初始版本

xiaozhengsheng
2025-08-19 09:49:41 +08:00
parent 10f1ddf1c1
commit 6df0f7d96e
2974 changed files with 1712873 additions and 54 deletions


@@ -0,0 +1,86 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_mbed_tls_ecjpake Oberon Mbed ECJPAKE APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations for an alternate implementation of EC-JPAKE for mbed TLS.
*/
#ifndef ECJPAKE_ALT_H
#define ECJPAKE_ALT_H
#if defined(MBEDTLS_CONFIG_FILE)
#include MBEDTLS_CONFIG_FILE
#else
#include "mbedtls/config.h"
#endif
#include "mbedtls/ecp.h"
#include "mbedtls/md.h"
#ifdef __cplusplus
extern "C" {
#endif
#define OBERON_ECJPAKE_P256_SECRET_KEY_SIZE (32) //!< ECJPAKE P-256 secret key size in bytes.
#define OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE (64) //!< ECJPAKE P-256 public key size in bytes.
/* @brief Oberon replacement ECJPAKE context */
typedef struct mbedtls_ecjpake_context {
mbedtls_ecjpake_role role; //!< Role, either client or server.
int point_format; //!< Point format
unsigned char secret[OBERON_ECJPAKE_P256_SECRET_KEY_SIZE]; //!< Secret.
unsigned char s_key2[OBERON_ECJPAKE_P256_SECRET_KEY_SIZE]; //!< Secret key 2.
unsigned char p_key1[OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE]; //!< Public key 1.
unsigned char p_key2[OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE]; //!< Public key 2.
unsigned char r_key1[OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE]; //!< Remote key 1.
unsigned char r_key2[OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE]; //!< Remote key 2.
unsigned char r_key3[OBERON_ECJPAKE_P256_PUBLIC_KEY_SIZE]; //!< Remote key 3.
} mbedtls_ecjpake_context;
#ifdef __cplusplus
}
#endif
#endif /* #ifndef ECJPAKE_ALT_H */
/** @} */


@@ -0,0 +1,77 @@
/**
* Copyright (c) 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_mbed_tls_sha1 Oberon Mbed TLS SHA-1 type declarations
* @ingroup nrf_oberon
* @{
* @brief Type declarations for an alternate implementation of SHA-1 for mbed TLS.
*/
#ifndef SHA1_ALT_H
#define SHA1_ALT_H
#include <stdint.h>
#if defined(MBEDTLS_CONFIG_FILE)
#include MBEDTLS_CONFIG_FILE
#else
#include "mbedtls/config.h"
#endif
#ifdef __cplusplus
extern "C" {
#endif
#define OBERON_SHA1_CONTEXT_SIZE_WORDS (24) //!< SHA-1 context size in words.
/* @brief Oberon replacement SHA-1 context */
typedef struct mbedtls_sha1_context {
uint32_t data[OBERON_SHA1_CONTEXT_SIZE_WORDS]; //!< Opaque SHA-1 context.
} mbedtls_sha1_context;
#ifdef __cplusplus
}
#endif
#endif /* #ifndef SHA1_ALT_H */
/** @} */


@@ -0,0 +1,77 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_mbed_tls_sha256 Oberon Mbed TLS SHA-256 type declarations
* @ingroup nrf_oberon
* @{
* @brief Type declarations for an alternate implementation of SHA-256 for Mbed TLS.
*/
#ifndef SHA256_ALT_H
#define SHA256_ALT_H
#include <stdint.h>
#if defined(MBEDTLS_CONFIG_FILE)
#include MBEDTLS_CONFIG_FILE
#else
#include "mbedtls/config.h"
#endif
#ifdef __cplusplus
extern "C" {
#endif
#define OCRYPTO_SHA256_CONTEXT_SIZE_WORDS (27) //!< SHA-256 context size in words.
/* @brief Oberon replacement SHA-256 context */
typedef struct mbedtls_sha256_context {
uint32_t data[OCRYPTO_SHA256_CONTEXT_SIZE_WORDS]; //!< Opaque SHA-256 context.
} mbedtls_sha256_context;
#ifdef __cplusplus
}
#endif
#endif /* #ifndef SHA256_ALT_H */
/** @} */


@@ -0,0 +1,100 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_cbc AES CBC APIs
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIS for AES CBC (AES Cipher Block Chaining)
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-CBC (AES Cipher Block Chaining) is an AES block cipher mode which avoids the problems of the
* ECB mode by xoring each plaintext block with the previous ciphertext block before being encrypted.
*/
#ifndef OCRYPTO_AES_CBC_H
#define OCRYPTO_AES_CBC_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* AES-CBC encryption.
*
* @param[out] ct Cyphertext.
* @param pt Plaintext.
* @param pt_len Plaintext length.
* @param key AES key.
* @param size Key size (16, 24, or 32).
* @param iv Initial vector.
*
* @remark @p ct may be same as @p pt.
*/
void ocrypto_aes_cbc_encrypt (
uint8_t* ct, const uint8_t* pt, size_t pt_len, const uint8_t *key, size_t size, const uint8_t iv[16]);
/**
* AES-CBC decryption.
*
* @param[out] pt Plaintext.
* @param ct Cyphertext.
* @param ct_len Cyphertext length.
* @param key AES key.
* @param size Key size (16, 24, or 32).
* @param iv Initial vector.
*
* @remark @p ct may be same as @p pt.
*/
void ocrypto_aes_cbc_decrypt (
uint8_t* pt, const uint8_t* ct, size_t ct_len, const uint8_t *key, size_t size, const uint8_t iv[16]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_CBC_H */
/** @} */


@@ -0,0 +1,123 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_ccm AES CCM APIs
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIS for AES CCM (AES counter mode with CBC-MAC)
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-CCM (AES counter mode with CBC-MAC) is an AES mode which effectively turns the block
* cipher into a stream cipher. The AES block cipher primitive is used in CTR mode for
* encryption and decryption. In addition an AES CBC-MAC is used for authentication.
*/
#ifndef OCRYPTO_AES_CCM_H
#define OCRYPTO_AES_CCM_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* AES-CCM encryption.
*
* @param[out] ct Cyphertext.
* @param[out] tag Authentication tag.
* @param tag_len Tag length (4, 6, 8, 10, 12, 14, or 16).
* @param pt Plaintext.
* @param pt_len Plaintext length, 0 <= @p pt_len < 2^(8*(15-n_len)).
* @param key AES key.
* @param size Key size (16, 24, or 32).
* @param nonce Nonce.
* @param n_len Nonce length, 7 <= @p n_len <= 13.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @remark @p ct may be same as @p pt.
*/
void ocrypto_aes_ccm_encrypt (
uint8_t *ct,
uint8_t *tag, size_t tag_len,
const uint8_t *pt, size_t pt_len,
const uint8_t *key, size_t size,
const uint8_t *nonce, size_t n_len,
const uint8_t *aa, size_t aa_len);
/**
* AES-CCM decryption.
*
* @param[out] pt Plaintext.
* @param tag Authentication tag.
* @param tag_len Tag length (4, 6, 8, 10, 12, 14, or 16).
* @param ct Cyphertext.
* @param ct_len Cyphertext length, 0 <= @p ct_len < 2^(8*(15-n_len)).
* @param key AES key.
* @param size Key size (16, 24, or 32).
* @param nonce Nonce.
* @param n_len Nonce length, 7 <= @p n_len <= 13.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*
* @remark @p ct may be same as @p pt.
*/
int ocrypto_aes_ccm_decrypt (
uint8_t *pt,
const uint8_t *tag, size_t tag_len,
const uint8_t *ct, size_t ct_len,
const uint8_t *key, size_t size,
const uint8_t *nonce, size_t n_len,
const uint8_t *aa, size_t aa_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_CCM_H */
/** @} */


@@ -0,0 +1,106 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_cmac AES CMAC APIs
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIS for AES CMAC (AES Cipher-based Message Authentication Code)
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-CMAC (AES Cipher-based Message Authentication Code) is a block cipher-based message
* authentication code algorithm. The AES block cipher primitive is used in variant of the
* CBC mode to get the authentication tag.
*/
#ifndef OCRYPTO_AES_CMAC_H
#define OCRYPTO_AES_CMAC_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of the pseudo random function.
*/
#define ocrypto_aes_cmac_prf128_BYTES (16)
/**
* AES-CMAC authentication algorithm.
*
* @param[out] tag Resulting tag.
* @param tag_len Tag length, 0 < @p tag_len <= 16.
* @param msg Message to authenticate.
* @param msg_len Message length.
* @param key AES key.
* @param size Key size (16, 24, or 32).
*/
void ocrypto_aes_cmac_authenticate (
uint8_t *tag, size_t tag_len,
const uint8_t *msg, size_t msg_len,
const uint8_t *key, size_t size);
/**
* AES-CMAC-PRF-128 pseudo random function algorithm.
*
* @param[out] prf 16 byte PRF output.
* @param msg Message input.
* @param msg_len Message length.
* @param key Key.
* @param key_len Key length.
*/
void ocrypto_aes_cmac_prf128 (
uint8_t prf[ocrypto_aes_cmac_prf128_BYTES],
const uint8_t *msg, size_t msg_len,
const uint8_t *key, size_t key_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_CMAC_H */
/** @} */


@@ -0,0 +1,145 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes AES - Advanced Encryption Standard APIs
* @ingroup nrf_oberon
* @{
* @brief AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
* @}
*
* @defgroup nrf_oberon_aes_ctr AES-CTR - AES Counter Mode
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIs for AES-CTR (AES Counter mode).
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-CTR (AES counter mode) is an AES mode which effectively turns the block cipher into a stream
* cipher. The AES block encryption is used on a value which is incremented for each new block.
* The resulting cypher stream is then xor combined with the plaintext to get the ciphertext.
* In contrast to AES itself, encryption and decryption operations are identical for AES-CTR.
*/
#ifndef OCRYPTO_AES_CTR_H
#define OCRYPTO_AES_CTR_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**@cond */
typedef struct {
uint32_t xkey[60];
uint8_t counter[16];
uint8_t cypher[16];
uint8_t size; // Key size (16, 24, or 32 bytes).
uint32_t valid; // Valid bytes in cypher.
} ocrypto_aes_ctr_ctx;
/**@endcond */
/**@name Incremental AES-CTR encryption/decryption.
*
* This group of functions can be used to incrementally compute the
* AES-CTR encryption/decryption for a given message.
*/
/**@{*/
/**
* AES-CTR initialization.
*
* The context @p ctx is initialized using the given key @p key and initial vector @p iv.
*
* @param[out] ctx Context.
* @param key AES key.
* @param size Key size (16, 24, or 32 bytes).
* @param iv Initial vector.
*/
void ocrypto_aes_ctr_init(ocrypto_aes_ctr_ctx *ctx, const uint8_t *key, size_t size, const uint8_t iv[16]);
/**
* AES-CTR incremental encryption.
*
* The plaintext @p pt is encrypted to the ciphertext @p ct using the context @p ctx.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Context.
* @param[out] ct Ciphertext.
* @param pt Plaintext.
* @param pt_len Length of @p pt and @p ct.
*
* @remark @p ct and @p pt can point to the same address.
* @remark Initialization of the context @p ctx through
* @c ocrypto_aes_ctr_init is required before this function can be called.
*/
void ocrypto_aes_ctr_encrypt(ocrypto_aes_ctr_ctx *ctx, uint8_t* ct, const uint8_t* pt, size_t pt_len);
/**
* AES-CTR incremental decryption.
*
* The ciphertext @p ct is decrypted to the plaintext @p pt using the context @p ctx.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Context.
* @param[out] pt Plaintext.
* @param ct Ciphertext.
* @param ct_len Length of @p ct and @p pt.
*
* @remark @p ct and @p pt can point to the same address.
* @remark Initialization of the context @p ctx through
* @c ocrypto_aes_ctr_init is required before this function can be called.
*/
void ocrypto_aes_ctr_decrypt(ocrypto_aes_ctr_ctx *ctx, uint8_t* pt, const uint8_t* ct, size_t ct_len);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_CTR_H */
/** @} */


@@ -0,0 +1,114 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_eax AES EAX APIs
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIS for AES EAX (Encrypt-then-authenticate-then-translate)
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-EAX (encrypt-then-authenticate-then-translate) is an AES mode which effectively turns the
* block cipher into a stream cipher. The AES block cipher primitive is used in CTR mode for
* encryption and as OMAC for authentication over each block.
*/
#ifndef OCRYPTO_AES_EAX_H
#define OCRYPTO_AES_EAX_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* AES-EAX encryption.
*
* @param[out] ct Cyphertext.
* @param[out] tag Authentication tag.
* @param pt Plaintext.
* @param pt_len Plaintext length.
* @param key AES key.
* @param size Key size (16, 24, or 32 bytes).
* @param iv Initial vector.
* @param iv_len Initial vector length.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @remark @p ct and @p pt can point to the same address.
*/
void ocrypto_aes_eax_encrypt (
uint8_t* ct, uint8_t tag[16], const uint8_t* pt, size_t pt_len, const uint8_t *key, size_t size,
const uint8_t* iv, size_t iv_len, const uint8_t *aa, size_t aa_len);
/**
* AES-EAX decryption.
*
* @param[out] pt Plaintext.
* @param tag Authentication tag.
* @param ct Cyphertext.
* @param ct_len Cyphertext length.
* @param key AES key.
* @param size Key size (16, 24, or 32 bytes).
* @param iv Initial vector.
* @param iv_len Initial vector length.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @remark @p ct and @p pt can point to the same address.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*/
int ocrypto_aes_eax_decrypt (
uint8_t* pt, const uint8_t tag[16], const uint8_t* ct, size_t ct_len, const uint8_t *key, size_t size,
const uint8_t* iv, size_t iv_len, const uint8_t *aa, size_t aa_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_EAX_H */
/** @} */


@@ -0,0 +1,113 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_gcm AES GCM - AES Galois/Counter Mode APIs
* @ingroup nrf_oberon_aes
* @{
* @brief Type definitions and APIs for AES-GCM (AES Galois/Counter Mode).
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*
* AES-GCM (AES Galois/Counter Mode) is an AES mode which effectively turns the block cipher into
* a stream cipher. The AES block cipher primitive is used in CTR mode for encryption and decryption.
* In addition, 128-bit Galois Field multiplication is used for authentication.
*/
#ifndef OCRYPTO_AES_GCM_H
#define OCRYPTO_AES_GCM_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* AES-GCM encryption.
*
* @param[out] ct Cyphertext.
* @param[out] tag Authentication tag.
* @param pt Plaintext.
* @param pt_len Plaintext length.
* @param key AES key.
* @param size Key size (16, 24, or 32 bytes).
* @param iv Initial vector.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @remark @p ct and @p pt can point to the same address.
*/
void ocrypto_aes_gcm_encrypt (
uint8_t* ct, uint8_t tag[16], const uint8_t* pt, size_t pt_len,
const uint8_t *key, size_t size, const uint8_t iv[12], const uint8_t *aa, size_t aa_len);
/**
* AES-GCM decryption.
*
* @param[out] pt Plaintext.
* @param tag Authentication tag.
* @param ct Cyphertext.
* @param ct_len Cyphertext length.
* @param key AES key.
* @param size Key size (16, 24, or 32 bytes).
* @param iv Initial vector.
* @param aa Additional authentication data.
* @param aa_len Additional authentication data length.
*
* @remark @p ct and @p pt can point to the same address.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*/
int ocrypto_aes_gcm_decrypt (
uint8_t* pt, const uint8_t tag[16], const uint8_t* ct, size_t ct_len,
const uint8_t *key, size_t size, const uint8_t iv[12], const uint8_t *aa, size_t aa_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_GCM_H */
/** @} */


@@ -0,0 +1,70 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_aes_key AES key sizes
* @ingroup nrf_oberon_aes
* @{
* @brief Type definition of AES key sizes.
*
* AES (advanced encryption standard) is a symmetric encryption algorithm standardized by NIST.
* AES transfers a 128-bit block of data into an encrypted block of the same size.
*/
#ifndef OCRYPTO_AES_KEY_H
#define OCRYPTO_AES_KEY_H
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
#define ocrypto_aes128_KEY_BYTES ((size_t) 16) //!< AES-128 key size in bytes
#define ocrypto_aes192_KEY_BYTES ((size_t) 24) //!< AES-192 key size in bytes
#define ocrypto_aes256_KEY_BYTES ((size_t) 32) //!< AES-256 key size in bytes
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_AES_KEY_H */
/** @} */
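Review bot: The three key-size macros cast to `size_t`, but this header includes only `<stdint.h>`, which is not required to declare `size_t`. A translation unit that includes this file first and expands `ocrypto_aes128_KEY_BYTES` may fail to compile, depending on the toolchain's headers. Add `#include <stddef.h>` next to the existing include, as the AES-GCM and ChaCha20 headers in this commit already do.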


@@ -0,0 +1,145 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_chacha ChaCha20 APIs
* @ingroup nrf_oberon_chacha_poly
* @{
* @brief Type declaration and APIs for the Chacha20 stream cipher algorithm.
*
* ChaCha20 is a stream cipher developed by Daniel J. Bernstein based on the 20-round cipher
* Salsa20/20.
*
* A 256-bit key is expanded into 2^64 randomly accessible streams, each
* containing 2^64 randomly accessible 64-byte (512-bit) blocks.
*
* The changes from Salsa20/20 to ChaCha20 are designed to improve diffusion per
* round, conjecturally increasing resistance to cryptanalysis, while
* preserving - and often improving - time per round.
*
* @see [RFC 7539 - ChaCha20 and Poly1305 for IETF Protocols](http://tools.ietf.org/html/rfc7539)
* @see [The ChaCha family of stream ciphers](http://cr.yp.to/chacha.html)
*/
#ifndef OCRYPTO_CHACHA20_H
#define OCRYPTO_CHACHA20_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of the encryption key.
*/
#define ocrypto_chacha20_KEY_BYTES (32)
/**
* Maximum length of the nonce.
*/
#define ocrypto_chacha20_NONCE_BYTES_MAX (12)
/**
* ChaCha20 cipher stream generator.
*
* The encryption key @p k, the nonce @p n, and the initial block counter
* @p count are used to generate a pseudo random cipher stream.
*
* Possible applications include key generation and random number generation.
*
* @param[out] c Generated cipher stream.
* @param c_len Length of @p c.
* @param n Nonce.
* @param n_len Nonce length. 0 <= @p n_len <= @c ocrypto_chacha20_NONCE_BYTES_MAX.
* @param k Encryption key.
* @param count Initial block counter.
*
* @remark When reusing an encryption key @p k, a different nonce @p n or
* initial block counter @p count must be used.
*
* @remark This function is equivalent to @c chacha20_stream_xor with a
* message @p m consisting of @p c_len zeroes.
*/
void ocrypto_chacha20_stream(
uint8_t *c, size_t c_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_KEY_BYTES],
uint32_t count);
/**
* ChaCha20 cipher stream encoder.
*
* The message @p m is encrypted by applying the XOR operation with a pseudo
* random cipher stream derived from the encryption key @p k, the nonce @p n, and
* the initial block counter @p count.
*
* Calling the function a second time with the generated ciphertext as input
* message @p m decrypts it back to the original message.
*
* @param[out] c Generated ciphertext. Same length as input message.
* @param m Input message.
* @param m_len Length of @p c and @p m.
* @param n Nonce.
* @param n_len Nonce length. 0 <= @p n_len <= @c ocrypto_chacha20_NONCE_BYTES_MAX.
* @param k Encryption key.
* @param count Initial block counter.
*
* @remark @p c and @p m can point to the same address.
*
* @remark When reusing an encryption key @p k for a different message @p m, a
* different nonce @p n or initial block counter @p count must be used.
*/
void ocrypto_chacha20_stream_xor(
uint8_t *c,
const uint8_t *m, size_t m_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_KEY_BYTES],
uint32_t count);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CHACHA20_H */
/** @} */
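Review bot: The comment on `ocrypto_chacha20_stream_xor` never says that its output has no integrity protection, so a reader could take it for a complete encryption primitive. Since the ciphertext is a plain XOR with the key stream, I would add `@remark This function provides confidentiality only; use ocrypto_chacha20_poly1305_encrypt when the ciphertext must be authenticated.` Separately, the last remark on `ocrypto_chacha20_stream` refers to `chacha20_stream_xor`, which is not declared anywhere in this header; the declared name is `ocrypto_chacha20_stream_xor`.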


@@ -0,0 +1,224 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_chacha_poly ChaCha20-Poly1305
* @ingroup nrf_oberon
* @{
* @brief ChaCha20-Poly1305 is an authenticated encryption algorithm with optional
* additional authenticated data developed by Daniel J.Bernstein.
* @}
*
* @defgroup nrf_oberon_chacha_poly_apis ChaCha20-Poly1305 APIs
* @ingroup nrf_oberon_chacha_poly
* @{
* @brief Type declaration and APIs for authenticated encryption and additional data using
* the ChaCha20-Poly1305 algorithm.
*
* ChaCha20-Poly1305 is an authenticated encryption algorithm with optional
* additional authenticated data developed by Daniel J.Bernstein.
*
* The ChaCha20 stream cipher is combined with the Poly1305 authenticator.
*
* @see [RFC 7539 - ChaCha20 and Poly1305 for IETF Protocols](http://tools.ietf.org/html/rfc7539)
*/
#ifndef OCRYPTO_CHACHA20_POLY1305_H
#define OCRYPTO_CHACHA20_POLY1305_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of the encryption key.
*/
#define ocrypto_chacha20_poly1305_KEY_BYTES (32)
/**
* Maximum length of the nonce.
*/
#define ocrypto_chacha20_poly1305_NONCE_BYTES_MAX (12)
/**
* Length of the authentication tag.
*/
#define ocrypto_chacha20_poly1305_TAG_BYTES (16)
/**@{*/
/**
* AEAD ChaCha20-Poly1305 encrypt.
*
* The message @p m is encrypted using a ChaCha20 cipher stream derived from the
* encryption key @p k and the nonce @p n. The resulting ciphertext has the same
* length @p m_len as the input message @p m and is put into @p c.
*
* Additionally, the ciphertext @p c is authenticated with a tag that is
* generated with Poly1305 using a unique subkey derived from @p k and @p n, and
* then put into @p tag.
*
* @param[out] tag Generated authentication tag.
* @param[out] c Generated ciphertext. Same length as input message.
* @param m Input message.
* @param m_len Length of @p m and @p c.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @remark @p c and @p m can point to the same address.
*
* @remark When reusing an encryption key @p k for a different message @p m, a
* different nonce @p n must be used.
*/
void ocrypto_chacha20_poly1305_encrypt(
uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES],
uint8_t *c,
const uint8_t *m, size_t m_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**
* AEAD ChaCha20-Poly1305 encrypt with AAD.
*
* The message @p m is encrypted using a ChaCha20 cipher stream derived from the
* encryption key @p k and the nonce @p n. The resulting ciphertext has the same
* length @p m_len as the input message @p m and is put into @p c.
*
* Additionally, the ciphertext @p c, as well as the additional authenticated
* data @p a, is authenticated with a tag that is generated with Poly1305 using a
* unique subkey derived from @p k and @p n, and then put into @p tag.
*
* @param[out] tag Generated authentication tag.
* @param[out] c Generated ciphertext. Same length as input message.
* @param m Input message.
* @param m_len Length of @p m and @p c.
* @param a Additional authenticated data.
* @param a_len Length of @p a.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @remark @p c and @p m can point to the same address.
*
* @remark When reusing an encryption key @p k for a different message @p m or
* different additional authenticated data @p a, a different nonce @p n
* must be used.
*/
void ocrypto_chacha20_poly1305_encrypt_aad(
uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES],
uint8_t *c,
const uint8_t *m, size_t m_len,
const uint8_t *a, size_t a_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**@}*/
/**@{*/
/**
* AEAD ChaCha20-Poly1305 decrypt.
*
* If the authentication tag @p tag is valid for the ciphertext @p c, the
* encryption key @p k and the nonce @p n, the ciphertext is decrypted and put
* into @p m. The decrypted message @p m has the same length @p c_len as the
* original ciphertext.
*
* @param tag Received authentication tag.
* @param[out] m Decoded message. Same length as received ciphertext.
* @param c Received ciphertext.
* @param c_len Length of @p c and @p m.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_chacha20_poly1305_decrypt(
const uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES],
uint8_t *m,
const uint8_t *c, size_t c_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**
* AEAD ChaCha20-Poly1305 decrypt with AAD.
*
* If the authentication tag @p tag is valid for the ciphertext @p c, the
* additional authenticated data @p a, the encryption key @p k and the nonce
* @p n, the ciphertext is decrypted and put into @p m. The decrypted message
* @p m has the same length @p c_len as the original ciphertext.
*
* @param tag Received authentication tag.
* @param[out] m Decoded message. Same length as received ciphertext.
* @param c Received ciphertext.
* @param c_len Length of @p c and @p m.
* @param a Received additional authenticated data.
* @param a_len Length of @p a.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_chacha20_poly1305_decrypt_aad(
const uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES],
uint8_t *m,
const uint8_t *c, size_t c_len,
const uint8_t *a, size_t a_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CHACHA20_POLY1305_H */
/** @} */
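Review bot: The comments on `ocrypto_chacha20_poly1305_decrypt` and `ocrypto_chacha20_poly1305_decrypt_aad` describe only the success path and leave the contents of `m` unspecified when -1 is returned. Because `m` and `c` may alias, a caller cannot tell from the header whether the buffer then holds ciphertext, partial plaintext or something else. I would add `@remark If -1 is returned, the contents of @p m must not be used.` to both functions. Whether the buffer is actually written on failure should be confirmed against the implementation, which is not part of this header.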


@@ -0,0 +1,244 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_chacha_poly_inc ChaCha20-Poly1305 incremental APIs
* @ingroup nrf_oberon_chacha_poly
* @{
* @brief Type declaration and APIs for authenticated encryption and additional data using
* the ChaCha20-Poly1305 algorithm in incremental steps.
*
* ChaCha20-Poly1305 is an authenticated encryption algorithm with optional
* additional authenticated data developed by Daniel J.Bernstein.
*
* The ChaCha20 stream cipher is combined with the Poly1305 authenticator.
*
* @see [RFC 7539 - ChaCha20 and Poly1305 for IETF Protocols](http://tools.ietf.org/html/rfc7539)
*/
#ifndef OCRYPTO_CHACHA20_POLY1305_INC_H
#define OCRYPTO_CHACHA20_POLY1305_INC_H
#include <stdint.h>
#include <stddef.h>
#include "ocrypto_chacha20_poly1305.h"
#include "ocrypto_poly1305.h"
#ifdef __cplusplus
extern "C" {
#endif
/**@cond */
typedef struct {
ocrypto_poly1305_ctx auth_ctx;
uint8_t subkey[32];
uint8_t buffer[16];
uint32_t buffer_len;
uint8_t cypher[64];
uint32_t cypher_idx;
uint32_t count;
size_t msg_len;
size_t aad_len;
} ocrypto_chacha20_poly1305_ctx;
/**@endcond */
/**@name Incremental ChaCha20-Poly1305 generator.
*
* This group of functions can be used to incrementally encode and decode using the ChaCha20-Poly1305 stream cypher.
*
* Use pattern:
*
* Encoding:
* @code
* ocrypto_chacha20_poly1305_init(ctx, nonce, nonce_len, key);
* ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len, nonce, nonce_len, key);
* ...
* ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len, nonce, nonce_len, key);
* ocrypto_chacha20_poly1305_update_enc(ctx, ct, pt, pt_len, nonce, nonce_len, key);
* ...
* ocrypto_chacha20_poly1305_update_enc(ctx, ct, pt, pt_len, nonce, nonce_len, key);
* ocrypto_chacha20_poly1305_final_enc(ctx, tag);
* @endcode
* Decoding:
* @code
* ocrypto_chacha20_poly1305_init(ctx, nonce, nonce_len, key);
* ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len, nonce, nonce_len, key);
* ...
* ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len, nonce, nonce_len, key);
* ocrypto_chacha20_poly1305_update_dec(ctx, pt, ct, ct_len, nonce, nonce_len, key);
* ...
* ocrypto_chacha20_poly1305_update_dec(ctx, pt, ct, ct_len, nonce, nonce_len, key);
* res = ocrypto_chacha20_poly1305_final_dec(ctx, tag);
* @endcode
*/
/**@{*/
/**
* ChaCha20-Poly1305 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*/
void ocrypto_chacha20_poly1305_init(
ocrypto_chacha20_poly1305_ctx *ctx,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**
* SHA-ChaCha20-Poly1305 incremental aad input.
*
* The generator state @p ctx is updated to include a data chunk @p a.
*
* This function can be called repeatedly until the whole data is processed.
*
* @param ctx Generator state.
* @param a Additional authenticated data.
* @param a_len Length of @p a.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_chacha20_poly1305_init is required before this function can be called.
*
* @remark @c ocrypto_chacha20_poly1305_update_aad must be called before any call to
* @c ocrypto_chacha20_poly1305_update_enc or @c ocrypto_chacha20_poly1305_update_dec.
*/
void ocrypto_chacha20_poly1305_update_aad(
ocrypto_chacha20_poly1305_ctx *ctx,
const uint8_t *a, size_t a_len);
/**
* SHA-ChaCha20-Poly1305 incremental encoder input.
*
* The generator state @p ctx is updated to include a message chunk @p m.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Generator state.
* @param[out] c Generated ciphertext. Same length as input message.
* @param m Message chunk.
* @param m_len Length of @p m.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_chacha20_poly1305_init is required before this function can be called.
*
* @remark @c ocrypto_chacha20_poly1305_update_enc must be called after any call to
* @c ocrypto_chacha20_poly1305_update_aad.
*
* @remark @p c and @p m can point to the same address.
*/
void ocrypto_chacha20_poly1305_update_enc(
ocrypto_chacha20_poly1305_ctx *ctx,
uint8_t *c,
const uint8_t *m, size_t m_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**
* SHA-ChaCha20-Poly1305 incremental decoder input.
*
* The generator state @p ctx is updated to include a cyphertext chunk @p c.
*
* This function can be called repeatedly until the whole cyphertext is processed.
*
* @param ctx Generator state.
* @param[out] m Decoded message. Same length as received ciphertext.
* @param c Cyphertext chunk.
* @param c_len Length of @p c.
* @param n Nonce.
* @param n_len Length of @p n. 0 <= @p n_len <= @c ocrypto_chacha20_poly1305_NONCE_BYTES_MAX.
* @param k Encryption key.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_chacha20_poly1305_init is required before this function can be called.
*
* @remark @c ocrypto_chacha20_poly1305_update_dec must be called after any call to
* @c ocrypto_chacha20_poly1305_update_aad.
*
* @remark @p m and @p c can point to the same address.
*/
void ocrypto_chacha20_poly1305_update_dec(
ocrypto_chacha20_poly1305_ctx *ctx,
uint8_t *m,
const uint8_t *c, size_t c_len,
const uint8_t *n, size_t n_len,
const uint8_t k[ocrypto_chacha20_poly1305_KEY_BYTES]);
/**
* SHA-ChaCha20-Poly1305 final encoder step.
*
* The generator state @p ctx is used to finalize the encryption and generate the tag.
*
* @param ctx Generator state.
* @param[out] tag Generated authentication tag.
*/
void ocrypto_chacha20_poly1305_final_enc(
ocrypto_chacha20_poly1305_ctx *ctx,
uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES]);
/**
* SHA-ChaCha20-Poly1305 final decoder step.
*
* The generator state @p ctx is used to finalize the decryption and check the tag.
*
* @param ctx Generator state.
* @param tag Received authentication tag.
*
* @retval 0 If @p tag is valid.
* @retval -1 Otherwise.
*/
int ocrypto_chacha20_poly1305_final_dec(
ocrypto_chacha20_poly1305_ctx *ctx,
const uint8_t tag[ocrypto_chacha20_poly1305_TAG_BYTES]);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CHACHA20_POLY1305_INC_H */
/** @} */
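Review bot: `ocrypto_chacha20_poly1305_update_dec` writes decoded plaintext to `m` before `ocrypto_chacha20_poly1305_final_dec` has checked the tag, and no comment tells the caller that this plaintext is unauthenticated until the final call returns 0. I would add to `update_dec`: `@remark Data written to @p m is unauthenticated and must not be acted on until ocrypto_chacha20_poly1305_final_dec returns 0.` The use-pattern block also calls `ocrypto_chacha20_poly1305_update_aad(ctx, aad, aad_len, nonce, nonce_len, key)` with six arguments, while the prototype takes only `ctx`, `a` and `a_len`, so the example as written does not compile. The summary lines that begin "SHA-ChaCha20-Poly1305" look like a leftover from another header and should read "ChaCha20-Poly1305".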


@@ -0,0 +1,111 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon Oberon cryptographic library
* @{
* @brief Highly optimized cryptographic algorithm implementation for Cortex-M0, Cortex-M4,
* and Cortex-M33. Created by Oberon, under distribution license with Nordic Semiconductor ASA.
* @}
*
* @defgroup nrf_oberon_constant_time Constant time APIs
* @ingroup nrf_oberon
* @{
* @brief Timing-invariant functions to use with cryptography.
*
* Collection of timing-invariant implementations of basic functions.
*/
#ifndef OCRYPTO_CONSTANT_TIME_H
#define OCRYPTO_CONSTANT_TIME_H
#include <stddef.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Variable length comparison.
*
* @param x Memory region to compare with @p y.
* @param y Memory region to compare with @p x.
* @param length Number of bytes to compare, @p length > 0.
*
* @retval 1 If @p x and @p y point to equal memory regions.
* @retval 0 Otherwise.
*/
int ocrypto_constant_time_equal(const void *x, const void *y, size_t length);
/**
* Variable length compare to zero.
*
* @param x Pointer to memory region that will be compared.
* @param length Number of bytes to compare, @p length > 0.
*
* @retval 1 If @p x is equal to a zero memory region.
* @retval 0 Otherwise.
*/
int ocrypto_constant_time_is_zero(const void *x, size_t length);
/**
* Variable length copy.
*
* @param x Pointer to memory region to copy @p y to.
* @param y Pointer to memory region to copy to @p x.
* @param length Number of bytes to copy, @p length > 0.
*/
void ocrypto_constant_time_copy(void *x, const void *y, size_t length);
/**
* Variable length fill with zero.
*
* @param x Pointer to memory region to be filled with zero.
* @param length Number of bytes to fill, @p length > 0.
*/
void ocrypto_constant_time_fill_zero(void *x, size_t length);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CONSTANT_TIME_H */
/** @} */
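Review bot: `ocrypto_constant_time_equal` returns 1 for a match and 0 otherwise, which is the opposite of `memcmp` and of the 0-means-valid convention used by the decrypt functions elsewhere in this commit, and the comment does not point this out. A call site converted from `memcmp(a, b, n) == 0` would silently invert a tag or MAC check. I would add `@remark Unlike memcmp, a non-zero return value means the regions are equal.` All four functions also state `length > 0` without saying what happens for 0, so that should be documented, or call sites that can pass an empty buffer should guard against it.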


@@ -0,0 +1,117 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_curve25519 ECC Curve25519 low-level APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for low-level elliptic curve point operations
* based on Curve25519.
*
* Curve25519 is an elliptic curve offering 128 bits of security. It is designed
* for use in the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme.
*
* @see [RFC 7748 - Elliptic Curves for Security](https://tools.ietf.org/html/rfc7748)
* @see [Curve25519: high-speed elliptic-curve cryptography](http://cr.yp.to/ecdh.html)
*/
#ifndef OCRYPTO_CURVE25519_H
#define OCRYPTO_CURVE25519_H
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of a scalar.
*/
#define ocrypto_curve25519_SCALAR_BYTES (32)
/**
* Length of a curve point.
*/
#define ocrypto_curve25519_BYTES (32)
/**
* Curve25519 scalar multiplication `r = n * basePoint`.
*
* Given a secret key @p n, the corresponding Curve25519 public key is computed
* and put into @p r.
*
* The inverse of this function is difficult to compute.
*
* @param[out] r Resulting curve point.
* @param[in] n Scalar factor.
*
* @remark @p r and @p n can point to the same address.
*/
void ocrypto_curve25519_scalarmult_base(
uint8_t r[ocrypto_curve25519_BYTES],
const uint8_t n[ocrypto_curve25519_SCALAR_BYTES]);
/**
* Curve25519 scalar multiplication `r = n * p`.
*
* A shared secret is computed from the local secret key @p n and another
* party's public key @p p and put into @p r. The same shared secret is
* generated when the other party combines its private key with the local public
* key.
*
* @param[out] r Resulting curve point.
* @param[in] n Scalar factor.
* @param[in] p Point factor.
*
* @remark @p r and @p n can point to the same address.
*/
void ocrypto_curve25519_scalarmult(
uint8_t r[ocrypto_curve25519_BYTES],
const uint8_t n[ocrypto_curve25519_SCALAR_BYTES],
const uint8_t p[ocrypto_curve25519_BYTES]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CURVE25519_H */
/** @} */


@@ -0,0 +1,136 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_p256 ECC secp256r1 low-level APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for low-level elliptic curve point operations
* based on the NIST secp256r1 curve.
*/
#ifndef OCRYPTO_CURVE_P256_H
#define OCRYPTO_CURVE_P256_H
#include "ocrypto_sc_p256.h"
#ifdef __cplusplus
extern "C" {
#endif
// (x,y) only jacobian coordinates
/**@cond */
typedef struct {
ocrypto_mod_p256 x;
ocrypto_mod_p256 y;
} ocrypto_cp_p256;
/**@endcond */
/** Load r.x from bytes, keep r.y.
*
* @param[out] r Point with r.x loaded, r.y kept.
* @param p x as as array of bytes.
*
* @retval 0 If @p r is a valid curve point.
* @retval -1 Otherwise.
*/
int ocrypto_curve_p256_from32bytes(ocrypto_cp_p256 *r, const uint8_t p[32]);
/** Load point from bytes.
*
* @param[out] r Loaded point.
* @param p Point as array of bytes.
*
* @retval 0 If @p r is a valid curve point.
* @retval -1 Otherwise.
*/
int ocrypto_curve_p256_from64bytes(ocrypto_cp_p256 *r, const uint8_t p[64]);
/** Store p.x to bytes.
*
* @param[out] r x stored as array.
* @param p Point with x to be stored.
*/
void ocrypto_curve_p256_to32bytes(uint8_t r[32], ocrypto_cp_p256 *p);
/** Store p.x to bytes.
*
* @param[out] r Point stored as array.
* @param p Point to be stored.
*/
void ocrypto_curve_p256_to64bytes(uint8_t r[64], ocrypto_cp_p256 *p);
/** P256 scalar multiplication.
*
* r = p * s
* r = [0,0] if p = [0,0] or s mod q = 0
*
* @param[out] r Output point.
* @param p Input point.
* @param s Scalar.
*
* @retval -1 If r = [0,0].
* @retval 0 If 0 < s < q.
* @retval 1 If s > q.
*/
int ocrypto_curve_p256_scalarmult(ocrypto_cp_p256 *r, const ocrypto_cp_p256 *p, const ocrypto_sc_p256 *s);
/** P256 scalar base multiplication.
*
* r = basePoint * s
* r = [0,0] if s mod q = 0
*
* @param[out] r Output point.
* @param s Scalar.
*
* @retval -1 If r = [0,0].
* @retval 0 If 0 < s < q.
* @retval 1 If s > q.
*/
int ocrypto_curve_p256_scalarmult_base(ocrypto_cp_p256 *r, const ocrypto_sc_p256 *s);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_CURVE_P256_H */
/** @} */
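Review bot: The comment on ocrypto_curve_p256_to64bytes repeats the summary of the 32-byte variant, "Store p.x to bytes", although its own `@param[out] r` line says "Point stored as array"; the summary should read `Store point to bytes.` The `@retval` lists of ocrypto_curve_p256_scalarmult and ocrypto_curve_p256_scalarmult_base name `0 < s < q` and `s > q` but never `s = q`, which presumably falls under -1 because the text says r = [0,0] if s mod q = 0; stating that case explicitly would remove the gap. ocrypto_curve_p256_from32bytes and ocrypto_curve_p256_from64bytes are where a point received from a peer is checked, so I would add `@remark @p r must not be used when -1 is returned.` to both, and fix "x as as array of bytes" in the first.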


@@ -0,0 +1,98 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_ecdh ECDH APIs
* @ingroup nrf_oberon
* @{
* @brief APIs to do Elliptic Curve Diffie-Hellman using the NIST secp256r1 curve.
*/
#ifndef OCRYPTO_ECDH_P256_H
#define OCRYPTO_ECDH_P256_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdint.h>
/**
* ECDH P-256 public key generation `r = n * p`.
*
* Given a secret key @p s the corresponding public key is computed and put
* into @p r.
*
* @param[out] r Generated public key.
* @param s Secret key. Must be pre-filled with random data.
*
* @retval 0 If @p s is a valid secret key.
* @retval -1 Otherwise.
*
* @remark @p r may be same as @p s.
*/
int ocrypto_ecdh_p256_public_key(uint8_t r[64], const uint8_t s[32]);
/**
* ECDH P-256 common secret.
*
* The common secret is computed from both the client's public key @p p
* and the server's secret key @p s and put into @p r.
*
* @param[out] r Generated common secret.
* @param s Server private key.
* @param p Client public key.
*
* @retval 0 If @p s is a valid secret key and @p p is a valid public key.
* @retval -1 Otherwise.
*
* @remark @p r may be same as @p s or @p p.
*/
int ocrypto_ecdh_p256_common_secret(uint8_t r[32], const uint8_t s[32], const uint8_t p[64]);
#ifdef __cplusplus
}
#endif
#endif
/** @} */
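Review bot: The `@retval -1` of ocrypto_ecdh_p256_common_secret is the only sign that the peer's public key `p` or the secret key `s` was rejected, and the comment does not say what `r` holds in that case; I would add `@remark On -1 the content of @p r must not be used as a key.` to both functions (the implementation is not on this page, so the exact state of `r` is unknown here). The summary of ocrypto_ecdh_p256_public_key, `r = n * p`, uses names that are not parameters of the function; `r = s * basePoint` would match the signature. `#include <stdint.h>` sits inside the `extern "C" {` block, unlike the other headers in this commit, and should move above the `#ifdef __cplusplus` line.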


@@ -0,0 +1,157 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_ecdsa ECDSA APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs to do Elliptic Curve Digital Signature Algorith using the
* NIST secp256r1 curve.
*/
#ifndef OCRYPTO_ECDSA_P256_H
#define OCRYPTO_ECDSA_P256_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* ECDSA P-256 public key generation.
*
* Given a secret key @p sk the corresponding public key is computed and put
* into @p pk.
*
* @param[out] pk Generated public key.
* @param sk Secret key. Must be pre-filled with random data.
*
* @retval 0 If @p sk is a valid secret key.
* @retval -1 Otherwise.
*/
int ocrypto_ecdsa_p256_public_key(
uint8_t pk[64],
const uint8_t sk[32]);
/**
* ECDSA P-256 signature generation.
*
* The message @p m is signed using the secret key @p sk and the ephemeral
* session key @p ek. The signature is put into @p sig.
*
* @param[out] sig Generated signature.
* @param m Input message.
* @param mlen Length of @p m.
* @param sk Secret key.
* @param ek Ephemeral session key.
*
* @retval 0 If @p ek is a valid session key.
* @retval -1 Otherwise.
*/
int ocrypto_ecdsa_p256_sign(
uint8_t sig[64],
const uint8_t *m, size_t mlen,
const uint8_t sk[32],
const uint8_t ek[32]);
/**
* ECDSA P-256 signature generation from SHA256 hash.
*
* The message hash @p hash is signed using the secret key @p sk and the ephemeral
* session key @p ek. The signature is put into @p sig.
*
* @param[out] sig Generated signature.
* @param hash Input hash.
* @param sk Secret key.
* @param ek Ephemeral session key.
*
* @retval 0 If @p ek is a valid session key.
* @retval -1 Otherwise.
*/
int ocrypto_ecdsa_p256_sign_hash(
uint8_t sig[64],
const uint8_t hash[32],
const uint8_t sk[32],
const uint8_t ek[32]);
/**
* ECDSA P-256 signature verification.
*
* The signature @p sig of the input message @p m is verified using the signer's
* public key @p pk.
*
* @param sig Input signature.
* @param m Input message.
* @param mlen Length of @p m.
* @param pk Signer's public key.
*
* @retval 0 If the signature is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecdsa_p256_verify(
const uint8_t sig[64],
const uint8_t *m, size_t mlen,
const uint8_t pk[64]);
/**
* ECDSA P-256 signature verification from SHA256 hash.
*
* The signature @p sig of the message hash @p hash is verified using the signer's
* public key @p pk.
*
* @param sig Input signature.
* @param hash Input hash.
* @param pk Signer's public key.
*
* @retval 0 If the signature is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecdsa_p256_verify_hash(
const uint8_t sig[64],
const uint8_t hash[32],
const uint8_t pk[64]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_ECDSA_P256_H */
/** @} */
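Review bot: The `@param ek` lines of ocrypto_ecdsa_p256_sign and ocrypto_ecdsa_p256_sign_hash say only "Ephemeral session key" and leave out the requirement the caller has to meet: the value must be fresh, secret and unpredictable for every signature. In ECDSA a repeated or guessable per-signature value is enough to recover `sk` from the published signatures, and this interface hands that responsibility entirely to the caller. I would change both lines to something like `Ephemeral session key. Must be new secret random data for every signature; never reuse.` and state that `sig` must be discarded when -1 is returned. The `@brief` of the file also has the typo "Algorith".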


@@ -0,0 +1,171 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_ecjpake EC-JPAKE
* @ingroup nrf_oberon
* @{
* @brief Type declaration and APIs for EC-JPAKE.
*
*/
#ifndef OCRYPTO_ECJPAKE_P256_H
#define OCRYPTO_ECJPAKE_P256_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* EC-JPAKE-P256 public key and zero knowledge proof generation.
*
* @param[out] X Public key.
* @param[out] V ZKP ephemeral public key.
* @param[out] r ZKP signature.
* @param G Generator. May be NULL to use the default generator.
* @param x Secret key. 0 < x < group order.
* @param v ZKP ephemeral secret key. 0 < v < group order.
* @param id Identity of originator.
* @param id_len Identity length.
*
* @retval 0 If inputs are valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecjpake_get_key(
uint8_t X[64],
uint8_t V[64],
uint8_t r[32],
const uint8_t G[64],
const uint8_t x[32],
const uint8_t v[32],
const char *id, size_t id_len);
/**
* EC-JPAKE-P256 zero knowledge proof verification.
*
* @param G Generator. May be NULL to use the default generator.
* @param X Public key.
* @param V ZKP ephemeral public key.
* @param r ZKP signature.
* @param id Identity of originator.
* @param id_len Identity length.
*
* @retval 0 If proof is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecjpake_verify_key(
const uint8_t G[64],
const uint8_t X[64],
const uint8_t V[64],
const uint8_t r[32],
const char *id, size_t id_len);
/**
* EC-JPAKE-P256 generator derivation.
*
* @param[out] G Generator.
* @param X1 Public key 1.
* @param X2 Public key 2.
* @param X3 Public key 3.
*
* @retval 0 If the generator is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecjpake_get_generator(
uint8_t G[64],
const uint8_t X1[64],
const uint8_t X2[64],
const uint8_t X3[64]);
/**
* EC-JPAKE-P256 read shared secret.
*
* @param[out] rs Reduced shared secret.
* @param secret Shared secret.
* @param secret_len Secret length.
*/
void ocrypto_ecjpake_read_shared_secret(
uint8_t rs[32],
const uint8_t *secret, size_t secret_len);
/**
* EC-JPAKE-P256 shared secret handling.
*
* @param[out] xs Client/server secret key.
* @param x2 Secret key 2.
* @param rs Reduced shared secret.
*
* @retval 0 If the derived secret key is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecjpake_process_shared_secret(
uint8_t xs[32],
const uint8_t x2[32],
const uint8_t rs[32]);
/**
* EC-JPAKE-P256 secret key generation.
*
* @param[out] secret Resulting premaster secret.
* @param Xr Remote client/server public key.
* @param X2 Remote public key 2.
* @param xs Client/server secret key.
* @param x2 Secret key 2.
*
* @retval 0 If the key is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ecjpake_get_secret_key(
uint8_t secret[32],
const uint8_t Xr[64],
const uint8_t X2[64],
const uint8_t xs[32],
const uint8_t x2[32]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_ECJPAKE_P256_H */
/** @} */


@@ -0,0 +1,135 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_ed25519 Ed25519 APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for the Ed25519 algorithm.
*
* Ed25519 is a specific implementation of EdDSA, a digital signature scheme.
* EdDSA is based on Twisted Edwards curves and is designed to be faster than
* existing digital signature schemes without sacrificing security. It was
* developed by Daniel J. Bernstein, et al. Ed25519 is intended to provide
* attack resistance comparable to quality 128-bit symmetric ciphers.
*
* @see [Ed25519: high-speed high-security signatures](https://ed25519.cr.yp.to)
*/
#ifndef OCRYPTO_ED25519_H
#define OCRYPTO_ED25519_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of a public key.
*/
#define ocrypto_ed25519_PUBLIC_KEY_BYTES (32)
/**
* Length of a secret key.
*/
#define ocrypto_ed25519_SECRET_KEY_BYTES (32)
/**
* Length of a signature.
*/
#define ocrypto_ed25519_BYTES (64)
/**
* Ed25519 signature key pair generation.
*
* Given a secret key @p sk, the corresponding public key is computed and put
* into @p pk. The key pair can then be used to sign and verify message signatures.
*
* @param[out] pk Generated public key.
* @param sk Secret key. Must be pre-filled with random data.
*/
void ocrypto_ed25519_public_key(uint8_t pk[ocrypto_ed25519_PUBLIC_KEY_BYTES],
const uint8_t sk[ocrypto_ed25519_SECRET_KEY_BYTES]);
/**
* Ed25519 signature generate.
*
* The message @p m is signed using the secret key @p sk and the corresponding
* public key @p pk. The signature is put into @p sig.
*
* @param[out] sig Generated signature.
* @param m Input message.
* @param m_len Length of @p m.
* @param sk Secret key.
* @param pk Public key.
*/
void ocrypto_ed25519_sign(uint8_t sig[ocrypto_ed25519_BYTES],
const uint8_t *m, size_t m_len,
const uint8_t sk[ocrypto_ed25519_SECRET_KEY_BYTES],
const uint8_t pk[ocrypto_ed25519_PUBLIC_KEY_BYTES]);
/**
* Ed25519 signature verification.
*
* The signature @p sig of the input message @p m is verified using the signer's
* public key @p pk.
*
* @param sig Input signature.
* @param m Input message.
* @param m_len Length of @p m.
* @param pk Signer's public key.
*
* @retval 0 If the signature is valid.
* @retval -1 Otherwise.
*/
int ocrypto_ed25519_verify(const uint8_t sig[ocrypto_ed25519_BYTES],
const uint8_t *m, size_t m_len,
const uint8_t pk[ocrypto_ed25519_PUBLIC_KEY_BYTES]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_ED25519_H */
/** @} */
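Review bot: ocrypto_ed25519_sign takes `pk` as a separate input and the comment calls it "the corresponding public key" without saying what the caller must guarantee. Signing interfaces of this shape are known to weaken the secret key when they are given a public key that does not belong to `sk`, so the `@param pk` line should carry the requirement, for example `Public key. Must be the value computed from @p sk by ocrypto_ed25519_public_key.` Whether the implementation checks the pair cannot be seen from this header, and because the function returns void a mismatch could not be reported to the caller in any case. Callers should therefore keep `sk` and `pk` stored together and never accept `pk` from an external source.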


@@ -0,0 +1,100 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hkdf_1 HKDF APIs using SHA-1
* @ingroup nrf_oberon_hkdf
* @{
* @brief Type declaration and APIs for the HKDF-SHA1 algorithm.
*
* HKDF-SHA1 is a key derivation function based on HMAC-SHA1.
*
* @see [RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)](http://tools.ietf.org/html/rfc5869)
*/
#ifndef OCRYPTO_HKDF_SHA1_H
#define OCRYPTO_HKDF_SHA1_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum length of a derived key.
*/
#define ocrypto_hkdf_sha1_LENGTH_MAX (20)
/**
* Maximum salt length.
*/
#define ocrypto_hkdf_sha1_SALT_LENGTH_MAX (40)
/**
* HKDF-SHA1 algorithm.
*
* A new pseudo-random key of length @p r_len is derived from an input key
* @p key, a salt @p salt and additional information @p info. The new key is put
* into @p r.
*
* @param[out] r Output key.
* @param r_len Length of @p r, 0 < @p r_len <= @c ocrypto_hkdf_sha1_LENGTH_MAX.
* @param key Input key.
* @param key_len Length of @p key.
* @param salt Salt.
* @param salt_len Length of salt @p salt. 0 <= @p salt_len <= @c ocrypto_hkdf_sha1_SALT_LENGTH_MAX.
* @param info Additional information.
* @param info_len Length of @p info.
*/
void ocrypto_hkdf_sha1(
uint8_t* r, size_t r_len,
const uint8_t* key, size_t key_len,
const uint8_t* salt, size_t salt_len,
const uint8_t* info, size_t info_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HKDF_SHA1_H */
/** @} */
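Review bot: ocrypto_hkdf_sha1 returns void, so the documented limits on `r_len` (at most ocrypto_hkdf_sha1_LENGTH_MAX, 20) and `salt_len` (at most ocrypto_hkdf_sha1_SALT_LENGTH_MAX, 40) cannot be reported when a caller exceeds them, and the comment does not say what happens then. If the implementation does not check them (it is not on this page), I would add `@remark The limits are not checked; the caller must validate @p r_len and @p salt_len before the call.` The same applies to ocrypto_hkdf_sha256 and ocrypto_hkdf_sha512 in the next two files. The output limit is a single hash length, well below what RFC 5869 permits, which is worth stating so that callers do not assume longer key material can be requested in one call.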


@@ -0,0 +1,107 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hkdf HKDF - HMAC based Key Derivation Function
* @ingroup nrf_oberon
* @{
* @brief HKDF is a key derivation function based on HMAC Extract-and-Expand
* @}
*
* @defgroup nrf_oberon_hkdf_256 HKDF APIs using SHA-256
* @ingroup nrf_oberon_hkdf
* @{
* @brief Type declarations and APIs for the HKDF-SHA256 algorithm.
*
* HKDF-SHA256 is a key derivation function based on HMAC-SHA256.
*
* @see [RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)](http://tools.ietf.org/html/rfc5869)
*/
#ifndef OCRYPTO_HKDF_SHA256_H
#define OCRYPTO_HKDF_SHA256_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum length of a derived key.
*/
#define ocrypto_hkdf_sha256_LENGTH_MAX (32)
/**
* Maximum salt length.
*/
#define ocrypto_hkdf_sha256_SALT_LENGTH_MAX (64)
/**
* HKDF-SHA256 algorithm.
*
* A new pseudo-random key of length @p r_len is derived from an input key
* @p key, a salt @p salt and additional information @p info. The new key is put
* into @p r.
*
* @param[out] r Output key.
* @param r_len Length of @p r, 0 < @p r_len <= @c ocrypto_hkdf_sha256_LENGTH_MAX.
* @param key Input key.
* @param key_len Length of @p key.
* @param salt Salt.
* @param salt_len Length of salt @p salt. 0 <= @p salt_len <= @c ocrypto_hkdf_sha256_SALT_LENGTH_MAX.
* @param info Additional information.
* @param info_len Length of @p info.
*/
void ocrypto_hkdf_sha256(
uint8_t* r, size_t r_len,
const uint8_t* key, size_t key_len,
const uint8_t* salt, size_t salt_len,
const uint8_t* info, size_t info_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HKDF_SHA256_H */
/** @} */


@@ -0,0 +1,101 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hkdf_512 HKDF APIs using SHA-512
* @ingroup nrf_oberon_hkdf
* @{
* @brief Type declaration and APIs for the HKDF-SHA512 algorithm.
*
* HKDF-SHA512 is a key derivation function based on HMAC-SHA512.
*
* @see [RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)](http://tools.ietf.org/html/rfc5869)
*/
#ifndef OCRYPTO_HKDF_SHA512_H
#define OCRYPTO_HKDF_SHA512_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum length of a derived key.
*/
#define ocrypto_hkdf_sha512_LENGTH_MAX (64)
/**
* Maximum salt length.
*/
#define ocrypto_hkdf_sha512_SALT_LENGTH_MAX (128)
/**
* HKDF-SHA512 algorithm.
*
* A new pseudo-random key of length @p r_len is derived from an input key
* @p key, a salt @p salt and additional information @p info. The new key is put
* into @p r.
*
* @param[out] r Output key.
* @param r_len Length of @p r, 0 < @p r_len <= @c ocrypto_hkdf_sha512_LENGTH_MAX.
* @param key Input key.
* @param key_len Length of @p key.
* @param salt Salt.
* @param salt_len Length of salt @p salt. 0 <= @p salt_len <= @c ocrypto_hkdf_sha512_SALT_LENGTH_MAX.
* @param info Additional information.
* @param info_len Length of @p info.
*/
void ocrypto_hkdf_sha512(
uint8_t* r, size_t r_len,
const uint8_t* key, size_t key_len,
const uint8_t* salt, size_t salt_len,
const uint8_t* info, size_t info_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HKDF_SHA512_H */
/** @} */


@@ -0,0 +1,118 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hmac_1 HMAC APIs using SHA-1
* @ingroup nrf_oberon_hmac
* @{
* @brief Type declarations and APIs for the HMAC-SHA1 algorithm.
*
* HMAC-SHA1 is an algorithm for message authentication using the
* cryptographic hash function SHA-1 and a reusable secret key. Users in
* possession of the key can verify the integrity and authenticity of the
* message.
*
* @see [RFC 2104 - HMAC: Keyed-Hashing for Message Authentication](http://tools.ietf.org/html/rfc2104)
*/
#ifndef OCRYPTO_HMAC_SHA1_H
#define OCRYPTO_HMAC_SHA1_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum key length.
*/
#define ocrypto_hmac_sha1_KEY_BYTES_MAX (64)
/**
* Length of the authenticator.
*/
#define ocrypto_hmac_sha1_BYTES (20)
/**
* HMAC-SHA1 algorithm.
*
* The input message @p in is authenticated using the key @p k. The computed
* authenticator is put into @p r. To verify the authenticator, the recipient
* needs to recompute the HMAC authenticator and can then compare it with the
* received authenticator.
*
* @param[out] r HMAC output.
* @param key HMAC key.
* @param key_len Length of @p key. 0 <= @p key_len <= @c ocrypto_hmac_sha1_KEY_BYTES_MAX.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_hmac_sha1(
uint8_t r[ocrypto_hmac_sha1_BYTES],
const uint8_t* key, size_t key_len,
const uint8_t* in, size_t in_len);
/**
* HMAC-SHA1 algorithm with AAD.
*
* @param[out] r HMAC output
* @param key HMAC key.
* @param key_len Length of @p key. 0 <= @p key_len <= @c ocrypto_hmac_sha1_KEY_BYTES_MAX.
* @param in Input data.
* @param in_len Length of @p in.
* @param aad Additional authentication data. May be NULL.
* @param aad_len Length of @p aad.
*/
void ocrypto_hmac_sha1_aad(
uint8_t r[20],
const uint8_t* key, size_t key_len,
const uint8_t* in, size_t in_len,
const uint8_t* aad, size_t aad_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HMAC_SHA1_H */
/** @} */
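Review bot: The verification guidance in the `ocrypto_hmac_sha1` comment ("recompute the HMAC authenticator and can then compare it with the received authenticator") does not say that the comparison has to be constant-time, so a caller following it will likely use `memcmp`, whose early exit leaks how many leading tag bytes matched. I would extend the sentence to `... and compare it with the received authenticator using a constant-time comparison over all ocrypto_hmac_sha1_BYTES bytes.` The same sentence appears in the HMAC-SHA256 and HMAC-SHA512 headers later in this commit. Two smaller documentation points in this file: the text refers to `@p k` while the parameter is named `key`, and `ocrypto_hmac_sha1_aad` declares `uint8_t r[20]` instead of `r[ocrypto_hmac_sha1_BYTES]` and does not say in which order `aad` and `in` are authenticated.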


@@ -0,0 +1,174 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hmac HMAC - Hash-based Aessage Authentication Code
* @ingroup nrf_oberon
* @{
* @brief HMAC is a hash-based Message Authentication Code utilizing a secure hash function.
* @}
* @defgroup nrf_oberon_hmac_256 HMAC APIs using SHA-256
* @ingroup nrf_oberon_hmac
* @{
* @brief Type declarations and APIs for the HMAC-SHA256 algorithm.
*
* HMAC-SHA256 is an algorithm for message authentication using the
* cryptographic hash function SHA256 and a reusable secret key. Users in
* possession of the key can verify the integrity and authenticity of the
* message.
*
* @see [RFC 2104 - HMAC: Keyed-Hashing for Message Authentication](http://tools.ietf.org/html/rfc2104)
*/
#ifndef OCRYPTO_HMAC_SHA256_H
#define OCRYPTO_HMAC_SHA256_H
#include <stddef.h>
#include <stdint.h>
#include "include/ocrypto_sha256.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum key length.
*/
#define ocrypto_hmac_sha256_KEY_BYTES_MAX (64)
/**
* Length of the authenticator.
*/
#define ocrypto_hmac_sha256_BYTES (32)
/**@cond */
typedef struct
{
ocrypto_sha256_ctx hash_ctx;
uint8_t ikey[ocrypto_hmac_sha256_KEY_BYTES_MAX];
uint8_t okey[ocrypto_hmac_sha256_KEY_BYTES_MAX];
uint8_t key[ocrypto_hmac_sha256_KEY_BYTES_MAX];
} ocrypto_hmac_sha256_ctx;
/**@endcond */
/**@name Incremental HMAC-SHA256 generator.
*
* This group of functions can be used to incrementally compute HMAC-SHA256
* for a given message.
*/
/**@{*/
/**
* HMAC-SHA256 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
* @param key HMAC key.
* @param key_len Length of @p key.
*/
void ocrypto_hmac_sha256_init(ocrypto_hmac_sha256_ctx * ctx,
const uint8_t* key, size_t key_len);
/**
* HMAC-SHA256 incremental data input.
*
* The generator state @p ctx is updated to hash a message chunk @p in.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param[in,out] ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_hmac_sha256_init is required before this function can be called.
*/
void ocrypto_hmac_sha256_update(ocrypto_hmac_sha256_ctx * ctx,
const uint8_t* in, size_t in_len);
/**
* HMAC-SHA256 output.
*
* The generator state @p ctx is updated to finalize the HMAC calculation.
* The HMAC digest is put into @p r.
*
* @param[in,out] ctx Generator state.
* @param[out] r Generated HMAC digest.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_hmac_sha256_init is required before this function can be called.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_hmac_sha256_update and @c ocrypto_hmac_sha256_final unless it is
* reinitialized using @c ocrypto_hmac_sha256_init.
*/
void ocrypto_hmac_sha256_final(ocrypto_hmac_sha256_ctx * ctx,
uint8_t r[ocrypto_hmac_sha256_BYTES]);
/**@}*/
/**
* HMAC-SHA256 algorithm.
*
* The input message @p in is authenticated using the key @p k. The computed
* authenticator is put into @p r. To verify the authenticator, the recipient
* needs to recompute the HMAC authenticator and can then compare it with the
* received authenticator.
*
* @param[out] r HMAC output.
* @param key HMAC key.
* @param key_len Length of @p key. 0 <= @p key_len <= @c ocrypto_hmac_sha256_KEY_BYTES_MAX.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_hmac_sha256(
uint8_t r[ocrypto_hmac_sha256_BYTES],
const uint8_t* key, size_t key_len,
const uint8_t* in, size_t in_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HMAC_SHA256_H */
/** @} */
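Review bot: `ocrypto_hmac_sha256_init` documents no upper bound for `key_len`, while the one-shot `ocrypto_hmac_sha256` limits it to `ocrypto_hmac_sha256_KEY_BYTES_MAX` and the context's `ikey`/`okey`/`key` arrays are exactly that size. The header does not show what the implementation does with a longer key, so the contract should be stated where callers will read it, e.g. `@param key_len Length of @p key. 0 <= @p key_len <= @c ocrypto_hmac_sha256_KEY_BYTES_MAX.`, and callers that pass an externally supplied key length should check the bound themselves until that is confirmed. Since `ocrypto_hmac_sha256_ctx` holds key-derived material, the `ocrypto_hmac_sha256_final` remarks could also tell callers to wipe the context once they are done with it. Both points apply equally to `ocrypto_hmac_sha512_init` and `ocrypto_hmac_sha512_ctx` in the next file.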


@@ -0,0 +1,169 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_hmac_512 HMAC APIs using SHA-512
* @ingroup nrf_oberon_hmac
* @{
* @brief Type declarations and APIs for the HMAC-SHA512 algorithm.
*
* HMAC-SHA512 is an algorithm for message authentication using the
* cryptographic hash function SHA512 and a reusable secret key. Users in
* possession of the key can verify the integrity and authenticity of the
* message.
*
* @see [RFC 2104 - HMAC: Keyed-Hashing for Message Authentication](http://tools.ietf.org/html/rfc2104)
*/
#ifndef OCRYPTO_HMAC_SHA512_H
#define OCRYPTO_HMAC_SHA512_H
#include <stddef.h>
#include <stdint.h>
#include "include/ocrypto_sha512.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* Maximum key length.
*/
#define ocrypto_hmac_sha512_KEY_BYTES_MAX (128)
/**
* Length of the authenticator.
*/
#define ocrypto_hmac_sha512_BYTES (64)
/**@cond */
typedef struct
{
ocrypto_sha512_ctx hash_ctx;
uint8_t ikey[ocrypto_hmac_sha512_KEY_BYTES_MAX];
uint8_t okey[ocrypto_hmac_sha512_KEY_BYTES_MAX];
uint8_t key[ocrypto_hmac_sha512_KEY_BYTES_MAX];
} ocrypto_hmac_sha512_ctx;
/**@endcond */
/**@name Incremental HMAC-SHA512 generator.
*
* This group of functions can be used to incrementally compute HMAC-SHA512
* for a given message.
*/
/**@{*/
/**
* HMAC-SHA512 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
* @param key HMAC key.
* @param key_len Length of @p key.
*/
void ocrypto_hmac_sha512_init(ocrypto_hmac_sha512_ctx * ctx,
const uint8_t* key, size_t key_len);
/**
* HMAC-SHA512 incremental data input.
*
* The generator state @p ctx is updated to hash a message chunk @p in.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param[in,out] ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_hmac_sha512_init is required before this function can be called.
*/
void ocrypto_hmac_sha512_update(ocrypto_hmac_sha512_ctx * ctx,
const uint8_t* in, size_t in_len);
/**
* HMAC-SHA512 output.
*
* The generator state @p ctx is updated to finalize the HMAC calculation.
* The HMAC digest is put into @p r.
*
* @param[in,out] ctx Generator state.
* @param[out] r Generated HMAC digest.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_hmac_sha512_init is required before this function can be called.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_hmac_sha512_update and @c ocrypto_hmac_sha512_final unless it is
* reinitialized using @c ocrypto_hmac_sha512_init.
*/
void ocrypto_hmac_sha512_final(ocrypto_hmac_sha512_ctx * ctx,
uint8_t r[ocrypto_hmac_sha512_BYTES]);
/**@}*/
/**
* HMAC-SHA512 algorithm.
*
* The input message @p in is authenticated using the key @p k. The computed
* authenticator is put into @p r. To verify the authenticator, the recipient
* needs to recompute the HMAC authenticator and can then compare it with the
* received authenticator.
*
* @param[out] r HMAC output.
* @param key HMAC key.
* @param key_len Length of @p key. 0 <= @p key_len <= @c ocrypto_hmac_sha512_KEY_BYTES_MAX.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_hmac_sha512(
uint8_t r[ocrypto_hmac_sha512_BYTES],
const uint8_t* key, size_t key_len,
const uint8_t* in, size_t in_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_HMAC_SHA512_H */
/** @} */


@@ -0,0 +1,176 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_poly1305 Poly1305 APIs
* @ingroup nrf_oberon_chacha_poly
@{
* @brief Type declaration and APIs for the Poly1035 algorithm.
*
* Poly1305 is a message authentication code created by Daniel J.
* Bernstein. It can be used to verify the data integrity and the
* authenticity of a message.
*
* Poly1305 takes a one-time key to produce an authentication tag for a message.
* Since a key can only be used to authenticate a single message, a new key
* needs to be derived for each message.
*
* @see [RFC 7539 - ChaCha20 and Poly1305 for IETF Protocols](http://tools.ietf.org/html/rfc7539)
* @see [Poly1305-AES: a state-of-the-art message-authentication code](http://cr.yp.to/mac.html)
*/
#ifndef OCRYPTO_POLY1305_H
#define OCRYPTO_POLY1305_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Key length.
*/
#define ocrypto_poly1305_KEY_BYTES (32)
/**
* Authenticator length.
*/
#define ocrypto_poly1305_BYTES (16)
/**@cond */
typedef struct {
uint32_t h[5];
} ocrypto_poly1305_ctx;
/**@endcond */
/**@name Incremental Poly1305 generator.
*
* This group of functions can be used to incrementally compute the Poly1305
* authenticator for a given message and key.
*/
/**@{*/
/**
* Poly1305 generator initialize.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
*/
void ocrypto_poly1305_init(ocrypto_poly1305_ctx *ctx);
/**
* Poly1305 generator.
*
* The generator state @p ctx is updated to authenticate a message chunk @p in
* with a key @p k.
*
* This function can be called repeatedly until the whole message has been
* processed.
*
* @param ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
* @param k Encryption key.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_poly1305_init is required before this function can be called.
*
* @remark The same key @p k needs to be supplied for all message chunks.
*/
void ocrypto_poly1305_update(
ocrypto_poly1305_ctx *ctx,
const uint8_t *in, size_t in_len,
const uint8_t k[ocrypto_poly1305_KEY_BYTES]);
/**
* Poly1305 generator output.
*
* The generator state @p ctx is updated to finalize the authenticator for the
* previously processed message chunks with key @p k. The authentication tag is
* put into @p r.
*
* @param ctx Generator state.
* @param[out] r Generated authentication tag.
* @param k Encryption key.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_poly1305_init is required before this function can be called.
*
* @remark The same key @p k needs to be supplied that was used in previous
* @c ocrypto_poly1305_update invocations.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_poly1305_update and @c ocrypto_poly1305_final unless it is
* reinitialized using @c ocrypto_poly1305_init.
*/
void ocrypto_poly1305_final(
ocrypto_poly1305_ctx *ctx,
uint8_t r[ocrypto_poly1305_BYTES],
const uint8_t k[ocrypto_poly1305_KEY_BYTES]);
/**@}*/
/**
* Poly1305 message authentication tag.
*
* The Poly1305 authentication of a given input message @p in is computed and
* put into @p r.
*
* @param[out] r Generated authentication tag.
* @param in Input data.
* @param in_len Length of @p in.
* @param k Encryption key.
*/
void ocrypto_poly1305(
uint8_t r[ocrypto_poly1305_BYTES],
const uint8_t *in, size_t in_len,
const uint8_t k[ocrypto_poly1305_KEY_BYTES]);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_POLY1305_H */
/**@}*/
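Review bot: The `k` parameter of `ocrypto_poly1305_update`, `ocrypto_poly1305_final` and `ocrypto_poly1305` is documented as "Encryption key", which hides the one property callers must not get wrong: as the file comment says, a Poly1305 key authenticates a single message only. I would reword each to `@param k One-time authentication key; must not be reused for another message.` so the constraint sits on the functions rather than only in the file header. The `@brief` also misspells the algorithm as "Poly1035", and `ctx` in update/final is an in/out parameter but is not marked `[in,out]` as it is in the HMAC headers.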


@@ -0,0 +1,642 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_rsa RSA - Rivest-Shamir-Adleman algorithm
* @ingroup nrf_oberon
* @{
* @brief RSA is a number theoretic public-key encryption and signature algorithm.
* @}
* @defgroup nrf_oberon_rsa_api RSA APIs
* @ingroup nrf_oberon_rsa
* @{
* @brief APIs to for RSA encryption/decryption and sign/verify using PKCS1 v1.5, OEAP and PSS.
*
* These functions support RSA encryption and signatures with 1024 and 2048-bit
* modulo and PKCS1 V1.5 padding.
*/
#ifndef OCRYPTO_RSA_H
#define OCRYPTO_RSA_H
#include <stddef.h>
#include <stdint.h>
#include "ocrypto_rsa_key.h"
#ifdef __cplusplus
extern "C" {
#endif
/**@name 1024-bit RSA Functions.
*
* This group of functions is used for 1024-bit RSA.
*/
/**@{*/
/**
* 1024 bit RSA PKCS1 V1.5 encryption.
*
* The message @p m is encrypted to a ciphertext returned in @p c.
*
* @param[out] c The generated 128-byte ciphertext.
* @param m The message to be encrypted.
* @param mlen Length of @p m. 0 <= mlen <= 117.
* @param seed The random seed to be used for the padding.
* @param slen Length of @p seed. @p slen >= 125 - @p mlen.
* @param pk A valid 1024-bit RSA public key.
*
* @retval -1 If the message is too long (mlen > 117).
* @retval -2 If the seed is too short (slen < 125 - mlen).
* @retval 0 Otherwise.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa1024_init_pub_key.
* @remark The @p seed should consist of non-zero random bytes.
* @remark @p c and @p m can point to the same address.
*/
int ocrypto_rsa1024_pkcs1_v15_encrypt(
uint8_t c[128],
const uint8_t *m, size_t mlen,
const uint8_t *seed, size_t slen,
const ocrypto_rsa1024_pub_key *pk);
/**
* 1024-bit RSA PKCS1 V1.5 decryption.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 128-byte ciphertext to decrypt.
* @param k A valid 1024-bit RSA secret key.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa1024_pkcs1_v15_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[128],
const ocrypto_rsa1024_key *k);
/**
* 1024-bit RSA PKCS1 V1.5 decryption with CRT acceleration.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 128-byte ciphertext to decrypt.
* @param k A valid 1024-bit RSA secret key with CRT coefficients.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_crt_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa1024_pkcs1_v15_crt_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[128],
const ocrypto_rsa1024_crt_key *k);
/**
* 1024-bit RSA OAEP SHA256 encryption.
*
* The message @p m is encrypted to a ciphertext returned in @p c.
*
* @param[out] c The generated 128-byte ciphertext.
* @param m The message to be encrypted.
* @param mlen Length of @p m. 0 <= mlen <= 62.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param seed 32-byte random seed.
* @param pk A valid 1024-bit RSA public key.
*
* @retval -1 If the message is too long (mlen > 62).
* @retval 0 Otherwise.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa1024_init_pub_key.
* @remark @p c and @p m can point to the same address.
*/
int ocrypto_rsa1024_oaep_sha256_encrypt(
uint8_t c[128],
const uint8_t *m, size_t mlen,
const uint8_t *label, size_t llen,
const uint8_t seed[32],
const ocrypto_rsa1024_pub_key *pk);
/**
* 1024-bit RSA OAEP SHA256 decryption.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 128-byte ciphertext to decrypt.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param k A valid 1024-bit RSA secret key.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa1024_oaep_sha256_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[128],
const uint8_t *label, size_t llen,
const ocrypto_rsa1024_key *k);
/**
* 1024-bit RSA OAEP SHA256 decryption with CRT acceleration.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 128-byte ciphertext to decrypt.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param k A valid 1024-bit RSA secret key with CRT coefficients.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_crt_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa1024_oaep_sha256_crt_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[128],
const uint8_t *label, size_t llen,
const ocrypto_rsa1024_crt_key *k);
/**
* 1024-bit RSA PKCS1 V1.5 SHA-256 sign.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 128-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param k A valid 1024-bit RSA secret key.
*
* @return 0
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa1024_pkcs1_v15_sha256_sign(
uint8_t s[128],
const uint8_t *m, size_t mlen,
const ocrypto_rsa1024_key *k);
/**
* 1024-bit RSA PKCS1 V1.5 SHA-256 sign with CRT acceleration.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 128-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param k A valid 1024-bit RSA secret key with CRT coefficients.
*
* @return 0
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_crt_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa1024_pkcs1_v15_sha256_crt_sign(
uint8_t s[128],
const uint8_t *m, size_t mlen,
const ocrypto_rsa1024_crt_key *k);
/**
* 1024-bit RSA PKCS1 V1.5 SHA-256 signature verify.
*
* The signature @p s is verified for a valid signature of message @p m.
*
* @param s The 128-byte signature.
* @param m The signed message.
* @param mlen Length of @p m.
* @param pk A valid 1024-bit RSA public key.
*
* @retval 0 If the signature is valid.
* @retval -1 If verification failed.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa1024_init_pub_key.
*/
int ocrypto_rsa1024_pkcs1_v15_sha256_verify(
const uint8_t s[128],
const uint8_t *m, size_t mlen,
const ocrypto_rsa1024_pub_key *pk);
/**
* 1024-bit RSA PSS SHA-256 sign.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 128-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param salt The salt to be used.
* @param slen Length of @p salt.
* @param k A valid 1024-bit RSA secret key.
*
* @retval -2 If the salt is too long.
* @retval 0 Otherwise.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa1024_pss_sha256_sign(
uint8_t s[128],
const uint8_t *m, size_t mlen,
const uint8_t *salt, size_t slen,
const ocrypto_rsa1024_key *k);
/**
* 1024-bit RSA PSS SHA-256 sign with CRT acceleration.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 128-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param salt The salt to be used.
* @param slen Length of @p salt.
* @param k A valid 1024-bit RSA secret key with CRT coefficients.
*
* @retval -2 If the salt is too long.
* @retval 0 Otherwise.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa1024_init_crt_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa1024_pss_sha256_crt_sign(
uint8_t s[128],
const uint8_t *m, size_t mlen,
const uint8_t *salt, size_t slen,
const ocrypto_rsa1024_crt_key *k);
/**
* 1024-bit RSA PSS SHA-256 signature verify.
*
* The signature @p s is verified for a valid signature of message @p m.
*
* @param s The 128-byte signature.
* @param m The signed message.
* @param mlen Length of @p m.
* @param slen The length of the salt.
* @param pk A valid 1024-bit RSA public key.
*
* @retval 0 If the signature is valid.
* @retval -1 If verification failed.
* @retval -2 If the salt is too long.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa1024_init_pub_key.
*/
int ocrypto_rsa1024_pss_sha256_verify(
const uint8_t s[128],
const uint8_t *m, size_t mlen,
size_t slen, // salt length
const ocrypto_rsa1024_pub_key *pk);
/**@}*/
/**@name 2048-bit RSA Functions.
*
* This group of functions is used for 2048-bit RSA.
*/
/**@{*/
/**
* 2048-bit RSA PKCS1 V1.5 encryption.
*
* The message @p m is encrypted to a ciphertext returned in @p c.
*
* @param[out] c The generated 256-byte ciphertext.
* @param m The message to be encrypted.
* @param mlen Length of @p m. 0 <= @p mlen <= 245.
* @param seed The random seed to be used for the padding.
* @param slen Length of @p seed. @p slen >= 253 - @p mlen.
* @param pk A valid 2048-bit RSA public key.
*
* @retval -1 If the message is too long (mlen > 245).
* @retval -2 If the seed is too short (slen < 253 - mlen).
* @retval 0 Otherwise.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa2048_init_pub_key.
* @remark The @p seed should consist of non-zero random bytes.
* @remark @p c and @p m can point to the same address.
*/
int ocrypto_rsa2048_pkcs1_v15_encrypt(
uint8_t c[256],
const uint8_t *m, size_t mlen,
const uint8_t *seed, size_t slen,
const ocrypto_rsa2048_pub_key *pk);
/**
* 2048-bit RSA PKCS1 V1.5 decryption.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 256-byte ciphertext to decrypt.
* @param k A valid 2048-bit RSA secret key.
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa2048_pkcs1_v15_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[256],
const ocrypto_rsa2048_key *k);
/**
* 2048-bit RSA PKCS1 V1.5 decryption with CRT acceleration.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 256-byte ciphertext to decrypt.
* @param k A valid 2048-bit RSA secret key with CRT coefficients.
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_crt_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa2048_pkcs1_v15_crt_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[256],
const ocrypto_rsa2048_crt_key *k);
/**
* 2048-bit RSA OAEP SHA256 encryption.
*
* The message @p m is encrypted to a ciphertext returned in @p c.
*
* @param[out] c The generated 256-byte ciphertext.
* @param m The message to be encrypted.
* @param mlen Length of @p m. 0 <= mlen <= 190.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param seed 32-byte random seed.
* @param pk A valid 2048-bit RSA public key.
*
* @retval -1 If the message is too long (mlen > 190).
* @retval 0 Otherwise.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa2048_init_pub_key.
* @remark @p c and @p m can point to the same address.
*/
int ocrypto_rsa2048_oaep_sha256_encrypt(
uint8_t c[256],
const uint8_t *m, size_t mlen,
const uint8_t *label, size_t llen,
const uint8_t seed[32],
const ocrypto_rsa2048_pub_key *pk);
/**
* 2048-bit RSA OAEP SHA256 decryption.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 256-byte ciphertext to decrypt.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param k A valid 2048-bit RSA secret key.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa2048_oaep_sha256_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[256],
const uint8_t *label, size_t llen,
const ocrypto_rsa2048_key *k);
/**
* 2048-bit RSA OAEP SHA256 decryption with CRT acceleration.
*
* The ciphertext @p c is decrypted to the message returned in @p m.
*
* @param[out] m The decrypted message. The buffer must be long enough to hold the message.
* @param mlen Length of @p m.
* @param c The 256-byte ciphertext to decrypt.
* @param label The label associated with the message.
* @param llen Length of @p label. May be 0.
* @param k A valid 2048-bit RSA secret key with CRT coefficients.
*
* @retval -1 If decryption failed.
* @retval -2 If the output buffer is too short (mlen < length of message).
* @retval n If a message of length n was successfully decrypted.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_crt_key.
* @remark @p m and @p c can point to the same address.
*/
int ocrypto_rsa2048_oaep_sha256_crt_decrypt(
uint8_t *m, size_t mlen,
const uint8_t c[256],
const uint8_t *label, size_t llen,
const ocrypto_rsa2048_crt_key *k);
/**
* 2048-bit RSA PKCS1 V1.5 SHA-256 sign.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 256-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param k A valid 2048-bit RSA secret key.
* @returns 0
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa2048_pkcs1_v15_sha256_sign(
uint8_t s[256],
const uint8_t *m, size_t mlen,
const ocrypto_rsa2048_key *k);
/**
* 2048-bit RSA PKCS1 V1.5 SHA-256 sign with CRT acceleration.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 256-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param k A valid 2048-bit RSA secret key with CRT coefficients.
* @returns 0
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_crt_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa2048_pkcs1_v15_sha256_crt_sign(
uint8_t s[256],
const uint8_t *m, size_t mlen,
const ocrypto_rsa2048_crt_key *k);
/**
* 2048-bit RSA PKCS1 V1.5 SHA-256 signature verify.
*
* The signature @p s is verified for a correct signature of message @p m.
*
* @param s The 256-byte signature.
* @param m The signed message.
* @param mlen Length of @p m.
* @param pk A valid 2048-bit RSA public key.
*
* @retval 0 If the signature is valid.
* @retval -1 If verification failed.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa2048_init_pub_key.
*/
int ocrypto_rsa2048_pkcs1_v15_sha256_verify(
const uint8_t s[256],
const uint8_t *m, size_t mlen,
const ocrypto_rsa2048_pub_key *pk);
/**
* 2048-bit RSA PSS SHA-256 sign.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 256-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param salt The salt to be used.
* @param slen Length of @p salt.
* @param k A valid 2048-bit RSA secret key.
*
* @retval -2 If the salt is too long.
* @retval 0 Otherwise.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa2048_pss_sha256_sign(
uint8_t s[256],
const uint8_t *m, size_t mlen,
const uint8_t *salt, size_t slen,
const ocrypto_rsa2048_key *k);
/**
* 2048-bit RSA PSS SHA-256 sign with CRT acceleration.
*
* The message @p m is signed and the signature returned in @p s.
*
* @param[out] s The generated 256-byte signature.
* @param m The message to be signed.
* @param mlen Length of @p m.
* @param salt The salt to be used.
* @param slen Length of @p salt.
* @param k A valid 2048-bit RSA secret key with CRT coefficients.
*
* @retval -2 If the salt is too long.
* @retval 0 Otherwise.
*
* @remark The key @p k should be initialized with @c ocrypto_rsa2048_init_crt_key.
* @remark @p s and @p m can point to the same address.
*/
int ocrypto_rsa2048_pss_sha256_crt_sign(
uint8_t s[256],
const uint8_t *m, size_t mlen,
const uint8_t *salt, size_t slen,
const ocrypto_rsa2048_crt_key *k);
/**
* 2048-bit RSA PSS SHA-256 signature verify.
*
* The signature @p s is verified for a valid signature of message @p m.
*
* @param s The 256-byte signature.
* @param m The signed message.
* @param mlen Length of @p m.
* @param slen The length of the salt.
* @param pk A valid 2048-bit RSA public key.
*
* @retval 0 If the signature is valid.
* @retval -1 If verification failed.
* @retval -2 If the salt is too long.
*
* @remark The key @p pk should be initialized with @c ocrypto_rsa2048_init_pub_key.
*/
int ocrypto_rsa2048_pss_sha256_verify(
const uint8_t s[256],
const uint8_t *m, size_t mlen,
size_t slen, // salt length
const ocrypto_rsa2048_pub_key *pk);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_RSA_H */
/** @} */


@@ -0,0 +1,280 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_rsa_key RSA key APIs
* @ingroup nrf_oberon_rsa
* @{
* @brief Type declarations for RSA APIs.
*
* RSA is a number theoretic public-key encryption and signature algorithm.
*
* These functions support the setup of 1024 and 2048 RSA secret and public keys.
*/
#ifndef OCRYPTO_RSA_KEY_H
#define OCRYPTO_RSA_KEY_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* The Public RSA Exponent.
*/
#define PUB_EXP 65537 // 2^16 + 1
/**@name 1024-bit RSA Keys
*
* This group of keys is used for 1024-bit RSA.
*/
/**@{*/
/**
* 1024-bit RSA public key.
*/
typedef struct {
/**@cond */
uint32_t n[32];
// e = 65537
/**@endcond */
} ocrypto_rsa1024_pub_key;
/**
* 1024 bit RSA secret key.
*/
typedef struct {
/**@cond */
uint32_t n[32];
uint32_t d[32]; // x^(e*d) mod n == x
/**@endcond */
} ocrypto_rsa1024_key;
/**
* 1024-bit RSA secret key with CRT coefficients.
*/
typedef struct {
/**@cond */
uint32_t n[32];
uint32_t p[16], q[16]; // primes, p*q = n
uint32_t dp[16], dq[16]; // d mod (p-1), d mod (q-1)
uint32_t qinv[16]; // 1/q mod p
/**@endcond */
} ocrypto_rsa1024_crt_key;
/**@}*/
/**@name 2048-bit RSA Keys
*
* This group of keys is used for 2048-bit RSA.
*/
/**@{*/
/**
* 2048-bit RSA public key.
*/
typedef struct {
/**@cond */
uint32_t n[64];
// e = 65537
/**@endcond */
} ocrypto_rsa2048_pub_key;
/**
* 2048-bit RSA secret key.
*/
typedef struct {
/**@cond */
uint32_t n[64];
uint32_t d[64]; // x^(e*d) mod n == x
/**@endcond */
} ocrypto_rsa2048_key;
/**
* 2048-bit RSA secret key with CRT coefficients.
*/
typedef struct {
/**@cond */
uint32_t n[64];
uint32_t p[32], q[32]; // primes, p*q = n
uint32_t dp[32], dq[32]; // d mod (p-1), d mod (q-1)
uint32_t qinv[32]; // 1/q mod p
/**@endcond */
} ocrypto_rsa2048_crt_key;
/**@}*/
/**@name 1024-bit RSA key setup
*
* This group of functions is used for 1024-bit RSA key setup.
*/
/**@{*/
/**
* 1024-bit RSA public key setup.
*
* @param[out] k The initialized public key.
* @param n The RSA modulus. Must be exactly 1024 bits.
* @param nlen Length of @p n.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*
* @remark The public exponent is fixed at 65537.
*/
int ocrypto_rsa1024_init_pub_key(
ocrypto_rsa1024_pub_key *k,
const uint8_t *n, size_t nlen);
/**
* 1024-bit RSA secret key setup.
*
* @param[out] k The initialized public key.
* @param n The RSA modulus. Must be exactly 1024 bits.
* @param nlen Length of @p n.
* @param d The secret exponent. Must be <= 1024 bits.
* @param dlen Length of @p d.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*/
int ocrypto_rsa1024_init_key(
ocrypto_rsa1024_key *k,
const uint8_t *n, size_t nlen,
const uint8_t *d, size_t dlen);
/**
* 1024-bit RSA secret key setup with CRT coefficients.
*
* @param[out] k The initialized secret key.
* @param p The 1. RSA prime. Must be exactly 512 bits.
* @param plen Length of @p p.
* @param q The 2. RSA prime. Must be exactly 512 bits.
* @param qlen Length of @p q.
* @param dp The 1. CRT exponent. dp = d mod (p-1).
* @param dplen Length of @p dp.
* @param dq The 2. CRT exponent. dq = d mod (q-1).
* @param dqlen Length of @p dq.
* @param qinv The CRT coefficient. qinv = 1/q mod p.
* @param qilen Length of @p qinv.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*/
int ocrypto_rsa1024_init_crt_key(
ocrypto_rsa1024_crt_key *k,
const uint8_t *p, size_t plen,
const uint8_t *q, size_t qlen,
const uint8_t *dp, size_t dplen,
const uint8_t *dq, size_t dqlen,
const uint8_t *qinv, size_t qilen);
/**@}*/
/**@name 2048-bit RSA key setup
*
* This group of functions is used for 2048-bit RSA key setup.
*/
/**@{*/
/**
* 2048-bit RSA public key setup.
*
* @param[out] k The initialized public key.
* @param n The RSA modulus. Must be exactly 2048 bits.
* @param nlen Length of @p n.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*
* @remark The public exponent is fixed at 65537.
*/
int ocrypto_rsa2048_init_pub_key(
ocrypto_rsa2048_pub_key *k,
const uint8_t *n, size_t nlen);
/**
* 2048-bit RSA secret key setup.
*
* @param[out] k The initialized public key.
* @param n The RSA modulus. Must be exactly 2048 bits.
* @param nlen Length of @p n.
* @param d The secret exponent. Must be <= 2048 bits.
* @param dlen Length of @p d.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*/
int ocrypto_rsa2048_init_key(ocrypto_rsa2048_key *k,
const uint8_t *n, size_t nlen,
const uint8_t *d, size_t dlen);
/**
* 2048-bit RSA secret key setup with CRT coefficients.
*
* @param[out] k The initialized secret key.
* @param p The 1. RSA prime. Must be exactly 1024 bits.
* @param plen Length of @p p.
* @param q The 2. RSA prime. Must be exactly 1024 bits.
* @param qlen Length of @p q.
* @param dp The 1. CRT exponent. dp = d mod (p-1).
* @param dplen Length of @p dp.
* @param dq The 2. CRT exponent. dq = d mod (q-1).
* @param dqlen Length of @p dq.
* @param qinv The CRT coefficient. qinv = 1/q mod p.
* @param qilen Length of @p qinv.
*
* @retval -1 If the input length is invalid.
* @retval 0 Otherwise.
*/
int ocrypto_rsa2048_init_crt_key(
ocrypto_rsa2048_crt_key *k,
const uint8_t *p, size_t plen,
const uint8_t *q, size_t qlen,
const uint8_t *dp, size_t dplen,
const uint8_t *dq, size_t dqlen,
const uint8_t *qinv, size_t qilen);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_RSA_KEY_H */
/** @} */
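Review bot: The `@param[out] k` lines of `ocrypto_rsa1024_init_key` and `ocrypto_rsa2048_init_key` read "The initialized public key", but both functions take the secret exponent `d` and fill `ocrypto_rsa1024_key` / `ocrypto_rsa2048_key`; they should read `@param[out] k The initialized secret key.`, as the CRT variants already do. The 1024-bit key types and setup functions carry no key-size caveat, although the SHA-1 header added in this same commit does warn that SHA-1 is no longer considered secure; a remark on the 1024-bit groups such as `@remark 1024-bit RSA is below current minimum key-size recommendations; prefer the 2048-bit keys for new designs.` would keep the headers consistent. `PUB_EXP` is defined without the `ocrypto_` prefix used by the other macros in this commit (for example `ocrypto_sha1_BYTES`), so it can collide with an application macro of the same name. If this header is kept as an unmodified vendor drop, these points are better recorded in the project's integration notes than edited in place.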


@@ -0,0 +1,63 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#ifndef OCRYPTO_SC_P256_H
#define OCRYPTO_SC_P256_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdint.h>
// P-256 scalar modulo group order
/**@cond */
typedef struct
{
uint32_t w[8]; // little endian
}
ocrypto_sc_p256;
/**@endcond */
#ifdef __cplusplus
}
#endif
#endif


@@ -0,0 +1,156 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_sha_1 SHA-1 APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for the SHA-1 algorithm.
*
* A fixed-sized message digest is computed from variable length input data.
* The function is practically impossible to revert, and small changes in the
* input message lead to major changes in the message digest.
*
* SHA-1 is no longer considered secure against well-funded opponents;
* replacement by SHA-2 or SHA-3 is recommended.
*/
#ifndef OCRYPTO_SHA1_H
#define OCRYPTO_SHA1_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of SHA-1 hash.
*/
#define ocrypto_sha1_BYTES (20)
/**@cond */
typedef struct {
uint32_t h[5];
uint8_t padded[64];
uint32_t length;
size_t bytes;
} ocrypto_sha1_ctx;
/**@endcond */
/**@name Incremental SHA-1 generator.
*
* This group of functions can be used to incrementally compute the SHA-1
* hash for a given message.
*/
/**@{*/
/**
* SHA-1 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
*/
void ocrypto_sha1_init(
ocrypto_sha1_ctx *ctx);
/**
* SHA-1 incremental data input.
*
* The generator state @p ctx is updated to hash a message chunk @p in.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha1_init is required before this function can be called.
*/
void ocrypto_sha1_update(
ocrypto_sha1_ctx *ctx,
const uint8_t *in, size_t in_len);
/**
* SHA-1 output.
*
* The generator state @p ctx is updated to finalize the hash for the previously
* processed message chunks. The hash is put into @p r.
*
* @param ctx Generator state.
* @param[out] r Generated hash value.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha1_init is required before this function can be called.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_sha1_update and @c ocrypto_sha1_final unless it is
* reinitialized using @c ocrypto_sha1_init.
*/
void ocrypto_sha1_final(
ocrypto_sha1_ctx *ctx,
uint8_t r[ocrypto_sha1_BYTES]);
/**@}*/
/**
* SHA-1 hash.
*
* The SHA-1 hash of a given input message @p in is computed and put into @p r.
*
* @param[out] r Generated hash.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_sha1(
uint8_t r[ocrypto_sha1_BYTES],
const uint8_t *in, size_t in_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_SHA1_H */
/** @} */


@@ -0,0 +1,154 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_sha_256 SHA-256 APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for the SHA-256 algorithm.
*
* SHA-256 is part of the SHA-2 family that is a set of cryptographic hash
* functions designed by the NSA. It is the successor of the SHA-1 algorithm.
*
* A fixed-sized message digest is computed from variable length input data.
* The function is practically impossible to revert, and small changes in the
* input message lead to major changes in the message digest.
*/
#ifndef OCRYPTO_SHA256_H
#define OCRYPTO_SHA256_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of SHA-256 hash.
*/
#define ocrypto_sha256_BYTES (32)
/**@cond */
typedef struct {
uint32_t h[8];
uint8_t padded[64];
uint32_t length;
size_t bytes;
} ocrypto_sha256_ctx;
/**@endcond */
/**@name Incremental SHA-256 generator
*
* This group of functions can be used to incrementally compute the SHA-256
* hash for a given message.
*/
/**@{*/
/**
* SHA-256 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
*/
void ocrypto_sha256_init(
ocrypto_sha256_ctx *ctx);
/**
* SHA-256 incremental data input.
*
* The generator state @p ctx is updated to hash a message chunk @p in.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha256_init is required before this function can be called.
*/
void ocrypto_sha256_update(
ocrypto_sha256_ctx *ctx,
const uint8_t *in, size_t in_len);
/**
* SHA-256 output.
*
* The generator state @p ctx is updated to finalize the hash for the previously
* processed message chunks. The hash is put into @p r.
*
* @param ctx Generator state.
* @param[out] r Generated hash value.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha256_init is required before this function can be called.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_sha256_update and @c ocrypto_sha256_final unless it is
* reinitialized using @c ocrypto_sha256_init.
*/
void ocrypto_sha256_final(
ocrypto_sha256_ctx *ctx,
uint8_t r[ocrypto_sha256_BYTES]);
/**@}*/
/**
* SHA-256 hash.
*
* The SHA-256 hash of a given input message @p in is computed and put into @p r.
*
* @param[out] r Generated hash.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_sha256(
uint8_t r[ocrypto_sha256_BYTES],
const uint8_t *in, size_t in_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_SHA256_H */
/** @} */


@@ -0,0 +1,155 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_sha_512 SHA-512 APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for the SHA-512 algorithm.
*
* SHA-512 is part of the SHA-2 family that is a set of cryptographic hash
* functions designed by the NSA. It is the successor of the SHA-1 algorithm.
*
* A fixed-sized message digest is computed from variable length input data.
* The function is practically impossible to revert, and small changes in the
* input message lead to major changes in the message digest.
*/
#ifndef OCRYPTO_SHA512_H
#define OCRYPTO_SHA512_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Length of SHA-512 hash.
*/
#define ocrypto_sha512_BYTES (64)
/**@cond */
typedef struct {
uint64_t h[8];
uint8_t padded[128];
uint32_t length;
size_t bytes;
} ocrypto_sha512_ctx;
/**@endcond */
/**@name Incremental SHA-512 generator
*
* This group of functions can be used to incrementally compute the SHA-512
* hash for a given message.
*/
/**@{*/
/**
* SHA-512 initialization.
*
* The generator state @p ctx is initialized by this function.
*
* @param[out] ctx Generator state.
*/
void ocrypto_sha512_init(
ocrypto_sha512_ctx *ctx);
/**
* SHA-512 incremental data input.
*
* The generator state @p ctx is updated to hash a message chunk @p in.
*
* This function can be called repeatedly until the whole message is processed.
*
* @param ctx Generator state.
* @param in Input data.
* @param in_len Length of @p in.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha512_init is required before this function can be called.
*/
void ocrypto_sha512_update(
ocrypto_sha512_ctx *ctx,
const uint8_t *in, size_t in_len);
/**
* SHA-512 output.
*
* The generator state @p ctx is updated to finalize the hash for the previously
* processed message chunks. The hash is put into @p r.
*
* @param ctx Generator state.
* @param[out] r Generated hash value.
*
* @remark Initialization of the generator state @p ctx through
* @c ocrypto_sha512_init is required before this function can be called.
*
* @remark After return, the generator state @p ctx must no longer be used with
* @c ocrypto_sha512_update and @c ocrypto_sha512_final unless it is
* reinitialized using @c ocrypto_sha512_init.
*/
void ocrypto_sha512_final(
ocrypto_sha512_ctx *ctx,
uint8_t r[ocrypto_sha512_BYTES]);
/**@}*/
/**
* SHA-512 hash.
*
* The SHA-512 hash of a given input message @p in is computed and put into @p r.
*
* @param[out] r Generated hash.
* @param in Input data.
* @param in_len Length of @p in.
*/
void ocrypto_sha512(
uint8_t r[ocrypto_sha512_BYTES],
const uint8_t *in, size_t in_len);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_SHA512_H */
/** @} */


@@ -0,0 +1,310 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_srp SRP - Secure Remote Password APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for the SRP key agreement protocol.
*
* SRP is an augmented password-authenticated key agreement protocol,
* specifically designed to work around existing patents. SRP allows the use of
* user names and passwords over unencrypted channels and supplies a shared
* secret at the end of the authentication sequence that can be used to generate
* encryption keys.
*
* An eavesdropper or man in the middle cannot obtain enough information to be
* able to brute force guess a password without further interactions with the
* parties for each guess.
*
* The server does not store password-equivalent data. This means that an
* attacker who steals the server data cannot masquerade as the client unless
* they first perform a brute force search for the password.
*
* The specific variant implemented here is SRP-6 3072 bit SHA-512.
*
* @see [RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication](https://tools.ietf.org/html/rfc5054)
* @see [The Stanford SRP Homepage](http://srp.stanford.edu)
*
* **Basic protocol overview**
*
* *Setup*
* 1. Server generates a username / password combination together with a salt.
* 2. Server derives a password verifier (see #ocrypto_srp_verifier).
* 3. The username, salt and verifier are stored and required to open sessions.
* The original password is no longer needed.
*
* *Session opening*
* 1. Client sends a username and the public key of an ephemeral key pair to the
* server.
* 2. Server sends the salt and the public key of another ephemeral key pair to
* the client (see #ocrypto_srp_public_key).
* 3. Client and Server both compute the session key from this information (see
* #ocrypto_srp_scrambling_parameter, #ocrypto_srp_premaster_secret,
* #ocrypto_srp_session_key).
* 4. Client sends proof of the session key to the server.
* 5. Server validates proof (see #ocrypto_srp_proof_m1), then sends proof of the
* session key to the client (see #ocrypto_srp_proof_m2).
* 6. Client validates proof. Both parties know that they share the same private
* session key.
*/
#ifndef OCRYPTO_SRP_H
#define OCRYPTO_SRP_H
#include <stddef.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/**
* Salt length.
*/
#define ocrypto_srp_SALT_BYTES (16)
/**
* Password verifier length.
*/
#define ocrypto_srp_VERIFIER_BYTES (384)
/**
* Secret key length.
*/
#define ocrypto_srp_SECRET_KEY_BYTES (32)
/**
* Public key length.
*/
#define ocrypto_srp_PUBLIC_KEY_BYTES (384)
/**
* Scrambling parameter length.
*/
#define ocrypto_srp_SCRAMBLING_PARAMETER_BYTES (64)
/**
* Premaster secret length.
*/
#define ocrypto_srp_PREMASTER_SECRET_BYTES (384)
/**
* Session key length.
*/
#define ocrypto_srp_SESSION_KEY_BYTES (64)
/**
* Proof length.
*/
#define ocrypto_srp_PROOF_BYTES (64)
/**@name SRP-6 Password verifier generation
*
* A password verifier is generated from a user name and a password. The
* password @p pass may be discarded, as only the verifier is used during later
* computations.
*/
/**@{*/
/**
* SRP-6 Password Verifier.
*
* The verifier is generated for a given user name @p user, a password @p pass
* and salt @p salt.
*
* @param[out] v Generated password verifier, must be 32-bit aligned.
* @param salt Salt.
* @param user User name.
* @param user_len Length of @p user.
* @param pass Password.
* @param pass_len Length of @p pass.
*/
void ocrypto_srp_verifier(
uint8_t v[ocrypto_srp_VERIFIER_BYTES],
const uint8_t salt[ocrypto_srp_SALT_BYTES],
const uint8_t *user, size_t user_len,
const uint8_t *pass, size_t pass_len);
/**@}*/
/**@name SRP-6 Public key generation
*
* An ephemeral keypair can be generated based on the password verifier to be
* used when opening a new session.
*/
/**@{*/
/**
* SRP-6 Public Key.
*
* The public key for a given private key @p priv_b is generated using the
* password verifier @p v and put into @p pub_b.
*
* @param[out] pub_b Generated public key, must be 32-bit aligned.
* @param priv_b Private key.
* @param v Password verifier.
*/
void ocrypto_srp_public_key(
uint8_t pub_b[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t priv_b[ocrypto_srp_SECRET_KEY_BYTES],
const uint8_t v[ocrypto_srp_VERIFIER_BYTES]);
/**@}*/
/**@name SRP-6 Session key generation
*
* A premaster secret can be derived from both the client's and server's public
* keys, the server's private key and the password verifier. A shared session
* key can be generated from this premaster secret.
*/
/**@{*/
/**
* SRP-6 Scrambling Parameter.
*
* The scrambling parameter is computed from both the client's public key
* @p pub_a and the server's public key @p pub_b. The scrambling parameter
* is required to compute the premaster secret.
*
* @param[out] u Generated scrambling parameter.
* @param pub_a Client public key.
* @param pub_b Server public key.
*/
void ocrypto_srp_scrambling_parameter(
uint8_t u[ocrypto_srp_SCRAMBLING_PARAMETER_BYTES],
const uint8_t pub_a[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t pub_b[ocrypto_srp_PUBLIC_KEY_BYTES]);
/**
* SRP-6 Premaster Secret.
*
* The premaster secret between the client and the server is computed using the
* client public key @p pub_a, the server private key @p priv_b, the scrambling
* parameter @p u and the password verifier @p v. If the client public key
* @p pub_a is valid, the premaster secret is then put into @p s. The premaster
* secret can be used to generate encryption keys.
*
* @param[out] s Generated premaster secret, must be 32-bit aligned.
* @param pub_a Client public key.
* @param priv_b Server private key.
* @param u Scrambling parameter; generated with @c srp_scrambling_parameter.
* @param v Password verifier.
*
* @retval 0 If @p pub_a is a valid public key.
* @retval 1 Otherwise.
*/
int ocrypto_srp_premaster_secret(
uint8_t s[ocrypto_srp_PREMASTER_SECRET_BYTES],
const uint8_t pub_a[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t priv_b[ocrypto_srp_SECRET_KEY_BYTES],
const uint8_t u[ocrypto_srp_SCRAMBLING_PARAMETER_BYTES],
const uint8_t v[ocrypto_srp_VERIFIER_BYTES]);
/**
* SRP-6 SRP Session Key.
*
* Generates the shared SRP session key from the premaster secret @p s and puts
* it into @p k.
*
* @param[out] k Generated SRP session key.
* @param s Premaster secret.
*/
void ocrypto_srp_session_key(
uint8_t k[ocrypto_srp_SESSION_KEY_BYTES],
const uint8_t s[ocrypto_srp_PREMASTER_SECRET_BYTES]);
/**@}*/
/**@name SRP-6 Proof exchange
*
* Proofs are exchanged from client to server and vice versa to ensure that both
* parties computed the same shared session key. The proofs only match if the
* correct password is used by the client.
*/
/**@{*/
/**
* SRP-6 Proof M1 (client to server).
*
* A proof is generated by the client and sent to the server to assert that the
* client is in possession of the shared session key @p k. The server also
* generates the proof. Only if the proofs match, the process can continue.
* The proof is based on the salt @p salt, the client public key @p pub_a,
* the server public key @p pub_b and the shared session key @p k.
*
* @param[out] m1 Generated proof.
* @param user User name.
* @param user_len Length of @p user.
* @param salt Salt.
* @param pub_a Client public key.
* @param pub_b Server public key.
* @param k Session key.
*/
void ocrypto_srp_proof_m1(
uint8_t m1[ocrypto_srp_PROOF_BYTES],
const uint8_t *user, size_t user_len,
const uint8_t salt[ocrypto_srp_SALT_BYTES],
const uint8_t pub_a[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t pub_b[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t k[ocrypto_srp_SESSION_KEY_BYTES]);
/**
* SRP-6 Proof M2 (server to client).
*
* A second proof is generated by the server and sent back to the client to
* assert that the server is in possession of the shared session key @p k. The
* client also generates the proof. If the proofs match, both parties can assume
* that they share the same session key @p k. The second proof is based on the
* client public key @p pub_a, the first proof @p m1 and the session key @p k.
*
* @param[out] m2 Generated proof.
* @param pub_a Client public key.
* @param m1 First proof. Generated with @c srp_proof_m1.
* @param k Session key.
*/
void ocrypto_srp_proof_m2(
uint8_t m2[ocrypto_srp_PROOF_BYTES],
const uint8_t pub_a[ocrypto_srp_PUBLIC_KEY_BYTES],
const uint8_t m1[ocrypto_srp_PROOF_BYTES],
const uint8_t k[ocrypto_srp_SESSION_KEY_BYTES]);
/**@}*/
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_SRP_H */
/** @} */
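Review bot: The doc comment of `ocrypto_srp_premaster_secret` does not say what the caller must do when the function returns 1, and it only states that `s` is written when `pub_a` is valid, so the content of `s` after a failure is unspecified from this header. Because the return value is the only signal that the client public key was rejected, I would add `@remark If 1 is returned, abort the session and do not use @p s.` to that comment. The references `@c srp_scrambling_parameter` and `@c srp_proof_m1` should read `@c ocrypto_srp_scrambling_parameter` and `@c ocrypto_srp_proof_m1` to match the declared names. The proof-exchange group comment could also say that the received and the locally computed proof should be compared in constant time, since this header declares no comparison function.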


@@ -0,0 +1,205 @@
/**
* Copyright (c) 2019 - 2020, Nordic Semiconductor ASA
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without modification,
* are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice, this
* list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form, except as embedded into a Nordic
* Semiconductor ASA integrated circuit in a product or a software update for
* such product, must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution.
*
* 3. Neither the name of Nordic Semiconductor ASA nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* 4. This software, with or without modification, must only be used with a
* Nordic Semiconductor ASA integrated circuit.
*
* 5. Any software provided in binary form under this license must not be reverse
* engineered, decompiled, modified and/or disassembled.
*
* THIS SOFTWARE IS PROVIDED BY NORDIC SEMICONDUCTOR ASA "AS IS" AND ANY EXPRESS
* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL NORDIC SEMICONDUCTOR ASA OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
/**@file
* @defgroup nrf_oberon_srpt SRPT - Secure Real-Time Transport Protocol APIs
* @ingroup nrf_oberon
* @{
* @brief Type declarations and APIs for SRTP - Secure Real-time Transport Protocol.
*/
#ifndef OCRYPTO_SRTP_H
#define OCRYPTO_SRTP_H
#include <stddef.h>
#include <stdint.h>
#include "ocrypto_aes_key.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* SRTP Authentication Key Size.
*/
#define ocrypto_srtp_AuthKeySize (20)
/**
* SRTP Salt Size.
*/
#define ocrypto_srtp_SaltSize (14)
/**
* SRTP Maximum Key Size.
*/
#define ocrypto_srtp_MaxKeySize (ocrypto_aes256_KEY_BYTES)
/**
* SRTP Context.
*/
typedef struct {
/**
* Key size [bytes].
*/
uint32_t keySize;
/**
* Tag size [bytes].
*/
uint32_t tagSize;
/**
* Session encryption key (max 256 bits).
*/
uint8_t encrKey[ocrypto_srtp_MaxKeySize];
/**
* Session authentication key
* 160 bits.
*/
uint8_t authKey[ocrypto_srtp_AuthKeySize];
/**
* Session salt
* 112 bits.
*/
uint8_t saltKey[ocrypto_srtp_SaltSize];
} ocrypto_srtp_context;
/**
* Setup SRTP contexts.
*
* @param[out] srtpContext SRTP context to be setup.
* @param[out] srtcpContext SRTCP context to be setup.
* @param key Master key.
* @param keySize Size of the master key (16, 24, or 32 bytes)
* @param salt Master salt.
* @param tagSize Size of the authentication tag.
* @param ssrc Synchronization source.
*/
void ocrypto_srtp_setupContext(
ocrypto_srtp_context *srtpContext,
ocrypto_srtp_context *srtcpContext,
const uint8_t *key,
uint32_t keySize,
const uint8_t *salt,
uint32_t tagSize,
uint32_t ssrc);
/**
* Encrypt SRTP packet.
*
* The final packet consists of @p numHeaderBytes encrypted in place, followed
* by @p numDataBytes copied from @p dataBytes during encryption.
*
* @param srtpContext SRTP context.
* @param[in,out] packet Encrypted packet.
* @param dataBytes Data bytes to be encrypted.
* @param numHeaderBytes Number of header bytes.
* @param numDataBytes Number of data bytes.
* @param index Packet index.
*/
void ocrypto_srtp_encrypt(
const ocrypto_srtp_context *srtpContext,
uint8_t *packet,
const uint8_t *dataBytes,
size_t numHeaderBytes,
size_t numDataBytes,
uint32_t index);
/**
* Decrypt SRTP packet.
*
* @param srtpContext SRTP context.
* @param[out] data Decrypted data.
* @param packetBytes Packet bytes.
* @param numPacketBytes Number of packet bytes.
* @param index Packet index.
*/
void ocrypto_srtp_decrypt(
const ocrypto_srtp_context *srtpContext,
uint8_t *data,
const uint8_t *packetBytes,
size_t numPacketBytes,
uint32_t index);
/**
* Generate SRTP authentication tag from bytes and index.
*
* @param context SRTP context.
* @param[out] tag Authentication tag generated.
* @param bytes Byte buffer.
* @param numBytes Number of bytes in buffer.
* @param index Index.
*/
void ocrypto_srtp_authenticate(
const ocrypto_srtp_context *context,
uint8_t *tag,
const uint8_t *bytes,
size_t numBytes,
uint32_t index);
/**
* Check SRTP authentication tag against bytes and index.
*
* @param context SRTP context.
* @param tag Tag.
* @param bytes Byte buffer.
* @param numBytes Number of bytes in buffer.
* @param index Index.
*
* @retval 1 If the tag is valid.
* @retval 0 Otherwise.
*/
int ocrypto_srtp_verifyAuthentication(
const ocrypto_srtp_context *context,
const uint8_t *tag,
const uint8_t *bytes,
size_t numBytes,
uint32_t index);
#ifdef __cplusplus
}
#endif
#endif /* #ifndef OCRYPTO_SRTP_H */
/** @} */
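Review bot: `ocrypto_srtp_verifyAuthentication` returns 1 for a valid tag, while `ocrypto_srp_premaster_secret` in the SRP header of this same commit returns 0 on success, so a caller that applies one convention to both can end up treating a failed tag check as success. I would make this explicit in the comment, e.g. `@remark 1 means valid (not an error code); decrypt a packet only after this check returned 1.` `ocrypto_srtp_setupContext` returns void and documents `keySize` as 16, 24 or 32 bytes, so the caller presumably has to validate `keySize` (and `tagSize`, whose range is not stated) before the call; a sentence saying so would help. The group is declared as `nrf_oberon_srpt SRPT`, which looks like a typo for SRTP.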