void test_hashset_remove_all()
{
HashSet *hs = hashset_new();
char *a = "foo";
char *b = "bar";
char *c = "baz";
char *d = "foo";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
hashset_add(hs, d);
hashset_remove_all(hs);
size_t size = hashset_size(hs);
cc_assert(size == 0,
cc_msg("hashset_add: Expected size was 0, but got %d",
size));
cc_assert(!hashset_contains(hs, "bar") &&
!hashset_contains(hs, c),
cc_msg("hashset_add: HashSet not empty after removing"
" all elements"));
hashset_destroy(hs);
}
void test_hashset_iter_remove()
{
HashSet *hs = hashset_new();
char *a = "foo";
char *b = "bar";
char *c = "baz";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
HashSetIter iter;
hashset_iter_init(&iter, hs);
while (hashset_iter_has_next(&iter)) {
char const *e = hashset_iter_next(&iter);
if (!strcmp(e, "bar"))
hashset_iter_remove(&iter);
}
cc_assert(hashset_size(hs) == 2,
cc_msg("hashset_iter: Expected size 2 but got %d ",
hashset_size(hs)));
cc_assert(!hashset_contains(hs, "bar"),
cc_msg("hashset_iter: Element (%s) still pressent "
"after removal", "bar"));
hashset_destroy(hs);
}
void test_hashset_iter_remove()
{
HashSet *hs;
hashset_new(&hs);
char *a = "foo";
char *b = "bar";
char *c = "baz";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
HashSetIter iter;
hashset_iter_init(&iter, hs);
char *e;
while (hashset_iter_next(&iter, (void*) &e) != CC_ITER_END) {
if (!strcmp(e, "bar"))
hashset_iter_remove(&iter, NULL);
}
cc_assert(hashset_size(hs) == 2,
cc_msg("hashset_iter: Expected size 2 but got %d ",
hashset_size(hs)));
cc_assert(!hashset_contains(hs, "bar"),
cc_msg("hashset_iter: Element (%s) still pressent "
"after removal", "bar"));
hashset_destroy(hs);
}
void test_hashset_add()
{
HashSet *hs = hashset_new();
char *a = "foo";
char *b = "bar";
char *c = "baz";
char *d = "foo";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
hashset_add(hs, d);
size_t size = hashset_size(hs);
cc_assert(size == 3,
cc_msg("hashset_add: Expected size was 3, but got %d",
size));
cc_assert(hashset_contains(hs, a) &&
hashset_contains(hs, d),
cc_msg("hashset_add: HashSet expected to contain elemnts"
" %s and %s", a, d));
hashset_destroy(hs);
}
void test_stack_push()
{
Stack *s = stack_new();
int a = 1;
int b = 2;
int c = 3;
stack_push(s, &a);
cc_assert(stack_peek(s) == &a,
cc_msg("stack_push: Top stack element not as expected"));
stack_push(s, &b);
cc_assert(stack_peek(s) == &b,
cc_msg("stack_push: Top stack element not as expected"));
stack_push(s, &c);
cc_assert(stack_peek(s) == &c,
cc_msg("stack_push: Top stack element not as expected"));
stack_destroy(s);
}
void test_hashset_remove()
{
HashSet *hs = hashset_new();
char *a = "foo";
char *b = "bar";
char *c = "baz";
char *d = "foo";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
hashset_add(hs, d);
hashset_remove(hs, "bar");
size_t size = hashset_size(hs);
cc_assert(size == 2,
cc_msg("hashset_add: Expected size was 2, but got %d",
size));
cc_assert(!hashset_contains(hs, "bar"),
cc_msg("hashset_add: HashSet not expected to contain "
"element %s", "foo"));
hashset_destroy(hs);
}
static void abstract_declarator(node_t ** ty)
{
cc_assert(ty);
if (token->id == '*' || token->id == '(' || token->id == '[') {
if (token->id == '*') {
node_t *pty = ptr_decl();
prepend_type(ty, pty);
}
if (token->id == '(') {
if (first_decl(lookahead())) {
node_t *faty = func_or_array(true, NULL);
prepend_type(ty, faty);
} else {
expect('(');
abstract_declarator(ty);
expect(')');
}
} else if (token->id == '[') {
node_t *faty = func_or_array(true, NULL);
prepend_type(ty, faty);
}
} else {
error("expect '(' or '[' at '%s'", token->name);
}
}
static void param_declarator(node_t ** ty, struct token **id)
{
if (token->id == '*') {
node_t *pty = ptr_decl();
prepend_type(ty, pty);
}
if (token->id == '(') {
if (first_decl(lookahead())) {
abstract_declarator(ty);
} else {
node_t *type1 = *ty;
node_t *rtype = NULL;
expect('(');
param_declarator(&rtype, id);
expect(')');
if (token->id == '(' || token->id == '[') {
node_t *faty;
cc_assert(id);
if (*id) {
faty = func_or_array(false, NULL);
} else {
faty = func_or_array(true, NULL);
}
attach_type(&faty, type1);
attach_type(&rtype, faty);
}
*ty = rtype;
}
} else if (token->id == '[') {
abstract_declarator(ty);
} else if (token->id == ID) {
declarator(ty, id, NULL);
}
}
static double perf_ccrng_system_oneshot(unsigned long loops, size_t nbytes)
{
struct ccrng_system_state system_ctx;
CC_UNUSED int status;
uint8_t results[nbytes];
double time;
perf_start();
do {
status = ccrng_system_init(&system_ctx);
cc_assert(status==0);
status = ccrng_generate((struct ccrng_state *)&system_ctx, nbytes, results);
cc_assert(status==0);
ccrng_system_done(&system_ctx);
} while (--loops != 0);
time=perf_time();
return time;
}
static void ccn_mod_384(cczp_const_t zp, cc_unit *r, const cc_unit *a, CC_UNUSED cc_ws_t ws) {
cc_assert(cczp_n(zp) == CCN384_N);
cc_unit s1[CCN384_N] = { ccn384_32( Anil, Anil, Anil, Anil, Anil, A(23), A(22), A(21), Anil, Anil, Anil, Anil) };
//cc_unit s2[CCN384_N] = { ccn384_32( A(23), A(22), A(21), A(20), A(19), A(18), A(17), A(16), A(15), A(14), A(13), A(12)) };
cc_unit s3[CCN384_N] = { ccn384_32( A(20), A(19), A(18), A(17), A(16), A(15), A(14), A(13), A(12), A(23), A(22), A(21)) };
cc_unit s4[CCN384_N] = { ccn384_32( A(19), A(18), A(17), A(16), A(15), A(14), A(13), A(12), A(20), Anil, A(23), Anil) };
cc_unit s5[CCN384_N] = { ccn384_32( Anil, Anil, Anil, Anil, A(23), A(22), A(21), A(20), Anil, Anil, Anil, Anil) };
cc_unit s6[CCN384_N] = { ccn384_32( Anil, Anil, Anil, Anil, Anil, Anil, A(23), A(22), A(21), Anil, Anil, A(20)) };
cc_unit d1[CCN384_N] = { ccn384_32( A(22), A(21), A(20), A(19), A(18), A(17), A(16), A(15), A(14), A(13), A(12), A(23)) };
cc_unit d2[CCN384_N] = { ccn384_32( Anil, Anil, Anil, Anil, Anil, Anil, Anil, A(23), A(22), A(21), A(20), Anil) };
cc_unit d3[CCN384_N] = { ccn384_32( Anil, Anil, Anil, Anil, Anil, Anil, Anil, A(23), A(23), Anil, Anil, Anil) };
cc_unit *select[2] __attribute__((aligned(16))) ={s1,s3};
cc_unit carry,carry_mask;
ccn_add(ccn_nof(160)+1, d2, d2, d3); // smaller size and no carry possible
ccn_add(ccn_nof(224)+1, s1, s1, s1); // smaller size and no carry possible, alternatively cc_shiftl(s1, 1) but add is currently faster.
ccn_add(ccn_nof(256)+1, s5, s5, s1); // smaller size and no carry possible
ccn_add(ccn_nof(256)+1, s5, s5, s6); // smaller size and no carry possible
carry = ccn_add(CCN384_N, r, a, &a[CCN384_N]);
carry += ccn_add(CCN384_N, r, r, s3);
carry += ccn_add(CCN384_N, r, r, s4);
carry += ccn_add(CCN384_N, r, r, s5);
carry -= ccn_sub(CCN384_N, d1, cczp_prime(zp), d1);
carry += ccn_add(CCN384_N, r, r, d1);
carry -= ccn_sub(CCN384_N, s3, r, d2);
/* Reduce r mod p384 by subtraction of up to four multiples of p384. */
carry_mask=CC_CARRY_3BITS(carry);
carry -= (carry_mask & ccn_sub(CCN384_N,select[carry_mask],s3,cczp_prime(zp)));
carry_mask=CC_CARRY_2BITS(carry);
carry -= (carry_mask & ccn_sub(CCN384_N,select[carry_mask],s3,cczp_prime(zp)));
carry_mask=CC_CARRY_2BITS(carry);
carry -= (carry_mask & ccn_sub(CCN384_N,select[carry_mask],s3,cczp_prime(zp)));
carry ^= ccn_sub(CCN384_N,s1,s3,cczp_prime(zp));
ccn_set(CCN384_N,r,select[carry]);
/* Sanity for debug */
cc_assert(ccn_cmp(CCN384_N, r, cczp_prime(zp)) < 0);
}
void test_hashset_new()
{
HashSetConf conf;
hashset_conf_init(&conf);
conf.initial_capacity = 7;
HashSet *set = hashset_new_conf(&conf);
cc_assert(hashset_size(set) == 0,
cc_msg("hashset_new: Initial size not 0"));
size_t capacity = hashset_capacity(set);
/* power of 2 rounding */
cc_assert(capacity == 8,
cc_msg("hashset_new: Expected capactity was 8, but got %d",
capacity));
hashset_destroy(set);
}
/*
* NIST SP 800-90 March 2007
* 10.2.1.4.2 The Process Steps for Reseeding When a Derivation
* Function is Used
*/
static int
reseed(struct ccdrbg_state *rng,
unsigned long entropyLength, const void *entropy,
unsigned long additionalLength, const void *additional)
{
int err;
uint32_t count;
const char *input_string[2];
uint32_t length[2];
struct ccdrbg_nistctr_state *drbg=(struct ccdrbg_nistctr_state *)rng;
uint32_t seed_material[CCADRBG_SEEDLEN_INTS(drbg)];
err =validate_inputs(drbg, entropyLength, additionalLength, 0); if(err!=CCDRBG_STATUS_OK) return err;
if(drbg->use_df) {
/* [1] seed_material = entropy || additional */
input_string[0] = entropy;
/* typecast: guaranteed to fit by the above checks */
length[0] = (uint32_t)entropyLength;
count = 1;
if (additional && additionalLength)
{
input_string[count] = additional;
/* typecast: guaranteed to fit by above checks */
length[count] = (uint32_t)additionalLength;
++count;
}
/* [2] seed_material = Block_Cipher_df(seed_material, seedlen) */
err = df(drbg, input_string, length, count,
(uint8_t *)seed_material, sizeof(seed_material));
if (err)
return err;
} else {
cc_clear(sizeof(seed_material),seed_material);
cc_assert(additionalLength==0 || additionalLength==sizeof(seed_material)); //additionalLength is validated above
CC_MEMCPY(seed_material, additional, additionalLength);
cc_xor(CCADRBG_SEEDLEN(drbg), seed_material, seed_material, entropy);
}
/* [3] (Key, V) = Update(seed_material, Key, V) */
if (drbg_update(drbg, seed_material))
{
return CCDRBG_STATUS_PARAM_ERROR;
}
/* [4] reseed_counter = 1 */
drbg->reseed_counter = 1;
return CCDRBG_STATUS_OK;
}
static node_t *ptr_decl(void)
{
node_t *ret = NULL;
int con, vol, res, type;
cc_assert(token->id == '*');
for (;;) {
int *p, t = token->id;
switch (token->id) {
case CONST:
p = &con;
break;
case VOLATILE:
p = &vol;
break;
case RESTRICT:
p = &res;
break;
case '*':
{
node_t *pty = ptr_type(NULL);
con = vol = res = type = 0;
p = &type;
prepend_type(&ret, pty);
}
break;
default:
p = NULL;
break;
}
if (p == NULL)
break;
if (*p != 0)
warning("duplicate type qulifier '%s'", token->name);
*p = t;
if (t == CONST || t == VOLATILE || t == RESTRICT)
ret = qual(t, ret);
gettok();
}
return ret;
}
int
ccec_generate_key_internal_fips(ccec_const_cp_t cp, struct ccrng_state *rng, ccec_full_ctx_t key)
{
int result=CCEC_GENERATE_KEY_DEFAULT_ERR;
/* Get base point G in projected form. */
ccec_point_decl_cp(cp, base);
cczp_const_t zq = ccec_cp_zq(cp);
cc_require((result=ccec_projectify(cp, base, ccec_cp_g(cp),rng))==0,errOut);
/* Generate a random private key k. */
ccec_ctx_init(cp, key);
cc_unit *k = ccec_ctx_k(key);
cc_unit *q_minus_2 = ccec_ctx_x(key); // used as temp buffer
int cmp_result=1;
/* Need to test candidate against q-2 */
ccn_sub1(ccec_cp_n(cp), q_minus_2, cczp_prime(zq), 2);
size_t i;
/* Generate adequate random for private key */
for (i = 0; i < MAX_RETRY && cmp_result>0; i++)
{
/* Random bits */
cc_require(((result = ccn_random_bits(ccec_cp_order_bitlen(cp), k, rng)) == 0),errOut);
/* If k <= q-2, the number is valid */
cmp_result=ccn_cmp(ccec_cp_n(cp), k, q_minus_2);
}
if (i >= MAX_RETRY)
{
result=CCEC_GENERATE_KEY_TOO_MANY_TRIES;
}
else
{
cc_assert(cmp_result<=0);
/* k is now in range [ 0, q-2 ] ==> +1 for range [ 1, q-1 ] */
ccn_add1(ccec_cp_n(cp), k, k, 1);
/* Calculate the public key for k. */
cc_require_action(ccec_mult(cp, ccec_ctx_point(key), k, base,rng) == 0 ,errOut,
result=CCEC_GENERATE_KEY_MULT_FAIL);
cc_require_action(ccec_is_point_projective(cp, ccec_ctx_point(key)),errOut,
result=CCEC_GENERATE_NOT_ON_CURVE);
cc_require_action(ccec_affinify(cp, ccec_ctx_point(key), ccec_ctx_point(key)) == 0,errOut,
result=CCEC_GENERATE_KEY_AFF_FAIL);
ccn_seti(ccec_cp_n(cp), ccec_ctx_z(key), 1);
result=0;
}
errOut:
return result;
}
static void XYCZdblJac(ccec_const_cp_t cp,
cc_unit *twoP,
cc_unit *P,
ccec_const_projective_point_t p,
cc_ws_t ws)
{
cc_size n=ccec_cp_n(cp);
cc_unit *t1=&twoP[0],*t2=&twoP[n],
*t3=&P[0],*t4=&P[n];
cc_unit *t5=ws->start;
cc_unit *t6=ws->start+n;
cc_unit *t7=ws->start+2*n;
ws->start+=3*n;
cc_assert((ws->start)<=ws->end); // Check that provided workspace is sufficient;
/*
Cost (a=-3) : 6S + 2M + 12add/sub
Cost (generic) : 6S + 3M + 10add/sub
*/
cczp_sqr_ws(cp.zp, t7, ccec_const_point_x(p,cp), ws); // X1^2
cczp_add_ws(cp.zp, t4, t7, t7, ws); // 2*X1^2
cczp_add_ws(cp.zp, t7, t7, t4, ws); // 3*X1^2
cczp_sqr_ws(cp.zp, t3, ccec_const_point_z(p,cp), ws); // Z1^2
cczp_sqr_ws(cp.zp, t3, t3, ws); // Z1^4
#ifdef EC_CURVE_SUPPORT_ONLY_A_MINUS_3
cczp_add_ws(cp.zp, t5, t3, t3, ws); // 2*Z1^4
cczp_add_ws(cp.zp, t5, t5, t3, ws); // 3*Z1^4
cczp_sub_ws(cp.zp, t7, t7, t5, ws); // B = 3*X1^2 - 3.Z1^4
#else
cczp_mul_ws(cp.zp, t5, ccec_cp_a(cp), t3, ws); // a.Z1^4
cczp_add_ws(cp.zp, t7, t7, t5, ws); // B = 3*X1^2 + a.Z1^4
#endif
cczp_sqr_ws(cp.zp, t4, ccec_const_point_y(p,cp), ws); // Y1^2
cczp_add_ws(cp.zp, t4, t4, t4, ws); // 2Y1^2
cczp_add_ws(cp.zp, t5, t4, t4, ws); // 4Y1^2
cczp_mul_ws(cp.zp, t3, t5, ccec_const_point_x(p,cp), ws); // A = 4Y1^2.X1
cczp_sqr_ws(cp.zp, t6, t7, ws); // B^2
cczp_sub_ws(cp.zp, t6, t6, t3, ws); // B^2 - A
cczp_sub_ws(cp.zp, t1, t6, t3, ws); // X2 = B^2 - 2.A
cczp_sub_ws(cp.zp, t6, t3, t1, ws); // A - X2
cczp_mul_ws(cp.zp, t6, t6, t7, ws); // (A - X2)*B
cczp_sqr_ws(cp.zp, t4, t4, ws); // (2Y1^2)^2
cczp_add_ws(cp.zp, t4, t4, t4, ws); // 8.Y1^4 = Y1'
cczp_sub_ws(cp.zp, t2, t6, t4, ws); // Y2 = (A - X2)*B - 8.Y1^4
ws->start=t5; // restore workspace starting point.
}
// Convert point from affine to jacobian projective coordinates
int ccec_projectify(ccec_const_cp_t cp, ccec_projective_point_t r, ccec_const_affine_point_t s,
struct ccrng_state *masking_rng) {
int status;
cc_assert(r.hdr!=s.hdr); // Points must differ
#if CCEC_DEBUG
ccec_alprint(cp, "ccec_projectify input", s);
#endif
// Initialize z
#if CCEC_MASKING
// Randomized z coordinate
if (masking_rng) {
cc_size bitlen=ccec_cp_prime_bitlen(cp);
status=ccn_random_bits(bitlen-1, ccec_point_z(r, cp), masking_rng);
ccn_set_bit(ccec_point_z(r, cp), bitlen-2, 1);
cczp_sqr(cp.zp, ccec_point_x(r, cp), ccec_point_z(r, cp)); // Z^2 (mtgR^-1)
cczp_mul(cp.zp, ccec_point_y(r, cp), ccec_point_x(r, cp), ccec_point_z(r, cp)); // Z^3 (mtgR^-2)
// Set point coordinate from Z, Z^2, Z^3
cczp_mul(cp.zp, ccec_point_x(r, cp), ccec_point_x(r, cp), ccec_const_point_x(s, cp)); // x.Z^2.mtgR (mtgR^-3)
cczp_mul(cp.zp, ccec_point_y(r, cp), ccec_point_y(r, cp), ccec_const_point_y(s, cp)); // y.Z^3.mtgR (mtgR^-4)
// Z.mtgR (mtgR^-1)
if (CCEC_ZP_IS_MONTGOMERY(cp)) {
cczp_convert_to_montgomery(cp.zp, ccec_point_x(r, cp), ccec_point_x(r, cp)); // x.Z^2.mtgR (mtgR^-2)
cczp_convert_to_montgomery(cp.zp, ccec_point_y(r, cp), ccec_point_y(r, cp)); // y.Z^3.mtgR (mtgR^-3)
} // Z.mtgR (mtgR^-1)
} else
#endif
// Fixed z coordinate
{
ccn_seti(ccec_cp_n(cp), ccec_point_z(r, cp),1);
(void) masking_rng;
// Set point in the arithmetic representation
if (CCEC_ZP_IS_MONTGOMERY(cp)) {
cczp_convert_to_montgomery(cp.zp, ccec_point_x(r, cp), ccec_const_point_x(s, cp));
cczp_convert_to_montgomery(cp.zp, ccec_point_y(r, cp), ccec_const_point_y(s, cp));
cczp_convert_to_montgomery(cp.zp, ccec_point_z(r, cp), ccec_point_z(r, cp));
}
else {
ccn_set(ccec_cp_n(cp), ccec_point_x(r, cp), ccec_const_point_x(s, cp));
ccn_set(ccec_cp_n(cp), ccec_point_y(r, cp), ccec_const_point_y(s, cp));
}
status=0;
}
#if CCEC_DEBUG
ccec_plprint(cp, "ccec_projectify output", r);
#endif
return status;
}
static double perf_ccrng_CommonCrypto_generate(unsigned long loops, size_t nbytes)
{
uint8_t results[nbytes];
CC_UNUSED int status;
double time;
perf_start();
do {
status = ccrng_generate((struct ccrng_state *)&nist_ctx, nbytes, results);
cc_assert(status==0);
} while (--loops != 0);
time=perf_time();
return time;
}
// Constant time implementation when assembly is not available.
cc_size ccn_n(cc_size n, const cc_unit *s) {
cc_unit s_tmp;
cc_size ms_ix=0;
for (cc_size ix=1;ix<=n;ix++) {
s_tmp=s[ix-1];
CC_HEAVISIDE_STEP(s_tmp); // 1 iff (s[ix]!=0)
s_tmp=(~0 + s_tmp); // 0 iff (s[ix]!=0), ~0 otherwise
// Keep the (index+1) of the most significant non zero cc_unit
ms_ix = (~s_tmp & ix) | (s_tmp & ms_ix);
}
#if CCN_N_DEBUG
cc_assert(ms_ix == ccn_n_ref(n,s));
#endif
return ms_ix;
}
void ccmode_gcm_init(const struct ccmode_gcm *gcm, ccgcm_ctx *key,
size_t rawkey_len, const void *rawkey) {
const struct ccmode_ecb *ecb = gcm->custom;
cc_assert(((GCM_TABLE_SIZE % CCN_UNIT_SIZE) == 0));
_CCMODE_GCM_ECB_MODE(key)->ecb = ecb;
_CCMODE_GCM_ECB_MODE(key)->ecb_key = &_CCMODE_GCM_KEY(key)->u[0] + GCM_TABLE_SIZE;
ecb->init(ecb, CCMODE_GCM_KEY_ECB_KEY(key), rawkey_len, rawkey);
/* gmac init: X=0, PAD=0, H = E(0) */
cc_zero(16, CCMODE_GCM_KEY_X(key));
cc_zero(16, CCMODE_GCM_KEY_PAD(key));
ecb->ecb(CCMODE_GCM_KEY_ECB_KEY(key), 1, CCMODE_GCM_KEY_X(key),
CCMODE_GCM_KEY_H(key));
CCMODE_GCM_KEY_PAD_LEN(key) = 0;
_CCMODE_GCM_KEY(key)->mode = CCMODE_GCM_MODE_IV;
_CCMODE_GCM_KEY(key)->ivmode = 0;
_CCMODE_GCM_KEY(key)->totlen = 0;
_CCMODE_GCM_KEY(key)->pttotlen = 0;
#ifdef CCMODE_GCM_TABLES
/* setup tables */
int x, y, z, t;
unsigned char B[16] = {};
/* generate the first table as it has no shifting (from which we make the other tables) */
for (y = 0; y < 256; y++) {
B[0] = y;
ccmode_gcm_gf_mult(CCMODE_GCM_KEY_H(key), B, &_CCMODE_GCM_KEY(key)->PC[0][y][0]);
}
/* now generate the rest of the tables based the previous table */
for (x = 1; x < 16; x++) {
for (y = 0; y < 256; y++) {
/* now shift it right by 8 bits */
t = _CCMODE_GCM_KEY(key)->PC[x-1][y][15];
for (z = 15; z > 0; z--) {
_CCMODE_GCM_KEY(key)->PC[x][y][z] = _CCMODE_GCM_KEY(key)->PC[x-1][y][z-1];
}
_CCMODE_GCM_KEY(key)->PC[x][y][0] = gcm_shift_table[t<<1];
_CCMODE_GCM_KEY(key)->PC[x][y][1] ^= gcm_shift_table[(t<<1)+1];
}
}
#endif /* !CCMODE_GCM_TABLES */
}
struct ccperf_family *ccperf_family_ccrng(int argc, char *argv[])
{
ccdrbg_factory_nistctr(&info, &DRBGcustom);
struct ccdrbg_state *state = malloc(info.size);
CC_UNUSED int status = ccrng_CommonCrypto_init(&nist_ctx, &info, state, 0);
cc_assert(status==0);
F_GET_ALL(family, ccrng);
family.nsizes=5;
family.sizes=malloc(family.nsizes*sizeof(unsigned long));
family.sizes[0]=16;
family.sizes[1]=128;
family.sizes[2]=256;
family.sizes[3]=1024;
family.sizes[4]=32*1024;
family.size_kind=ccperf_size_bytes;
return &family;
}
static void XYCZaddC(ccec_const_cp_t cp,
cc_unit *P,
cc_unit *Q,
cc_ws_t ws)
{
cc_size n=ccec_cp_n(cp);
cc_unit *t1=&P[0],*t2=&P[n],
*t3=&Q[0],*t4=&Q[n];
cc_unit *t5=ws->start;
cc_unit *t6=ws->start+n;
cc_unit *t7=ws->start+2*n;
ws->start+=3*n;
cc_assert((ws->start)<=ws->end); // Check that provided workspace is sufficient;
/*
Algo 19
Modified to have same input and output buffers
Cost: 3S + 5M + 11add/sub
*/
cczp_sub_ws(cp.zp, t5, t3, t1, ws); // X2-X1
cczp_sqr_ws(cp.zp, t5, t5, ws); // (X2-X1)^2=A
cczp_mul_ws(cp.zp, t6, t1, t5, ws); // X1 * A = B
cczp_mul_ws(cp.zp, t1, t3, t5, ws); // X2 * A = C
cczp_add_ws(cp.zp, t5, t4, t2, ws); // Y2+Y1
cczp_sub_ws(cp.zp, t4, t4, t2, ws); // Y2-Y1
cczp_sub_ws(cp.zp, t3, t1, t6, ws); // C - B
cczp_mul_ws(cp.zp, t7, t2, t3, ws); // Y1 * (C-B)
cczp_add_ws(cp.zp, t3, t1, t6, ws); // C + B
cczp_sqr_ws(cp.zp, t1, t4, ws); // (Y2-Y1)^2
cczp_sub_ws(cp.zp, t1, t1, t3, ws); // X3 = (Y2-Y1)^2 - (C+B)
cczp_sub_ws(cp.zp, t2, t6, t1, ws); // B - X3
cczp_mul_ws(cp.zp, t2, t4, t2, ws); // (Y2-Y1) * (B-X3)
cczp_sub_ws(cp.zp, t2, t2, t7, ws); // Y3 = (Y2-Y1)*(B-X3) - Y1*(C-B)
cczp_sqr_ws(cp.zp, t4, t5, ws); // F = (Y2+Y1)^2
cczp_sub_ws(cp.zp, t3, t4, t3, ws); // X3' = F - (C+B)
cczp_sub_ws(cp.zp, t4, t3, t6, ws); // X3' - B
cczp_mul_ws(cp.zp, t4, t4, t5, ws); // (X3'-B) * (Y2+Y1)
cczp_sub_ws(cp.zp, t4, t4, t7, ws); // Y3' = (X3'-B)*(Y2+Y1) - Y1*(C-B)
ws->start=t5; // restore workspace starting point.
}
static void ccn_mod_521(cczp_const_t zp, cc_unit *r, const cc_unit *a, CC_UNUSED cc_ws_t ws) {
cc_assert(cczp_n(zp) == CCN521_N);
cc_unit t[CCN521_N];
cc_unit t2[CCN521_N];
cc_unit *select[2] __attribute__((aligned(16))) ={t,t2};
cc_unit borrow;
#if CCN_UNIT_SIZE == 1
ccn_shift_right(CCN521_N - 1, t2, &a[CCN521_N - 1], 1); // r = a521,...,a1041
t2[CCN521_N - 1] += a[CCN521_N - 1] & CC_UNIT_C(1);
t2[CCN521_N - 1] += ccn_add(CCN521_N - 1,t2,t2,a);
#else
ccn_shift_right(CCN521_N, t2, &a[CCN512_N], 9); // r = a521,...,a1041
t2[CCN512_N] += a[CCN512_N] & CC_UNIT_C(0x1ff); // r += (a512,...,a520)*2^512
t2[CCN512_N] += ccn_add(CCN512_N,t2,t2,a); // r += a0,...,a511
#endif
borrow=ccn_sub(CCN521_N, t, t2, cczp_prime(zp));
ccn_set(CCN521_N,r,select[borrow]);
}
static void array_qualifiers(node_t * atype)
{
int cons, vol, res;
int *p;
cons = vol = res = 0;
while (token->kind == CONST) {
int t = token->id;
struct source src = source;
switch (t) {
case CONST:
p = &cons;
gettok();
break;
case VOLATILE:
p = &vol;
gettok();
break;
case RESTRICT:
p = &res;
gettok();
break;
default:
cc_assert(0);
}
if (*p != 0)
warningf(src, "duplicate type qualifier '%s'", id2s(*p));
*p = t;
}
if (cons)
TYPE_A_CONST(atype) = 1;
if (vol)
TYPE_A_VOLATILE(atype) = 1;
if (res)
TYPE_A_RESTRICT(atype) = 1;
}
static int validate_gen_params(struct ccdrbg_nistctr_state *drbg, unsigned long dataOutLength, unsigned long additionalLength)
{
int rc=CCDRBG_STATUS_PARAM_ERROR;
cc_require (dataOutLength >= 1, end); //Requested zero byte in one request
cc_require (dataOutLength <= CCDRBG_MAX_REQUEST_SIZE, end); //Requested too many bytes in one request
unsigned long max = drbg->use_df? CCDRBG_MAX_ADDITIONALINPUT_SIZE:CCADRBG_SEEDLEN(drbg);
cc_require (additionalLength<=max, end); //Additional input too long
// 1. If (reseed_counter > 2^^48), then Return (“Reseed required”, Null, V, Key, reseed_counter).
cc_assert(sizeof(drbg->reseed_counter>=8)); //make sure it fits 2^48
rc = CCDRBG_STATUS_NEED_RESEED;
cc_require (drbg->reseed_counter <= CCDRBG_RESEED_INTERVAL || !drbg->strictFIPS, end); //Reseed required
rc=CCDRBG_STATUS_OK;
end:
return rc;
}
// verify the signature in sig. The original (hash of the message) message is in digest
int ccrsa_verify_pss(ccrsa_pub_ctx_t key,
const struct ccdigest_info* di, const struct ccdigest_info* MgfDi,
size_t digestSize, const uint8_t *digest,
size_t sigSize, const uint8_t *sig,
size_t saltSize, bool *valid)
{
const cc_size modBits =ccn_bitlen(ccrsa_ctx_n(key), ccrsa_ctx_m(key));
const cc_size modBytes = cc_ceiling(modBits, 8);
const cc_size emBits = modBits-1; //as defined in §8.1.1
const cc_size emSize = cc_ceiling(emBits, 8);
*valid = false;
int rc=0;
//1.
if(modBytes!= sigSize) return CCRSA_INVALID_INPUT;
if(digestSize != di->output_size) return CCRSA_INVALID_INPUT;
//2.
const cc_size modWords=ccrsa_ctx_n(key);
cc_unit EM[modWords]; //EM islarge enough to fit sig variable
//2.a read sig to tmp array and make sure it fits
cc_require_action(ccn_read_uint(modWords, EM, sigSize, sig)==0,errOut,rc=CCRSA_INVALID_INPUT);
//2.b
cc_require((rc=ccrsa_pub_crypt(key, EM, EM))==0,errOut);
//2.c
ccn_swap(modWords, EM);
//3
const size_t ofs = modWords*sizeof(cc_unit)-emSize;
cc_assert(ofs<=sizeof(cc_unit)); //make sure sizes are consistent and we don't overrun buffers.
rc|= ccrsa_emsa_pss_decode(di, MgfDi, saltSize, digestSize, digest, emBits, (uint8_t *) EM+ofs);
*valid = (rc==0)?true:false;
errOut:
return rc;
}
void test_hashset_iter_next()
{
HashSet *hs = hashset_new();
char *a = "foo";
char *b = "bar";
char *c = "baz";
hashset_add(hs, a);
hashset_add(hs, b);
hashset_add(hs, c);
size_t x = 0;
size_t y = 0;
size_t z = 0;
HashSetIter iter;
hashset_iter_init(&iter, hs);
while (hashset_iter_has_next(&iter)) {
char const *e = hashset_iter_next(&iter);
if (!strcmp(e, "foo"))
x++;
if (!strcmp(e, "bar"))
y++;
if (!strcmp(e, "baz"))
z++;
}
cc_assert((x == 1) && (y == 1) && (z == 1),
cc_msg("hashset_iter: Unexpected number of "
"elements returned by the iterator"));
hashset_destroy(hs);
}
static void XYCZadd(ccec_const_cp_t cp,
cc_unit *P,
cc_unit *Q,
cc_ws_t ws)
{
cc_size n=ccec_cp_n(cp);
cc_unit *t1=&P[0],*t2=&P[n],
*t3=&Q[0],*t4=&Q[n];
cc_unit *t5=ws->start;
cc_unit *t6=ws->start+n;
ws->start+=2*n;
cc_assert((ws->start)<=ws->end); // Check that provided workspace is sufficient;
/*
Algo 18
modified to have input and output in same buffer
use more RAM but less than XYCZaddC so that it does not matter
Cost: 2S + 4M + 7sub
*/
cczp_sub_ws(cp.zp, t5, t3, t1, ws); // X2-X1
cczp_sqr_ws(cp.zp, t5, t5, ws); // (X2-X1)^2=A
cczp_mul_ws(cp.zp, t6, t3, t5, ws); // X2.A=C
cczp_mul_ws(cp.zp, t3, t1, t5, ws); // X1.A=B
cczp_sub_ws(cp.zp, t5, t4, t2, ws); // Y2-Y1
cczp_sqr_ws(cp.zp, t1, t5, ws); // (Y2-Y1)^2 = D
cczp_sub_ws(cp.zp, t1, t1, t3, ws); // D - B
cczp_sub_ws(cp.zp, t1, t1, t6, ws); // X3
cczp_sub_ws(cp.zp, t6, t6, t3, ws); // C - B
cczp_mul_ws(cp.zp, t4, t2, t6, ws); // Y1 (C - B)
cczp_sub_ws(cp.zp, t2, t3, t1, ws); // B - X3
cczp_mul_ws(cp.zp, t2, t5, t2, ws); // (Y2-Y1) (B - X3)
cczp_sub_ws(cp.zp, t2, t2, t4, ws); // (Y2-Y1)(B - X3) - Y1 (C - B)
ws->start=t5; // restore workspace starting point.
}
static void declarator(node_t ** ty, struct token **id, int *params)
{
int follow[] = { ',', '=', IF, 0 };
cc_assert(ty && id);
if (token->id == '*') {
node_t *pty = ptr_decl();
prepend_type(ty, pty);
}
if (token->id == ID) {
*id = token;
expect(ID);
if (token->id == '[' || token->id == '(') {
node_t *faty = func_or_array(false, params);
prepend_type(ty, faty);
}
} else if (token->id == '(') {
node_t *type1 = *ty;
node_t *rtype = NULL;
expect('(');
declarator(&rtype, id, params);
match(')', follow);
if (token->id == '[' || token->id == '(') {
node_t *faty = func_or_array(false, params);
attach_type(&faty, type1);
attach_type(&rtype, faty);
} else {
attach_type(&rtype, type1);
}
*ty = rtype;
} else {
error("expect identifier or '('");
}
}
static void parse_assign(node_t *atype)
{
node_t *assign = assign_expr();
TYPE_A_ASSIGN(atype) =assign;
if (!assign)
return;
if (isint(AST_TYPE(assign))) {
// try evaluate the length
node_t *ret = eval(assign, longtype);
if (ret) {
cc_assert(isiliteral(ret));
TYPE_LEN(atype) = ILITERAL_VALUE(ret);
if ((long)ILITERAL_VALUE(ret) < 0)
error("array has negative size");
} else {
error("expect constant expression");
}
} else {
error("size of array has non-integer type '%s'",
type2s(AST_TYPE(assign)));
}
}
static int ccec_mult_ws(ccec_const_cp_t cp, ccec_projective_point_t r, const cc_unit *d, ccec_const_projective_point_t s, struct ccrng_state *rng, cc_ws_t ws) {
cc_size n=ccec_cp_n(cp);
size_t dbitlen=ccn_bitlen(n,d);
cc_unit *R0=ws->start; // R0 and R1 are full points:
cc_unit *R1=ws->start+2*n; // X in [0..n-1] and Y in [n..2n-1]
ws->start+=4*n;
cc_assert((ws->start)<=ws->end); // Check that provided workspace is sufficient;
// Check edge cases
// Scalar d must be <= q to
// prevent intermediary results to be the point at infinity
// corecrypto to take care to meet this requirement
cc_assert(ccn_cmp(n,d,cczp_prime(ccec_cp_zq(cp)))<=0); // d <= q
ccn_sub1(n,R0,cczp_prime(ccec_cp_zq(cp)),1); // q-1
if (dbitlen < 1) {
ccn_clear(n, ccec_point_x(r, cp));
ccn_clear(n, ccec_point_y(r, cp));
ccn_clear(n, ccec_point_z(r, cp));
} else if (dbitlen == 1) {
// If d=1 => r=s
ccn_set(n, ccec_point_x(r, cp), ccec_const_point_x(s, cp));
ccn_set(n, ccec_point_y(r, cp), ccec_const_point_y(s, cp));
ccn_set(n, ccec_point_z(r, cp), ccec_const_point_z(s, cp));
} else if (ccn_cmp(n,d,R0)==0) {
// If d=(q-1) => r=-s
// Case not handle by Montgomery Ladder because R1-R0 = s.
// On the last iteration r=R0 => R1 is equal to infinity which is not supported
ccn_set(n, ccec_point_x(r, cp), ccec_const_point_x(s, cp));
ccn_sub(n, ccec_point_y(r, cp), cczp_prime(cp.zp), ccec_const_point_y(s, cp));
ccn_set(n, ccec_point_z(r, cp), ccec_const_point_z(s, cp));
}
else {
// Randomize buffer to harden against cache attacks
// TODO: scalar randomization.
cc_unit c=1;
if (rng) ccn_random_bits(1,&c,rng);
// Core of the EC scalar multiplication
cc_unit dbit; // Bit of d at index i
cc_unit *R[2] __attribute__((aligned(16)))={R0,R1};
XYCZdblJac(cp,R[c^1],R[c^0],s,ws);
// Main loop
for (unsigned long i = dbitlen - 2; i>0; --i) {
dbit=c^(ccn_bit(d, i));
XYCZaddC(cp,R[dbit],R[1^dbit],ws);
XYCZadd(cp,R[dbit],R[1^dbit],ws);
// Per Montgomery Ladder:
// Invariably, R1 - R0 = P at this point of the loop
}
// Last iteration
dbit=c^(ccn_bit(d, 0));
XYCZaddC(cp,R[dbit],R[1^dbit],ws);
// If d0 = 0 1
// R1-R0=-P R1-R0=P
// Therefore we can reconstruct the Z coordinate
// To save an inversion and keep the result in Jacobian projective coordinates,
// we compute coefficient for X and Y.
XYCZrecoverCoeffJac(cp,
ccec_point_x(r, cp),
ccec_point_y(r, cp),
ccec_point_z(r, cp),
R[c^1],R[c^0],
(int)(dbit^c),
s,
ws);
XYCZadd(cp,R[dbit],R[1^dbit],ws);
// Apply coefficients
cczp_mul_ws(cp.zp, ccec_point_x(r, cp), ccec_point_x(r, cp), &(R[c][0]), ws); // X0 * lambdaX
cczp_mul_ws(cp.zp, ccec_point_y(r, cp), ccec_point_y(r, cp), &(R[c][n]), ws); // Y0 * lambdaY
}
#if CCEC_MULT_DEBUG
ccn_lprint(n, "Result X:", ccec_point_x(r, cp));
ccn_lprint(n, "Result Y:", ccec_point_y(r, cp));
ccn_lprint(n, "Result Z:", ccec_point_z(r, cp));
#endif
ws->start-=4*n;
return 0;
}