the first 32 bits of the fractional parts of the - * cube roots of the first 64 primes between 2 and 311. - */ -static const unsigned int k256[64] = { - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, - 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, - 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786, - 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, - 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, - 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b, - 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, - 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, - 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, - 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 -}; - -static inline unsigned int ROTR(unsigned int a, unsigned int n) -{ - return (((a) >> n) | ((a) << (32 - n))); -} - -#define Sigma0(a)(ROTR((a), 2) ^ ROTR((a), 13) ^ ROTR((a), 22)) -#define Sigma1(a)(ROTR((a), 6) ^ ROTR((a), 11) ^ ROTR((a), 25)) -#define sigma0(a)(ROTR((a), 7) ^ ROTR((a), 18) ^ ((a) >> 3)) -#define sigma1(a)(ROTR((a), 17) ^ ROTR((a), 19) ^ ((a) >> 10)) - -#define Ch(a, b, c)(((a) & (b)) ^ ((~(a)) & (c))) -#define Maj(a, b, c)(((a) & (b)) ^ ((a) & (c)) ^ ((b) & (c))) - -static inline unsigned int BigEndian(const uint8_t **c) -{ - unsigned int n = 0; - - n = (((unsigned int)(*((*c)++))) << 24); - n |= ((unsigned int)(*((*c)++)) << 16); - n |= ((unsigned int)(*((*c)++)) << 8); - n |= ((unsigned int)(*((*c)++))); - return n; -} - -static void compress(unsigned int *iv, const uint8_t *data) -{ - unsigned int a, b, c, d, e, f, g, h; - unsigned int s0, s1; - unsigned int t1, t2; - unsigned int work_space[16]; - unsigned int n; - unsigned int i; - - a = iv[0]; b = iv[1]; c = iv[2]; d = iv[3]; - e = iv[4]; f = iv[5]; g = iv[6]; h = iv[7]; - - for (i = 0; i < 16; ++i) { - n = BigEndian(&data); - t1 = work_space[i] = n; - t1 += h + Sigma1(e) + Ch(e, f, g) + k256[i]; - t2 = Sigma0(a) + Maj(a, b, c); - h = g; g = f; f = e; e = d + t1; - d = c; c = b; b = a; a = t1 + t2; - } - - for ( ; i < 64; ++i) { - s0 = work_space[(i + 1) & 0x0f]; - s0 = sigma0(s0); - s1 = work_space[(i + 14) & 0x0f]; - s1 = sigma1(s1); - - t1 = work_space[i & 0xf] += s0 + s1 + work_space[(i + 9) & 0xf]; - t1 += h + Sigma1(e) + Ch(e, f, g) + k256[i]; - t2 = Sigma0(a) + Maj(a, b, c); - h = g; g = f; f = e; e = d + t1; - d = c; c = b; b = a; a = t1 + t2; - } - - iv[0] += a; iv[1] += b; iv[2] += c; iv[3] += d; - iv[4] += e; iv[5] += f; iv[6] += g; iv[7] += h; -} diff --git a/components/bt/esp_ble_mesh/common/tinycrypt/src/utils.c b/components/bt/esp_ble_mesh/common/tinycrypt/src/utils.c deleted file mode 100644 index 117ad7f579..0000000000 --- a/components/bt/esp_ble_mesh/common/tinycrypt/src/utils.c +++ /dev/null @@ -1,74 +0,0 @@ -/* utils.c - TinyCrypt platform-dependent run-time operations */ - -/* - * Copyright (C) 2017 by Intel Corporation, All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * - Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * - Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * - Neither the name of Intel Corporation nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include -#include - -#include - -#define MASK_TWENTY_SEVEN 0x1b - -unsigned int _copy(uint8_t *to, unsigned int to_len, - const uint8_t *from, unsigned int from_len) -{ - if (from_len <= to_len) { - (void)memcpy(to, from, from_len); - return from_len; - } else { - return TC_CRYPTO_FAIL; - } -} - -void _set(void *to, uint8_t val, unsigned int len) -{ - (void)memset(to, val, len); -} - -/* - * Doubles the value of a byte for values up to 127. - */ -uint8_t _double_byte(uint8_t a) -{ - return ((a << 1) ^ ((a >> 7) * MASK_TWENTY_SEVEN)); -} - -int _compare(const uint8_t *a, const uint8_t *b, size_t size) -{ - const uint8_t *tempa = a; - const uint8_t *tempb = b; - uint8_t result = 0; - - for (unsigned int i = 0; i < size; i++) { - result |= tempa[i] ^ tempb[i]; - } - return result; -} diff --git a/tools/ci/check_copyright_ignore.txt b/tools/ci/check_copyright_ignore.txt index a77699a92b..ff37eacffa 100644 --- a/tools/ci/check_copyright_ignore.txt +++ b/tools/ci/check_copyright_ignore.txt @@ -24,36 +24,6 @@ components/bt/common/osi/list.c components/bt/common/osi/mutex.c components/bt/common/osi/semaphore.c components/bt/common/osi/thread.c -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/aes.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cbc_mode.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ccm_mode.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/cmac_mode.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/constants.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_mode.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ctr_prng.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dh.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_dsa.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/ecc_platform_specific.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/hmac_prng.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/sha256.h -components/bt/esp_ble_mesh/common/tinycrypt/include/tinycrypt/utils.h -components/bt/esp_ble_mesh/common/tinycrypt/src/aes_decrypt.c -components/bt/esp_ble_mesh/common/tinycrypt/src/aes_encrypt.c -components/bt/esp_ble_mesh/common/tinycrypt/src/cbc_mode.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ccm_mode.c -components/bt/esp_ble_mesh/common/tinycrypt/src/cmac_mode.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_mode.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ctr_prng.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ecc.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dh.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_dsa.c -components/bt/esp_ble_mesh/common/tinycrypt/src/ecc_platform_specific.c -components/bt/esp_ble_mesh/common/tinycrypt/src/hmac.c -components/bt/esp_ble_mesh/common/tinycrypt/src/hmac_prng.c -components/bt/esp_ble_mesh/common/tinycrypt/src/sha256.c -components/bt/esp_ble_mesh/common/tinycrypt/src/utils.c components/bt/host/bluedroid/bta/ar/bta_ar.c components/bt/host/bluedroid/bta/ar/include/bta_ar_int.h components/bt/host/bluedroid/bta/av/bta_av_aact.c