[apple/xnu.git] / EXTERNAL_HEADERS / corecrypto / cczp.h

/* Copyright (c) (2010,2011,2012,2013,2014,2015,2016,2017,2018,2019) Apple Inc. All rights reserved.
 *
 * corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
 * is contained in the License.txt file distributed with corecrypto) and only to 
 * people who accept that license. IMPORTANT:  Any license rights granted to you by 
 * Apple Inc. (if any) are limited to internal use within your organization only on 
 * devices and computers you own or control, for the sole purpose of verifying the 
 * security characteristics and correct functioning of the Apple Software.  You may 
 * not, directly or indirectly, redistribute the Apple Software or any portions thereof.
 */

#ifndef _CORECRYPTO_CCZP_H_
#define _CORECRYPTO_CCZP_H_

#include <corecrypto/ccn.h>
#include <corecrypto/ccrng.h>

/*
 Don't use cczp_hd struct directly, except in static tables such as eliptic curve parameter
 definitions.

 Declare cczp objects using cczp_decl_n(). It allocates cc_unit arrays of the length returned by
 cczp_nof_n().
*/

struct cczp;

typedef struct cczp *cczp_t;
typedef const struct cczp *cczp_const_t;

struct cczp_funcs;
typedef const struct cczp_funcs *cczp_funcs_t;

// keep cczp_hd and cczp structures consistent
// cczp_hd is typecasted to cczp to read EC curve params
// make sure n is the first element see ccrsa_ctx_n macro
#define __CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
    cc_size pre##n;                             \
    cc_unit pre##bitlen;                        \
    cczp_funcs_t pre##funcs;

#define __CCZP_ELEMENTS_DEFINITIONS(pre)    \
    __CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
    cc_unit pre##ccn[];

// cczp_hd must be defined separetly without variable length array ccn[], because it is used in
// sructures such as ccdh_gp_decl_n
struct cczp_hd {
    __CCZP_HEADER_ELEMENTS_DEFINITIONS()
} CC_ALIGNED(CCN_UNIT_SIZE);

struct cczp {
    __CCZP_ELEMENTS_DEFINITIONS()
} CC_ALIGNED(CCN_UNIT_SIZE);

/* Return the size of an cczp where each ccn is _size_ bytes. */
#define cczp_size(_size_) (sizeof(struct cczp) + ccn_sizeof_n(1) + 2 * (_size_))

/* Return number of units that a struct cczp needs to be in units for a prime
   size of N units.  This is large enough for all operations.  */
#define cczp_nof_n(_n_) (ccn_nof_size(sizeof(struct cczp)) + 1 + 2 * (_n_))

/* Return number of units that a struct cczp needs to be in units for a prime
   size of _n_ units. */
#define cczp_decl_n(_n_, _name_) cc_ctx_decl(struct cczp, ccn_sizeof_n(cczp_nof_n(_n_)), _name_)
#define cczp_clear_n(_n_, _name_) cc_clear(ccn_sizeof_n(cczp_nof_n(_n_)), _name_)

#define CCZP_N(ZP) ((ZP)->n)
#define CCZP_PRIME(ZP) ((ZP)->ccn)
#define CCZP_BITLEN(ZP) ((ZP)->bitlen)
#define CCZP_RECIP(ZP) ((ZP)->ccn + CCZP_N(ZP))
CC_NONNULL((1)) CC_INLINE cc_size cczp_n(cczp_const_t zp)
{
    return zp->n;
}

CC_NONNULL((1)) CC_INLINE const cc_unit *cczp_prime(cczp_const_t zp)
{
    return zp->ccn;
}

CC_NONNULL((1)) CC_INLINE size_t cczp_bitlen(cczp_const_t zp)
{
    cc_assert(ccn_bitlen(cczp_n(zp), cczp_prime(zp)) == CCZP_BITLEN(zp));
    return (size_t)CCZP_BITLEN(zp);
}

/* Return a pointer to the Reciprocal or Montgomery constant of zp, which is
 allocated cczp_n(zp) + 1 units long. */
CC_NONNULL((1)) CC_INLINE const cc_unit *cczp_recip(cczp_const_t zp)
{
    return zp->ccn + zp->n;
}

/* Ensure both cczp_mod_prime(zp) and cczp_recip(zp) are valid. cczp_n and
   cczp_prime must have been previously initialized. The reciprocal will
   be computed and set. */
CC_NONNULL((1))
int cczp_init(cczp_t zp);

/*! @function cczp_init_with_recip
 @abstract Initializes a cczp struct with a given reciprocal.

 @param zp    Pointer to a cczp struct.
 @param recip Reciprocal for zp's prime.
 */
CC_NONNULL((1, 2))
void cczp_init_with_recip(cczp_t zp, const cc_unit *recip);

/* Compute r = m ^ e mod cczp_prime(zp), using Montgomery ladder.
   - writes cczp_n(zp) units to r
   - reads  cczp_n(zp) units units from m and e
   - if r and m are not identical they must not overlap.
   - r and e must not overlap nor be identical.
   - before calling this function either cczp_init(zp) must have been called
   or both CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must
   be initialized some other way.
 */
CC_NONNULL((1, 2, 3, 4))
int cczp_power(cczp_const_t zp, cc_unit *r, const cc_unit *m, const cc_unit *e);

/*!
 @brief cczp_inv(zp, r, x) computes r = x^-1 (mod p) , where p=cczp_prime(zp).
 @discussion It is a general function and works for any p. It validates the inputs. r and x can
 overlap. It writes n =cczp_n(zp) units to r, and read n units units from x and p. The output r is
 overwriten only if the inverse is correctly computed. This function is not constant time in
 absolute sense, but it does not have data dependent 'if' statements in the code.
 @param zp  The input zp. cczp_n(zp) and cczp_prime(zp) need to be valid. cczp_init(zp) need not to
 be called before invoking cczp_inv().
 @param x input big integer
 @param r output big integer
 @return  0 if inverse exists and correctly computed.
 */
CC_NONNULL((1, 2, 3))
int cczp_inv(cczp_const_t zp, cc_unit *r, const cc_unit *x);

#endif /* _CORECRYPTO_CCZP_H_ */
Commit	Line	Data
f427ee49	1	/* Copyright (c) (2010,2011,2012,2013,2014,2015,2016,2017,2018,2019) Apple Inc. All rights reserved.
d190cdc3	2	*
f427ee49 A	3	* corecrypto is licensed under Apple Inc.’s Internal Use License Agreement (which
	4	* is contained in the License.txt file distributed with corecrypto) and only to
	5	* people who accept that license. IMPORTANT: Any license rights granted to you by
	6	* Apple Inc. (if any) are limited to internal use within your organization only on
	7	* devices and computers you own or control, for the sole purpose of verifying the
	8	* security characteristics and correct functioning of the Apple Software. You may
	9	* not, directly or indirectly, redistribute the Apple Software or any portions thereof.
d190cdc3 A	10	*/
	11
	12	#ifndef _CORECRYPTO_CCZP_H_
	13	#define _CORECRYPTO_CCZP_H_
	14
	15	#include <corecrypto/ccn.h>
	16	#include <corecrypto/ccrng.h>
	17
d9a64523 A	18	/*
	19	Don't use cczp_hd struct directly, except in static tables such as eliptic curve parameter
	20	definitions.
	21
	22	Declare cczp objects using cczp_decl_n(). It allocates cc_unit arrays of the length returned by
cb323159	23	cczp_nof_n().
d190cdc3 A	24	*/
	25
	26	struct cczp;
d9a64523 A	27
	28	typedef struct cczp *cczp_t;
	29	typedef const struct cczp *cczp_const_t;
	30
f427ee49 A	31	struct cczp_funcs;
f427ee49 A	32	typedef const struct cczp_funcs *cczp_funcs_t;
d190cdc3 A	33
	34	// keep cczp_hd and cczp structures consistent
	35	// cczp_hd is typecasted to cczp to read EC curve params
d9a64523	36	// make sure n is the first element see ccrsa_ctx_n macro
d190cdc3	37	#define __CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
d9a64523	38	cc_size pre##n; \
f427ee49 A	39	cc_unit pre##bitlen; \
f427ee49 A	40	cczp_funcs_t pre##funcs;
d190cdc3	41
d9a64523 A	42	#define __CCZP_ELEMENTS_DEFINITIONS(pre) \
	43	__CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
	44	cc_unit pre##ccn[];
d190cdc3	45
d9a64523 A	46	// cczp_hd must be defined separetly without variable length array ccn[], because it is used in
	47	// sructures such as ccdh_gp_decl_n
	48	struct cczp_hd {
d190cdc3	49	__CCZP_HEADER_ELEMENTS_DEFINITIONS()
d9a64523	50	} CC_ALIGNED(CCN_UNIT_SIZE);
d190cdc3 A	51
	52	struct cczp {
	53	__CCZP_ELEMENTS_DEFINITIONS()
	54	} CC_ALIGNED(CCN_UNIT_SIZE);
	55
d190cdc3 A	56	/* Return the size of an cczp where each ccn is _size_ bytes. */
	57	#define cczp_size(_size_) (sizeof(struct cczp) + ccn_sizeof_n(1) + 2 * (_size_))
	58
	59	/* Return number of units that a struct cczp needs to be in units for a prime
	60	size of N units. This is large enough for all operations. */
	61	#define cczp_nof_n(_n_) (ccn_nof_size(sizeof(struct cczp)) + 1 + 2 * (_n_))
	62
	63	/* Return number of units that a struct cczp needs to be in units for a prime
cb323159	64	size of _n_ units. */
d9a64523	65	#define cczp_decl_n(_n_, _name_) cc_ctx_decl(struct cczp, ccn_sizeof_n(cczp_nof_n(_n_)), _name_)
d9a64523	66	#define cczp_clear_n(_n_, _name_) cc_clear(ccn_sizeof_n(cczp_nof_n(_n_)), _name_)
d9a64523 A	67
d9a64523 A	68	#define CCZP_N(ZP) ((ZP)->n)
d9a64523	69	#define CCZP_PRIME(ZP) ((ZP)->ccn)
f427ee49	70	#define CCZP_BITLEN(ZP) ((ZP)->bitlen)
d9a64523	71	#define CCZP_RECIP(ZP) ((ZP)->ccn + CCZP_N(ZP))
cb323159	72	CC_NONNULL((1)) CC_INLINE cc_size cczp_n(cczp_const_t zp)
d9a64523	73	{
d190cdc3 A	74	return zp->n;
	75	}
	76
cb323159	77	CC_NONNULL((1)) CC_INLINE const cc_unit *cczp_prime(cczp_const_t zp)
d9a64523	78	{
d190cdc3 A	79	return zp->ccn;
	80	}
	81
f427ee49 A	82	CC_NONNULL((1)) CC_INLINE size_t cczp_bitlen(cczp_const_t zp)
	83	{
	84	cc_assert(ccn_bitlen(cczp_n(zp), cczp_prime(zp)) == CCZP_BITLEN(zp));
	85	return (size_t)CCZP_BITLEN(zp);
	86	}
	87
d190cdc3 A	88	/* Return a pointer to the Reciprocal or Montgomery constant of zp, which is
d190cdc3 A	89	allocated cczp_n(zp) + 1 units long. */
cb323159	90	CC_NONNULL((1)) CC_INLINE const cc_unit *cczp_recip(cczp_const_t zp)
d9a64523	91	{
d190cdc3 A	92	return zp->ccn + zp->n;
	93	}
	94
d190cdc3	95	/* Ensure both cczp_mod_prime(zp) and cczp_recip(zp) are valid. cczp_n and
cb323159 A	96	cczp_prime must have been previously initialized. The reciprocal will
cb323159 A	97	be computed and set. */
d9a64523	98	CC_NONNULL((1))
5ba3f43e	99	int cczp_init(cczp_t zp);
d190cdc3	100
cb323159 A	101	/*! @function cczp_init_with_recip
	102	@abstract Initializes a cczp struct with a given reciprocal.
	103
	104	@param zp Pointer to a cczp struct.
	105	@param recip Reciprocal for zp's prime.
	106	*/
	107	CC_NONNULL((1, 2))
	108	void cczp_init_with_recip(cczp_t zp, const cc_unit *recip);
d190cdc3	109
d190cdc3 A	110	/* Compute r = m ^ e mod cczp_prime(zp), using Montgomery ladder.
	111	- writes cczp_n(zp) units to r
	112	- reads cczp_n(zp) units units from m and e
d9a64523	113	- if r and m are not identical they must not overlap.
d190cdc3 A	114	- r and e must not overlap nor be identical.
	115	- before calling this function either cczp_init(zp) must have been called
	116	or both CCZP_MOD_PRIME((cc_unit )zp) and CCZP_RECIP((cc_unit )zp) must
	117	be initialized some other way.
	118	*/
d9a64523 A	119	CC_NONNULL((1, 2, 3, 4))
d9a64523 A	120	int cczp_power(cczp_const_t zp, cc_unit r, const cc_unit m, const cc_unit *e);
d190cdc3	121
d190cdc3 A	122	/*!
d190cdc3 A	123	@brief cczp_inv(zp, r, x) computes r = x^-1 (mod p) , where p=cczp_prime(zp).
d9a64523 A	124	@discussion It is a general function and works for any p. It validates the inputs. r and x can
	125	overlap. It writes n =cczp_n(zp) units to r, and read n units units from x and p. The output r is
	126	overwriten only if the inverse is correctly computed. This function is not constant time in
	127	absolute sense, but it does not have data dependent 'if' statements in the code.
	128	@param zp The input zp. cczp_n(zp) and cczp_prime(zp) need to be valid. cczp_init(zp) need not to
	129	be called before invoking cczp_inv().
d190cdc3 A	130	@param x input big integer
	131	@param r output big integer
	132	@return 0 if inverse exists and correctly computed.
	133	*/
d9a64523	134	CC_NONNULL((1, 2, 3))
d190cdc3 A	135	int cczp_inv(cczp_const_t zp, cc_unit r, const cc_unit x);
d190cdc3 A	136
d190cdc3	137	#endif /* _CORECRYPTO_CCZP_H_ */