xnu-4570.20.62.tar.gz

[apple/xnu.git] / EXTERNAL_HEADERS / corecrypto / cczp.h

/*
 *  cczp.h
 *  corecrypto
 *
 *  Created on 11/16/2010
 *
 *  Copyright (c) 2010,2011,2012,2013,2014,2015 Apple Inc. All rights reserved.
 *
 */

#ifndef _CORECRYPTO_CCZP_H_
#define _CORECRYPTO_CCZP_H_

#include <corecrypto/ccn.h>
#include <corecrypto/ccrng.h>

/* 
 Don't use cczp_hd struct directly, except in static tables such as eliptic curve parameter definitions.
 
 Declare cczp objects using cczp_decl_n(). It allocates cc_unit arrays of the length returned by either cczp_nof_n() or cczp_short_nof_n().
*/

struct cczp;
#if CORECRYPTO_USE_TRANSPARENT_UNION

typedef union {
    cc_unit *u;
    struct cczp *zp;
    //cczp_const_t czp; //for automatic type cast
    //struct cczp_prime *prime;
} cczp_t __attribute__((transparent_union));

typedef union {
    const cc_unit *u;
    const struct cczp *zp;
    //const struct cczp_prime *prime;
    cczp_t _nczp;
} cczp_const_t __attribute__((transparent_union));

#else
    typedef struct cczp* cczp_t;
    typedef const struct cczp* cczp_const_t;
#endif
typedef void (*ccmod_func_t)(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *s);

// keep cczp_hd and cczp structures consistent
// cczp_hd is typecasted to cczp to read EC curve params
// options field is to specify Montgomery arithmetic, bit field, etc
// make sure n is the first element see ccrsa_ctx_n macro 
#define __CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
cc_size pre ## n;\
cc_unit pre ## options;\
ccmod_func_t pre ## mod_prime;

#define __CCZP_ELEMENTS_DEFINITIONS(pre) \
__CCZP_HEADER_ELEMENTS_DEFINITIONS(pre) \
cc_unit pre ## ccn[];

//cczp_hd must be defined separetly without variable length array ccn[], because it is used in sructures such as ccdh_gp_decl_n
struct cczp_hd{
    __CCZP_HEADER_ELEMENTS_DEFINITIONS()
}  CC_ALIGNED(CCN_UNIT_SIZE);

struct cczp {
    __CCZP_ELEMENTS_DEFINITIONS()
} CC_ALIGNED(CCN_UNIT_SIZE);


/* Return the size of an cczp where each ccn is _size_ bytes. */
#define cczp_size(_size_) (sizeof(struct cczp) + ccn_sizeof_n(1) + 2 * (_size_))

/* Return number of units that a struct cczp needs to be in units for a prime
   size of N units.  This is large enough for all operations.  */
#define cczp_nof_n(_n_) (ccn_nof_size(sizeof(struct cczp)) + 1 + 2 * (_n_))

/* Return number of units that a struct cczp needs to be in units for a prime
   size of _n_ units.  The _short variant does not have room for CCZP_RECIP,
   so it can not be used with cczp_mod, cczp_mul, cczp_sqr. It can be used
   with cczp_add, cczp_sub, cczp_div2, cczp_mod_inv. */
#define cczp_short_nof_n(_n_) (ccn_nof_size(sizeof(struct cczp)) + (_n_))

#define cczp_decl_n(_n_, _name_)  cc_ctx_decl(struct cczp, ccn_sizeof_n(cczp_nof_n(_n_)), _name_)
#define cczp_short_decl_n(_n_, _name_) cc_ctx_decl(struct cczp_short, ccn_sizeof_n(cczp_short_nof_n(_n_)), _name_)

#define cczp_clear_n(_n_, _name_)  cc_clear(ccn_sizeof_n(cczp_nof_n(_n_)), _name_)
#define cczp_short_clear_n(_n_, _name_)  cc_clear(ccn_sizeof_n(cczp_short_nof_n(_n_)), _name_)

#if CORECRYPTO_USE_TRANSPARENT_UNION 
  #define CCZP_N(ZP) (((cczp_t)(ZP)).zp->n)
  #define CCZP_MOD(ZP) (((cczp_t)(ZP)).zp->mod_prime)
  #define CCZP_PRIME(ZP) (((cczp_t)(ZP)).zp->ccn)
  #define CCZP_RECIP(ZP) (((cczp_t)(ZP)).zp->ccn + cczp_n(ZP))
  #define CCZP_OPS(ZP) ((ZP).zp->options)
  #define CCZP_MOD_PRIME(ZP) CCZP_MOD(ZP)

CC_CONST CC_NONNULL_TU((1))
static inline cc_size cczp_n(cczp_const_t zp) {
    return zp.zp->n;
}

CC_CONST CC_NONNULL_TU((1))
static inline cc_unit cczp_options(cczp_const_t zp) {
    return zp.zp->options;
}

CC_CONST CC_NONNULL_TU((1))
static inline ccmod_func_t cczp_mod_prime(cczp_const_t zp) {
    return zp.zp->mod_prime;
}

CC_CONST CC_NONNULL_TU((1))
static inline const cc_unit *cczp_prime(cczp_const_t zp) {
    return zp.zp->ccn;
}

/* Return a pointer to the Reciprocal or Montgomery constant of zp, which is
 allocated cczp_n(zp) + 1 units long. */
CC_CONST CC_NONNULL_TU((1))

static inline const cc_unit *cczp_recip(cczp_const_t zp) {
    return zp.zp->ccn + zp.zp->n;
}

#else
  #define CCZP_N(ZP)     ((ZP)->n)
  #define CCZP_MOD(ZP)   ((ZP)->mod_prime)
  #define CCZP_MOD_PRIME(ZP) CCZP_MOD(ZP)
  #define CCZP_PRIME(ZP) ((ZP)->ccn)
  #define CCZP_RECIP(ZP) ((ZP)->ccn + CCZP_N(ZP))
  #define CCZP_OPS(ZP)   ((ZP)->options)
CC_CONST CC_NONNULL_TU((1))
static inline cc_size cczp_n(cczp_const_t zp) {
    return zp->n;
}

CC_CONST CC_NONNULL_TU((1))
static inline cc_unit cczp_options(cczp_const_t zp) {
    return zp->options;
}

CC_CONST CC_NONNULL_TU((1))
static inline ccmod_func_t cczp_mod_prime(cczp_const_t zp) {
    return zp->mod_prime;
}

CC_CONST CC_NONNULL_TU((1))
static inline const cc_unit *cczp_prime(cczp_const_t zp) {
    return zp->ccn;
}

/* Return a pointer to the Reciprocal or Montgomery constant of zp, which is
 allocated cczp_n(zp) + 1 units long. */
CC_CONST CC_NONNULL_TU((1))

static inline const cc_unit *cczp_recip(cczp_const_t zp) {
    return zp->ccn + zp->n;
}

#endif


CC_CONST CC_NONNULL_TU((1))
CC_INLINE size_t cczp_bitlen(cczp_const_t zp) {
    return ccn_bitlen(cczp_n(zp), cczp_prime(zp));
}


/* Ensure both cczp_mod_prime(zp) and cczp_recip(zp) are valid. cczp_n and
   cczp_prime must have been previously initialized. */
CC_NONNULL_TU((1))
int cczp_init(cczp_t zp);

/* Compute r = s2n mod cczp_prime(zp). Will write cczp_n(zp)
 units to r and reads 2 * cczp_n(zp) units units from s2n. If r and s2n are not
 identical they must not overlap.  Before calling this function either
 cczp_init(zp) must have been called or both CCZP_MOD_PRIME((cc_unit *)zp)
 and CCZP_RECIP((cc_unit *)zp) must be initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
void cczp_mod(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *s2n);

/* Compute r = sn mod cczp_prime(zp), Will write cczp_n(zp)
 units to r and reads sn units units from s. If r and s are not
 identical they must not overlap.  Before calling this function either
 cczp_init(zp) must have been called or both CCZP_MOD_PRIME((cc_unit *)zp)
 and CCZP_RECIP((cc_unit *)zp) must be initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 4))
int cczp_modn(cczp_const_t zp, cc_unit *r, cc_size ns, const cc_unit *s);

/* Compute r = x * y mod cczp_prime(zp). Will write cczp_n(zp) units to r
   and reads cczp_n(zp) units units from both x and y. If r and x are not
   identical they must not overlap, The same holds for r and y.  Before
   calling this function either cczp_init(zp) must have been called or both
   CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must be
   initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
void cczp_mul(cczp_const_t zp, cc_unit *t, const cc_unit *x, const cc_unit *y);

CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4, 5))
void cczp_mul_ws(cc_ws_t ws, cczp_const_t zp, cc_unit *t, const cc_unit *x, const cc_unit *y);

/* Compute r = x * x mod cczp_prime(zp). Will write cczp_n(zp) units to r
   and reads cczp_n(zp) units from x. If r and x are not identical they must
   not overlap. Before calling this function either cczp_init(zp) must have
   been called or both CCZP_MOD_PRIME((cc_unit *)zp) and
   CCZP_RECIP((cc_unit *)zp) must be initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
void cczp_sqr(cczp_const_t zp, cc_unit *r, const cc_unit *x);

CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
void cczp_sqr_ws(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *x);

/* Compute r = x^(1/2) mod cczp_prime(zp). Will write cczp_n(zp) units to r
 and reads cczp_n(zp) units from x. If r and x are not identical they must
 not overlap. Before calling this function either cczp_init(zp) must have
 been called or both CCZP_MOD_PRIME((cc_unit *)zp) and
 CCZP_RECIP((cc_unit *)zp) must be initialized some other way. 
 Only support prime = 3 mod 4 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
int cczp_sqrt(cczp_const_t zp, cc_unit *r, const cc_unit *x);

/* Compute r = m ^ e mod cczp_prime(zp), using Montgomery ladder.
   - writes cczp_n(zp) units to r
   - reads  cczp_n(zp) units units from m and e
   - if r and m are not identical they must not overlap. 
   - r and e must not overlap nor be identical.
   - before calling this function either cczp_init(zp) must have been called
   or both CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must
   be initialized some other way.
 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
int cczp_power(cczp_const_t zp, cc_unit *r, const cc_unit *m,
               const cc_unit *e);

/* Compute r = m ^ e mod cczp_prime(zp), using Square Square Multiply Always.
 - writes cczp_n(zp) units to r
 - reads  cczp_n(zp) units units from m and e
 - if r and m are not identical they must not overlap.
 - r and e must not overlap nor be identical.
 - before calling this function either cczp_init(zp) must have been called
 or both CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must
 be initialized some other way. 
 
 Important: This function is intented to be constant time but is more likely
    to leak information due to memory cache. Only used with randomized input
 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
int cczp_power_ssma(cczp_const_t zp, cc_unit *r, const cc_unit *m,
                const cc_unit *e);

int cczp_power_ssma_ws(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *s, const cc_unit *e);

/* Compute r = m ^ e mod cczp_prime(zp). Will write cczp_n(zp) units to r and
 reads cczp_n(zp) units units from m.  Reads ebitlen bits from e.
 m must be <= to cczp_prime(zp).  If r and m are not identical they must not
 overlap. r and e must not overlap nor be identical.
 Before calling this function either cczp_init(zp) must have been called
 or both CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must
 be initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 5))
int cczp_powern(cczp_const_t zp, cc_unit *r, const cc_unit *s,
                size_t ebitlen, const cc_unit *e);

/* Compute r = x + y mod cczp_prime(zp). Will write cczp_n(zp) units to r and
   reads cczp_n(zp) units units from x and y. If r and x are not identical
   they must not overlap. Only cczp_n(zp) and cczp_prime(zp) need to be valid.
   Can be used with cczp_short_nof_n sized cc_unit array zp. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
void cczp_add(cczp_const_t zp, cc_unit *r, const cc_unit *x,
              const cc_unit *y);

CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4, 5))
void cczp_add_ws(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *x,
                 const cc_unit *y);

/* Compute r = x - y mod cczp_prime(zp). Will write cczp_n(zp) units to r and
   reads cczp_n(zp) units units from x and y. If r and x are not identical
   they must not overlap. Only cczp_n(zp) and cczp_prime(zp) need to be valid.
   Can be used with cczp_short_nof_n sized cc_unit array zp. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
void cczp_sub(cczp_const_t zp, cc_unit *r, const cc_unit *x, const cc_unit *y);

CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4, 5))
void cczp_sub_ws(cc_ws_t ws, cczp_const_t zp, cc_unit *r, const cc_unit *x,
                 const cc_unit *y);

/* Compute r = x / 2 mod cczp_prime(zp). Will write cczp_n(zp) units to r and
   reads cczp_n(zp) units units from x. If r and x are not identical
   they must not overlap. Only cczp_n(zp) and cczp_prime(zp) need to be valid.
   Can be used with cczp_short_nof_n sized cc_unit array zp. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
void cczp_div2(cczp_const_t zp, cc_unit *r, const cc_unit *x);

/* Compute q = a_2n / cczp_prime(zd) (mod cczp_prime(zd)) . Will write cczp_n(zd)
   units to q and r. Will read 2 * cczp_n(zd) units units from a. If r and a
   are not identical they must not overlap. Before calling this function
   either cczp_init(zp) must have been called or both
   CCZP_MOD_PRIME((cc_unit *)zp) and CCZP_RECIP((cc_unit *)zp) must be
   initialized some other way. */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3, 4))
void cczp_div(cczp_const_t zd, cc_unit *q, cc_unit *r, const cc_unit *a_2n);


/*!
 @brief cczp_inv(zp, r, x) computes r = x^-1 (mod p) , where p=cczp_prime(zp).
 @discussion It is a general function and works for any p. It validates the inputs. r and x can overlap. It writes n =cczp_n(zp) units to r, and read n units units from x and p. The output r is overwriten only if the inverse is correctly computed. This function is not constant time in absolute sense, but it does not have data dependent 'if' statements in the code.
 @param zp  The input zp. cczp_n(zp) and cczp_prime(zp) need to be valid. cczp_init(zp) need not to be called before invoking cczp_inv().
 @param x input big integer
 @param r output big integer
 @return  0 if inverse exists and correctly computed.
 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))

int cczp_inv(cczp_const_t zp, cc_unit *r, const cc_unit *x);

/*!
 @brief cczp_inv_odd(zp, r, x) computes r = x^-1 (mod p) , where p=cczp_prime(zp) is an odd number.
 @discussion  r and x can overlap.
 @param zp  The input zp. cczp_n(zp) and cczp_prime(zp) need to be valid. cczp_init(zp) need not to be called before invoking.
 @param x input big integer
 @param r output big integer
 @return  0 if successful
 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
int cczp_inv_odd(cczp_const_t zp, cc_unit *r, const cc_unit *x);

/*!
 @brief cczp_inv_field(zp, r, x) computes r = x^-1 (mod p) , where p=cczp_prime(zp) is a prime number number.
 @discussion r and x must NOT overlap. The excution time of the function is independent to the value of the input x. It works only if p is a field. That is, when p is a prime. It supports Montgomery and non-Montgomery form of zp. It leaks the value of the prime and should only be used be used for public (not secret) primes (ex. Elliptic Curves)

 @param zp  The input zp. cczp_n(zp) and cczp_prime(zp) need to be valid. cczp_init(zp) need not to be called before invoking cczp_inv_field().
 @param x input big unteger
 @param r output big integer
 @return  0 if inverse exists and correctly computed.
 */
CC_NONNULL_TU((1)) CC_NONNULL((2, 3))
int cczp_inv_field(cczp_const_t zp, cc_unit *r, const cc_unit *x);

#endif /* _CORECRYPTO_CCZP_H_ */