dropbear/libtomcrypt/crypt.tex

f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\documentclass[synpaper]{book}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage[dvips]{geometry}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{hyperref}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{makeidx}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{amssymb}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{color}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{graphicx}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{layout}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\usepackage{fancyhdr}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\union{\cup}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\intersect{\cap}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\getsrandom{\stackrel{\rm R}{\gets}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\cross{\times}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\cat{\hspace{0.5em} \| \hspace{0.5em}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\catn{$\|$}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\divides{\hspace{0.3em} | \hspace{0.3em}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\nequiv{\not\equiv}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\approx{\raisebox{0.2ex}{\mbox{\small $\sim$}}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\lcm{{\rm lcm}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\gcd{{\rm gcd}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\log{{\rm log}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\ord{{\rm ord}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\abs{{\mathit abs}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\rep{{\mathit rep}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\mod{{\mathit\ mod\ }}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\renewcommand{\pmod}[1]{\ ({\rm mod\ }{#1})}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\floor}[1]{\left\lfloor{#1}\right\rfloor}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\ceil}[1]{\left\lceil{#1}\right\rceil}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\Or{{\rm\ or\ }}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\And{{\rm\ and\ }}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\iff{\hspace{1em}\Longleftrightarrow\hspace{1em}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\implies{\Rightarrow}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\undefined{{\rm \textit{undefined}}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\Proof{\vspace{1ex}\noindent {\bf Proof:}\hspace{1em}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\let\oldphi\phi
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\phi{\varphi}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\Pr{{\rm Pr}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\str}[1]{{\mathbf{#1}}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\F{{\mathbb F}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\N{{\mathbb N}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\Z{{\mathbb Z}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\R{{\mathbb R}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\C{{\mathbb C}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\Q{{\mathbb Q}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\definecolor{DGray}{gray}{0.5}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\emailaddr}[1]{\mbox{$<${#1}$>$}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\def\gap{\vspace{0.5ex}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\makeindex
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\mysection}[1]    % Re-define the chaptering command to use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	{                   % THESE headers.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	\section{#1}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \markboth{\textsf{www.libtom.org}}{\thesection ~ {#1}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newcommand{\mystarsection}[1]    % Re-define the chaptering command to use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	{                   % THESE headers.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	\section*{#1}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \markboth{\textsf{www.libtom.org}}{{#1}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project	}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\pagestyle{empty}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{document}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\frontmatter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\pagestyle{empty}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vspace{2in}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{Huge}LibTomCrypt\end{Huge}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{large}Developer Manual\end{large}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vspace{15mm}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{c}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTom St Denis \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTom Projects
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newpage
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis document is part of the LibTomCrypt package and is hereby released into the public domain.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOpen Source.  Open Academia.  Open Minds.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{flushright}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTom St Denis
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOttawa, Ontario
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCanada
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project~
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{flushright}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newpage
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\tableofcontents
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\listoffigures
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\pagestyle{myheadings}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mainmatter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{What is the LibTomCrypt?}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt is a portable ISO C cryptographic library meant to be a tool set for cryptographers who are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdesigning cryptosystems.  It supports symmetric ciphers, one-way hashes, pseudo-random number generators,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpublic key cryptography (via PKCS \#1 RSA, DH or ECCDH), and a plethora of support routines.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library was designed such that new ciphers/hashes/PRNGs can be added at run-time and the existing API
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(and helper API functions) are able to use the new designs automatically.  There exists self-check functions for each
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectblock cipher and hash function to ensure that they compile and execute to the published design specifications.  The library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectalso performs extensive parameter error checking to prevent any number of run-time exploits or errors.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{What the library IS for?}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library serves as a toolkit for developers who have to solve cryptographic problems.  Out of the box LibTomCrypt
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdoes not process SSL or OpenPGP messages, it doesn't read X.509 certificates, or write PEM encoded data.  It does, however,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectprovide all of the tools required to build such functionality.  LibTomCrypt was designed to be a flexible library that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwas not tied to any particular cryptographic problem.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Why did I write it?}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou may be wondering, \textit{Tom, why did you write a crypto library.  I already have one.}  Well the reason falls into
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttwo categories:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \item I am too lazy to figure out someone else's API.  I'd rather invent my own simpler API and use that.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \item It was (still is) good coding practice.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe idea is that I am not striving to replace OpenSSL or Crypto++ or Cryptlib or etc.  I'm trying to write my
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{\bf own} crypto library and hopefully along the way others will appreciate the work.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWith this library all core functions (ciphers, hashes, prngs, and bignum) have the same prototype definition.  They all load
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand store data in a format independent of the platform.  This means if you encrypt with Blowfish on a PPC it should decrypt
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton an x86 with zero problems.  The consistent API also means that if you learn how to use Blowfish with the library you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectknow how to use Safer+, RC6, or Serpent as well.  With all of the core functions there are central descriptor tables
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat can be used to make a program automatically pick between ciphers, hashes and PRNGs at run-time.  That means your
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectapplication can support all ciphers/hashes/prngs/bignum without changing the source code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNot only did I strive to make a consistent and simple API to work with but I also attempted to make the library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectconfigurable in terms of its build options.  Out of the box the library will build with any modern version of GCC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwithout having to use configure scripts.  This means that the library will work with platforms where development
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttools may be limited (e.g. no autoconf).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOn top of making the build simple and the API approachable I've also attempted for a reasonably high level of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrobustness and efficiency.  LibTomCrypt traps and returns a series of errors ranging from invalid
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectarguments to buffer overflows/overruns.  It is mostly thread safe and has been clocked on various platforms
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith \textit{cycles per byte} timings that are comparable (and often favourable) to other libraries such as OpenSSL and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCrypto++.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Modular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe LibTomCrypt package has also been written to be very modular.  The block ciphers, one--way hashes,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpseudo--random number generators (PRNG), and bignum math routines are all used within the API through \textit{descriptor} tables which
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare essentially structures with pointers to functions.  While you can still call particular functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdirectly (\textit{e.g. sha256\_process()}) this descriptor interface allows the developer to customize their
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectusage of the library.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor example, consider a hardware platform with a specialized RNG device.  Obviously one would like to tap
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat for the PRNG needs within the library (\textit{e.g. making a RSA key}).  All the developer has to do
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis write a descriptor and the few support routines required for the device.  After that the rest of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAPI can make use of it without change.  Similarly imagine a few years down the road when AES2
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(\textit{or whatever they call it}) has been invented.  It can be added to the library and used within applications
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith zero modifications to the end applications provided they are written properly.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis flexibility within the library means it can be used with any combination of primitive algorithms and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunlike libraries like OpenSSL is not tied to direct routines.  For instance, in OpenSSL there are CBC block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmode routines for every single cipher.  That means every time you add or remove a cipher from the library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou have to update the associated support code as well.  In LibTomCrypt the associated code (\textit{chaining modes in this case})
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare not directly tied to the ciphers.  That is a new cipher can be added to the library by simply providing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe key setup, ECB decrypt and encrypt and test vector routines.  After that all five chaining mode routines
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcan make use of the cipher right away.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{License}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe project is hereby released as public domain.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Patent Disclosure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe author (Tom St Denis) is not a patent lawyer so this section is not to be treated as legal advice.  To the best
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the authors knowledge the only patent related issues within the library are the RC5 and RC6 symmetric block ciphers.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThey can be removed from a build by simply commenting out the two appropriate lines in \textit{tomcrypt\_custom.h}.  The rest
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the ciphers and hashes are patent free or under patents that have since expired.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe RC2 and RC4 symmetric ciphers are not under patents but are under trademark regulations.  This means you can use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe ciphers you just can't advertise that you are doing so.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Thanks}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectI would like to give thanks to the following people (in no particular order) for helping me develop this project from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectearly on:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Richard van de Laarschot
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Richard Heathfield
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Ajay K. Agrawal
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Brian Gladman
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Svante Seleborg
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Clay Culver
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Jason Klapste
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Dobes Vandermeer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Daniel Richards
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Wayne Scott
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Andrew Tyler
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Sky Schulz
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Christopher Imes
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere have been quite a few other people as well.  Please check the change log to see who else has contributed from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttime to time.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{The Application Programming Interface (API)}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{CRYPT\_ERROR} \index{CRYPT\_OK}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn general the API is very simple to memorize and use.  Most of the functions return either {\bf void} or {\bf int}.  Functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat return {\bf int} will return {\bf CRYPT\_OK} if the function was successful, or one of the many error codes
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif it failed.  Certain functions that return int will return $-1$ to indicate an error.  These functions will be explicitly
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcommented upon.  When a function does return a CRYPT error code it can be translated into a string with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{error\_to\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectconst char *error_to_string(int err);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn example of handling an error is:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid somefunc(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* call a cryptographic function */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = some_crypto_function(...)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("A crypto error occurred, %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      /* perform error handling */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* continue on if no error occurred */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere is no initialization routine for the library and for the most part the code is thread safe.  The only thread
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrelated issue is if you use the same symmetric cipher, hash or public key state data in multiple threads.  Normally
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat is not an issue.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo include the prototypes for \textit{LibTomCrypt.a} into your own program simply include \textit{tomcrypt.h} like so:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe header file \textit{tomcrypt.h} also includes \textit{stdio.h}, \textit{string.h}, \textit{stdlib.h}, \textit{time.h} and \textit{ctype.h}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Macros}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are a few helper macros to make the coding process a bit easier.  The first set are related to loading and storing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project32/64-bit words in little/big endian format.  The macros are:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{STORE32L} \index{STORE64L} \index{LOAD32L} \index{LOAD64L} \index{STORE32H} \index{STORE64H} \index{LOAD32H} \index{LOAD64H} \index{BSWAP}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newpage
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[hpbt]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline STORE32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 3]$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline STORE64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[0 \ldots 7]$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline LOAD32L(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[0 \ldots 3] \to x$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline LOAD64L(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[0 \ldots 7] \to x$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline STORE32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $x \to y[3 \ldots 0]$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline STORE64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $x \to y[7 \ldots 0]$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline LOAD32H(x, y) & {\bf unsigned long} x, {\bf unsigned char} *y & $y[3 \ldots 0] \to x$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline LOAD64H(x, y) & {\bf unsigned long long} x, {\bf unsigned char} *y & $y[7 \ldots 0] \to x$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline BSWAP(x) & {\bf unsigned long} x & Swap bytes \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{Load And Store Macros}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are 32 and 64-bit cyclic rotations as well:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ROL} \index{ROR} \index{ROL64} \index{ROR64} \index{ROLc} \index{RORc} \index{ROL64c} \index{ROR64c}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[hpbt]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROL(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y, 0 \le y \le 31$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROLc(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x << y, 0 \le y \le 31$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROR(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y, 0 \le y \le 31$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline RORc(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x >> y, 0 \le y \le 31$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline && \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROL64(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x << y, 0 \le y \le 63$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROL64c(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x << y, 0 \le y \le 63$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROR64(x, y) & {\bf unsigned long} x, {\bf unsigned long} y & $x >> y, 0 \le y \le 63$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline ROR64c(x, y) & {\bf unsigned long} x, {\bf const unsigned long} y & $x >> y, 0 \le y \le 63$ \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{Rotate Macros}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Functions with Variable Length Output}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCertain functions such as (for example) \textit{rsa\_export()} give an output that is variable length.  To prevent buffer overflows you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmust pass it the length of the buffer where the output will be stored.  For example:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_export()} \index{error\_to\_string()} \index{variable length output}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    rsa_key key;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned char buffer[1024];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long x;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* ... Make up the RSA key somehow ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* lets export the key, set x to the size of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     * output buffer */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    x = sizeof(buffer);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    if ((err = rsa_export(buffer, &x, PK_PUBLIC, &key)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("Export error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* if rsa_export() was successful then x will have
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     * the size of the output */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    printf("RSA exported key takes %d bytes\n", x);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* ... do something with the buffer */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the above example if the size of the RSA public key was more than 1024 bytes this function would return an error code
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectindicating a buffer overflow would have occurred.  If the function succeeds, it stores the length of the output back into
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{x} so that the calling application will know how many bytes were used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.13, most functions will update your length on failure to indicate the size required by the function.  Not all functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsupport this so please check the source before you rely on it doing that.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Functions that need a PRNG}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Pseudo Random Number Generator} \index{PRNG}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCertain functions such as \textit{rsa\_make\_key()} require a Pseudo Random Number Generator (PRNG).  These functions do not setup
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe PRNG themselves so it is the responsibility of the calling function to initialize the PRNG before calling them.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCertain PRNG algorithms do not require a \textit{prng\_state} argument (sprng for example).  The \textit{prng\_state} argument
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmay be passed as \textbf{NULL} in such situations.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{register\_prng()} \index{rsa\_make\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    rsa_key key;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int     err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* register the system RNG */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    register_prng(&sprng_desc)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* make a 1024-bit RSA key with the system RNG */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    if ((err = rsa_make_key(NULL, find_prng("sprng"), 1024/8, 65537, &key))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("make_key error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* use the key ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Functions that use Arrays of Octets}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectMost functions require inputs that are arrays of the data type \textit{unsigned char}.  Whether it is a symmetric key, IV
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfor a chaining mode or public key packet it is assumed that regardless of the actual size of \textit{unsigned char} only the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlower eight bits contain data.  For example, if you want to pass a 256 bit key to a symmetric ciphers setup routine, you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmust pass in (a pointer to) an array of 32 \textit{unsigned char} variables.  Certain routines (such as SAFER+) take
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecial care to work properly on platforms where an \textit{unsigned char} is not eight bits.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor the purposes of this library, the term \textit{byte} will refer to an octet or eight bit word.  Typically an array of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttype \textit{byte} will be synonymous with an array of type \textit{unsigned char.}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Symmetric Block Ciphers}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Core Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt provides several block ciphers with an ECB block mode interface.  It is important to first note that you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectshould never use the ECB modes directly to encrypt data.  Instead you should use the ECB functions to make a chaining mode,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projector use one of the provided chaining modes.  All of the ciphers are written as ECB interfaces since it allows the rest of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe API to grow in a modular fashion.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Key Scheduling}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll ciphers store their scheduled keys in a single data type called \textit{symmetric\_key}.  This allows all ciphers to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthave the same prototype and store their keys as naturally as possible.  This also removes the need for dynamic memory
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectallocation, and allows you to allocate a fixed sized buffer for storing scheduled keys.  All ciphers must provide six visible
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunctions which are (given that XXX is the name of the cipher) the following:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher Setup}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_setup(const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe XXX\_setup() routine will setup the cipher to be used with a given number of rounds and a given key length (in bytes).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe number of rounds can be set to zero to use the default, which is generally a good idea.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the function returns successfully the variable \textit{skey} will have a scheduled key stored in it.  It's important to note
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat you should only used this scheduled key with the intended cipher.  For example, if you call \textit{blowfish\_setup()} do not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpass the scheduled key onto \textit{rc5\_ecb\_encrypt()}.  All built--in setup functions do not allocate memory off the heap so
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhen you are done with a key you can simply discard it (e.g. they can be on the stack).  However, to maintain proper coding
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpractices you should always call the respective XXX\_done() function.  This allows for quicker porting to applications with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectexternally supplied plugins.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECB Encryption and Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encrypt or decrypt a block in ECB mode there are these two functions per cipher:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher Encrypt} \index{Cipher Decrypt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_ecb_encrypt(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_ecb_decrypt(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese two functions will encrypt or decrypt (respectively) a single block of text\footnote{The size of which depends on
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhich cipher you are using.}, storing the result in the \textit{ct} buffer (\textit{pt} resp.).  It is possible that the input and output buffer are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe same buffer.  For the encrypt function \textit{pt}\footnote{pt stands for plaintext.} is the input and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{ct}\footnote{ct stands for ciphertext.} is the output.  For the decryption function it's the opposite.  They both
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectreturn \textbf{CRYPT\_OK} on success.  To test a particular cipher against test vectors\footnote{As published in their design papers.}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcall the following self-test function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Self--Testing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher Testing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will return {\bf CRYPT\_OK} if the cipher matches the test vectors from the design publication it is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbased upon.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Key Sizing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor each cipher there is a function which will help find a desired key size.  It is specified as follows:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Key Sizing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_keysize(int *keysize);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEssentially, it will round the input keysize in \textit{keysize} down to the next appropriate key size.  This function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill return {\bf CRYPT\_OK} if the key size specified is acceptable.  For example:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int keysize, err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now given a 20 byte key what keysize does Twofish want to use? */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   keysize = 20;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = twofish_keysize(&keysize)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error getting key size: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("Twofish suggested a key size of %d\n", keysize);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis should indicate a keysize of sixteen bytes is suggested by storing 16 in \textit{keysize.}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Cipher Termination}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen you are finished with a cipher you can de--initialize it with the done function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid XXX_done(symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor the software based ciphers within LibTomCrypt, these functions will not do anything.  However, user supplied
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcipher descriptors may require to be called for resource management purposes.  To be compliant, all functions which call a cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsetup function must also call the respective cipher done function when finished.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Simple Encryption Demonstration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn example snippet that encodes a block with Blowfish in ECB mode.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{blowfish\_setup()} \index{blowfish\_ecb\_encrypt()} \index{blowfish\_ecb\_decrypt()} \index{blowfish\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char pt[8], ct[8], key[8];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   symmetric_key skey;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ... key is loaded appropriately in key ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ... load a block of plaintext in pt ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* schedule the key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = blowfish_setup(key, /* the key we will use */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               8, /* key is 8 bytes (64-bits) long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               0, /* 0 == use default # of rounds */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           &skey) /* where to put the scheduled key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Setup error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* encrypt the block */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   blowfish_ecb_encrypt(pt,       /* encrypt this 8-byte array */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        ct,       /* store encrypted data here */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        &skey);   /* our previously scheduled key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now ct holds the encrypted version of pt */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* decrypt the block */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   blowfish_ecb_decrypt(ct,       /* decrypt this 8-byte array */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        pt,       /* store decrypted data here */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        &skey);   /* our previously scheduled key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now we have decrypted ct to the original plaintext in pt */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* Terminate the cipher context */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   blowfish_done(&skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Sizes and Number of Rounds}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Symmetric Keys}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs a general rule of thumb, do not use symmetric keys under 80 bits if you can help it.  Only a few of the ciphers support smaller
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectkeys (mainly for test vectors anyways).  Ideally, your application should be making at least 256 bit keys.  This is not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbecause you are to be paranoid.  It is because if your PRNG has a bias of any sort the more bits the better.  For
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectexample, if you have $\mbox{Pr}\left[X = 1\right] = {1 \over 2} \pm \gamma$ where $\vert \gamma \vert > 0$ then the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttotal amount of entropy in N bits is $N \cdot -log_2\left ({1 \over 2} + \vert \gamma \vert \right)$.  So if $\gamma$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwere $0.25$ (a severe bias) a 256-bit string would have about 106 bits of entropy whereas a 128-bit string would have
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectonly 53 bits of entropy.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe number of rounds of most ciphers is not an option you can change.  Only RC5 allows you to change the number of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrounds.  By passing zero as the number of rounds all ciphers will use their default number of rounds.  Generally the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectciphers are configured such that the default number of rounds provide adequate security for the given block and key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsize.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{The Cipher Descriptors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher Descriptor}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo facilitate automatic routines an array of cipher descriptors is provided in the array \textit{cipher\_descriptor}.  An element
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof this array has the following (partial) format (See Section \ref{sec:cipherdesc}):
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct _cipher_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** name of cipher */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** internal ID */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char ID;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** min keysize (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int  min_key_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** max keysize (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        max_key_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** block size (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        block_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** default number of rounds */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        default_rounds;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project...<snip>...
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{name} is the lower case ASCII version of the name.  The fields \textit{min\_key\_length} and \textit{max\_key\_length}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare the minimum and maximum key sizes in bytes.  The \textit{block\_length} member is the block size of the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin bytes.  As a good rule of thumb it is assumed that the cipher supports
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe min and max key lengths but not always everything in between.  The \textit{default\_rounds} field is the default number
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof rounds that will be used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor a plugin to be compliant it must provide at least each function listed before the accelerators begin.  Accelerators are optional,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand if missing will be emulated in software.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe remaining fields are all pointers to the core functions for each cipher.  The end of the cipher\_descriptor array is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmarked when \textit{name} equals {\bf NULL}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of this release the current cipher\_descriptors elements are the following:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher descriptor table}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{blowfish\_desc} \index{xtea\_desc} \index{rc2\_desc} \index{rc5\_desc} \index{rc6\_desc} \index{saferp\_desc} \index{aes\_desc} \index{twofish\_desc}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{des\_desc} \index{des3\_desc} \index{noekeon\_desc} \index{skipjack\_desc} \index{anubis\_desc} \index{khazad\_desc} \index{kseed\_desc} \index{kasumi\_desc}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[hpbt]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline \textbf{Name} & \textbf{Descriptor Name} & \textbf{Block Size} & \textbf{Key Range} & \textbf{Rounds} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Blowfish & blowfish\_desc & 8 & 8 $\ldots$ 56 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline X-Tea & xtea\_desc & 8 & 16 & 32 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline RC2 & rc2\_desc & 8 & 8 $\ldots$ 128 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline RC5-32/12/b & rc5\_desc & 8 & 8 $\ldots$ 128 & 12 $\ldots$ 24 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline RC6-32/20/b & rc6\_desc & 16 & 8 $\ldots$ 128 & 20 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline SAFER+ & saferp\_desc &16 & 16, 24, 32 & 8, 12, 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline AES & aes\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                & aes\_enc\_desc & 16 & 16, 24, 32 & 10, 12, 14 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Twofish & twofish\_desc & 16 & 16, 24, 32 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline DES & des\_desc & 8 & 7 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline 3DES (EDE mode) & des3\_desc & 8 & 21 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline CAST5 (CAST-128) & cast5\_desc & 8 & 5 $\ldots$ 16 & 12, 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Noekeon & noekeon\_desc & 16 & 16 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Skipjack & skipjack\_desc & 8 & 10 & 32 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Anubis & anubis\_desc & 16 & 16 $\ldots$ 40 & 12 $\ldots$ 18 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline Khazad & khazad\_desc & 8 & 16 & 8 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline SEED   & kseed\_desc & 16 & 16 & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline KASUMI & kasumi\_desc & 8 & 16 & 8 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{Built--In Software Ciphers}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Notes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\item
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor AES, (also known as Rijndael) there are four descriptors which complicate issues a little.  The descriptors
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrijndael\_desc and rijndael\_enc\_desc provide the cipher named \textit{rijndael}.  The descriptors aes\_desc and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectaes\_enc\_desc provide the cipher name \textit{aes}.  Functionally both \textit{rijndael} and \textit{aes} are the same cipher.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectonly difference is when you call find\_cipher() you have to pass the correct name.  The cipher descriptors with \textit{enc}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin the middle (e.g. rijndael\_enc\_desc) are related to an implementation of Rijndael with only the encryption routine
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand tables.  The decryption and self--test function pointers of both \textit{encrypt only} descriptors are set to \textbf{NULL} and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectshould not be called.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{encrypt only} descriptors are useful for applications that only use the encryption function of the cipher.  Algorithms such
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas EAX, PMAC and OMAC only require the encryption function.  So far this \textit{encrypt only} functionality has only been implemented for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRijndael as it makes the most sense for this cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\item
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that for \textit{DES} and \textit{3DES} they use 8 and 24 byte keys but only 7 and 21 [respectively] bytes of the keys are in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfact used for the purposes of encryption.  My suggestion is just to use random 8/24 byte keys instead of trying to make a 8/24
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbyte string from the real 7/21 byte key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\item
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that \textit{Twofish} has additional configuration options (Figure \ref{fig:twofishopts}) that take place at build time.  These options are found in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe file \textit{tomcrypt\_cfg.h}.  The first option is \textit{TWOFISH\_SMALL} which when defined will force the Twofish code
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto not pre-compute the Twofish \textit{$g(X)$} function as a set of four $8 \times 32$ s-boxes.  This means that a scheduled
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectkey will require less ram but the resulting cipher will be slower.  The second option is \textit{TWOFISH\_TABLES} which when
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdefined will force the Twofish code to use pre-computed tables for the two s-boxes $q_0, q_1$ as well as the multiplication
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby the polynomials 5B and EF used in the MDS multiplication.  As a result the code is faster and slightly larger.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspeed increase is useful when \textit{TWOFISH\_SMALL} is defined since the s-boxes and MDS multiply form the heart of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTwofish round function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[hpbt]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Twofish build options} \index{TWOFISH\_SMALL} \index{TWOFISH\_TABLES}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|l|l|l|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline \textbf{TWOFISH\_SMALL} & \textbf{TWOFISH\_TABLES} & \textbf{Speed and Memory (per key)} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline undefined & undefined & Very fast, 4.2KB of ram. \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline undefined & defined & Faster key setup, larger code. \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline defined & undefined & Very slow, 0.2KB of ram. \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline defined & defined & Faster, 0.2KB of ram, larger code. \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{Twofish Build Options}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\label{fig:twofishopts}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo work with the cipher\_descriptor array there is a function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{find\_cipher()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint find_cipher(char *name)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will search for a given name in the array.  It returns $-1$ if the cipher is not found, otherwise it returns
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe location in the array where the cipher was found.  For example, to indirectly setup Blowfish you can also use:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{register\_cipher()} \index{find\_cipher()} \index{error\_to\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[8];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   symmetric_key skey;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* you must register a cipher before you use it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&blowfish_desc)) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Unable to register Blowfish cipher.");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* generic call to function (assuming the key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    * in key[] was already setup) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        cipher_descriptor[find_cipher("blowfish")].
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          setup(key, 8, 0, &skey)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error setting up Blowfish: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ... use cipher ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA good safety would be to check the return value of \textit{find\_cipher()} before accessing the desired function.  In order
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto use a cipher with the descriptor table you must register it first using:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{register\_cipher()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint register_cipher(const struct _cipher_descriptor *cipher);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich accepts a pointer to a descriptor and returns the index into the global descriptor table.  If an error occurs such
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas there is no more room (it can have 32 ciphers at most) it will return {\bf{-1}}.  If you try to add the same cipher more
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthan once it will just return the index of the first copy.  To remove a cipher call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{unregister\_cipher()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint unregister_cipher(const struct _cipher_descriptor *cipher);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if it removes the cipher, otherwise it returns {\bf CRYPT\_ERROR}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register the cipher */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&rijndael_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering Rijndael\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* use Rijndael */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* remove it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = unregister_cipher(&rijndael_desc)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error removing Rijndael: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis snippet is a small program that registers Rijndael.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Symmetric Modes of Operations}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Background}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA typical symmetric block cipher can be used in chaining modes to effectively encrypt messages larger than the block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsize of the cipher.  Given a key $k$, a plaintext $P$ and a cipher $E$ we shall denote the encryption of the block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$P$ under the key $k$ as $E_k(P)$.  In some modes there exists an initial vector denoted as $C_{-1}$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{ECB Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ECB mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECB or Electronic Codebook Mode is the simplest method to use.  It is given as:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_i = E_k(P_i)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis mode is very weak since it allows people to swap blocks and perform replay attacks if the same key is used more
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthan once.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{CBC Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{CBC mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCBC or Cipher Block Chaining mode is a simple mode designed to prevent trivial forms of replay and swap attacks on ciphers.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is given as:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_i = E_k(P_i \oplus C_{i - 1})
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is important that the initial vector be unique and preferably random for each message encrypted under the same key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{CTR Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{CTR mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCTR or Counter Mode is a mode which only uses the encryption function of the cipher.  Given a initial vector which is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttreated as a large binary counter the CTR mode is given as:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_{-1} = C_{-1} + 1\mbox{ }(\mbox{mod }2^W) \nonumber \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_i = P_i \oplus E_k(C_{-1})
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere $W$ is the size of a block in bits (e.g. 64 for Blowfish).  As long as the initial vector is random for each message
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypted under the same key replay and swap attacks are infeasible.  CTR mode may look simple but it is as secure
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas the block cipher is under a chosen plaintext attack (provided the initial vector is unique).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{CFB Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{CFB mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFB or Ciphertext Feedback Mode is a mode akin to CBC.  It is given as:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_i = P_i \oplus C_{-1} \nonumber \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_{-1} = E_k(C_i)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that in this library the output feedback width is equal to the size of the block cipher.  That is this mode is used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto encrypt whole blocks at a time.  However, the library will buffer data allowing the user to encrypt or decrypt partial
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectblocks without a delay.  When this mode is first setup it will initially encrypt the initial vector as required.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{OFB Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{OFB mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOFB or Output Feedback Mode is a mode akin to CBC as well.  It is given as:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_{-1} = E_k(C_{-1}) \nonumber \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectC_i = P_i \oplus C_{-1}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{eqnarray}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLike the CFB mode the output width in CFB mode is the same as the width of the block cipher.  OFB mode will also
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbuffer the output which will allow you to encrypt or decrypt partial blocks without delay.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Choice of Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectMy personal preference is for the CTR mode since it has several key benefits:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item No short cycles which is possible in the OFB and CFB modes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Provably as secure as the block cipher being used under a chosen plaintext attack.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Technically does not require the decryption routine of the cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Allows random access to the plaintext.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Allows the encryption of block sizes that are not equal to the size of the block cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe CTR, CFB and OFB routines provided allow you to encrypt block sizes that differ from the ciphers block size.  They
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectaccomplish this by buffering the data required to complete a block.  This allows you to encrypt or decrypt any size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectblock of memory with either of the three modes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ECB and CBC modes process blocks of the same size as the cipher at a time.  Therefore, they are less flexible than the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectother modes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Ciphertext Stealing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Ciphertext stealing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCiphertext stealing is a method of dealing with messages in CBC mode which are not a multiple of the block length.  This is accomplished
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby encrypting the last ciphertext block in ECB mode, and XOR'ing the output against the last partial block of plaintext.  LibTomCrypt does not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsupport this mode directly but it is fairly easy to emulate with a call to the cipher's ecb\_encrypt() callback function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe more sane way to deal with partial blocks is to pad them with zeroes, and then use CBC normally.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Initialization}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{CBC Mode} \index{CTR Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{OFB Mode} \index{CFB Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library provides simple support routines for handling CBC, CTR, CFB, OFB and ECB encoded messages.  Assuming the mode
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou want is XXX there is a structure called \textit{symmetric\_XXX} that will contain the information required to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectuse that mode.  They have identical setup routines (except CTR and ECB mode):
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecb\_start()} \index{cfb\_start()} \index{cbc\_start()} \index{ofb\_start()} \index{ctr\_start()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_start(                int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_XXX *XXX);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ctr_start(                int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  ctr_mode,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_CTR *ctr);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecb_start(                int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_ECB *ecb);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn each case, \textit{cipher} is the index into the cipher\_descriptor array of the cipher you want to use.  The \textit{IV} value is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe initialization vector to be used with the cipher.  You must fill the IV yourself and it is assumed they are the same
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlength as the block size\footnote{In other words the size of a block of plaintext for the cipher, e.g. 8 for DES, 16 for AES, etc.}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the cipher you choose.  It is important that the IV  be random for each unique message you want to encrypt.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectparameters \textit{key}, \textit{keylen} and \textit{num\_rounds} are the same as in the XXX\_setup() function call.  The final parameter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis a pointer to the structure you want to hold the information for the mode of operation.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the case of CTR mode there is an additional parameter \textit{ctr\_mode} which specifies the mode that the counter is to be used in.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf \textbf{CTR\_COUNTER\_ LITTLE\_ENDIAN} was specified then the counter will be treated as a little endian value.  Otherwise, if
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{CTR\_COUNTER\_BIG\_ENDIAN} was specified the counter will be treated as a big endian value.  As of v1.15 the RFC 3686 style of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectincrement then encrypt is also supported.  By OR'ing \textbf{LTC\_CTR\_RFC3686} with the CTR \textit{mode} value, ctr\_start() will increment
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe counter before encrypting it for the first time.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe routines return {\bf CRYPT\_OK} if the cipher initialized correctly, otherwise, they return an error code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Encryption and Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo actually encrypt or decrypt the following routines are provided:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecb\_encrypt()} \index{ecb\_decrypt()} \index{cfb\_encrypt()} \index{cfb\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{cbc\_encrypt()} \index{cbc\_decrypt()} \index{ofb\_encrypt()} \index{ofb\_decrypt()} \index{ctr\_encrypt()} \index{ctr\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_encrypt(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_YYY *YYY);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_decrypt(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_YYY *YYY);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{XXX} is one of $\lbrace ecb, cbc, ctr, cfb, ofb \rbrace$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn all cases, \textit{len} is the size of the buffer (as number of octets) to encrypt or decrypt.  The CTR, OFB and CFB modes are order sensitive but not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectchunk sensitive.  That is you can encrypt \textit{ABCDEF} in three calls like \textit{AB}, \textit{CD}, \textit{EF} or two like \textit{ABCDE} and \textit{F}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand end up with the same ciphertext.  However, encrypting \textit{ABC} and \textit{DABC} will result in different ciphertexts.  All
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfive of the modes will return {\bf CRYPT\_OK} on success from the encrypt or decrypt functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the ECB and CBC cases, \textit{len} must be a multiple of the ciphers block size.  In the CBC case, you must manually pad the end of your message (either with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectzeroes or with whatever your protocol requires).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo decrypt in either mode, perform the setup like before (recall you have to fetch the IV value you used), and use the decrypt routine on all of the blocks.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{IV Manipulation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo change or read the IV of a previously initialized chaining mode use the following two functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{cbc\_setiv()} \index{cbc\_getiv()} \index{ofb\_setiv()} \index{ofb\_getiv()} \index{cfb\_setiv()} \index{cfb\_getiv()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ctr\_setiv()} \index{ctr\_getiv()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_getiv(unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              symmetric_XXX *XXX);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_setiv(const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_XXX *XXX);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe XXX\_getiv() functions will read the IV out of the chaining mode and store it into \textit{IV} along with the length of the IV
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstored in \textit{len}.  The XXX\_setiv will initialize the chaining mode state as if the original IV were the new IV specified.  The length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the IV passed in must be the size of the ciphers block size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe XXX\_setiv() functions are handy if you wish to change the IV without re--keying the cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhat the \textit{setiv} function will do depends on the mode being changed.  In CBC mode, the new IV replaces the existing IV as if it
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwere the last ciphertext block.  In CFB mode, the IV is encrypted as if it were the prior encrypted pad.  In CTR mode, the IV is encrypted without
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfirst incrementing it (regardless of the LTC\_RFC\_3686 flag presence).  In F8 mode, the IV is encrypted and becomes the new pad.  It does not change
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe salted IV, and is only meant to allow seeking within a session.  In LRW, it changes the tweak, forcing a computation of the tweak pad, allowing for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectseeking within the session.  In OFB mode, the IV is encrypted and becomes the new pad.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Stream Termination}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo terminate an open stream call the done function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecb\_done()} \index{cbc\_done()}\index{cfb\_done()}\index{ofb\_done()} \index{ctr\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_done(symmetric_XXX *XXX);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will terminate the stream (by terminating the cipher) and return \textbf{CRYPT\_OK} if successful.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newpage
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Examples}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[16], IV[16], buffer[512];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   symmetric_CTR ctr;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int x, err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register twofish first */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&twofish_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering cipher.\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* somehow fill out key and IV */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* start up CTR mode */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ctr_start(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        find_cipher("twofish"), /* index of desired cipher */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            IV, /* the initial vector */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           key, /* the secret key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            16, /* length of secret key (16 bytes) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             0, /* 0 == default # of rounds */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     CTR_COUNTER_LITTLE_ENDIAN, /* Little endian counter */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         &ctr)  /* where to store the CTR state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("ctr_start error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* somehow fill buffer than encrypt it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ctr_encrypt(        buffer, /* plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  buffer, /* ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          sizeof(buffer), /* length of plaintext pt */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                   &ctr)  /* CTR state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("ctr_encrypt error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* make use of ciphertext... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now we want to decrypt so let's use ctr_setiv */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ctr_setiv(  IV, /* the initial IV we gave to ctr_start */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          16, /* the IV is 16 bytes long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        &ctr) /* the ctr state we wish to modify */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("ctr_setiv error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ctr_decrypt(        buffer, /* ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  buffer, /* plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          sizeof(buffer), /* length of plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                   &ctr)  /* CTR state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("ctr_decrypt error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* terminate the stream */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ctr_done(&ctr)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("ctr_done error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* clear up and return */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   zeromem(key, sizeof(key));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   zeromem(&ctr, sizeof(ctr));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LRW Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLRW mode is a cipher mode which is meant for indexed encryption like used to handle storage media.  It is meant to have efficient seeking and overcome the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsecurity problems of ECB mode while not increasing the storage requirements.  It is used much like any other chaining mode except with two key differences.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe key is specified as two strings the first key $K_1$ is the (normally AES) key and can be any length (typically 16, 24 or 32 octets long).  The second key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$K_2$ is the \textit{tweak} key and is always 16 octets long.  The tweak value is \textbf{NOT} a nonce or IV value it must be random and secret.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo initialize LRW mode use:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{lrw\_start()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_start(                int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *tweak,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the LRW context with the given (16 octet) \textit{IV}, cipher $K_1$ \textit{key} of length \textit{keylen} octets and the (16 octet) $K_2$ \textit{tweak}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhile LRW was specified to be used only with AES, LibTomCrypt will allow any 128--bit block cipher to be specified as indexed by \textit{cipher}.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnumber of rounds for the block cipher \textit{num\_rounds} can be 0 to use the default number of rounds for the given cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo process data use the following functions:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{lrw\_encrypt()} \index{lrw\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_encrypt(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_decrypt(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encrypt (or decrypt) the plaintext to the ciphertext buffer (or vice versa).  The length is specified by \textit{len} in octets but must be a multiple
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof 16.  The LRW code uses a fast tweak update such that consecutive blocks are encrypted faster than if random seeking where used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo manipulate the IV use the following functions:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{lrw\_getiv()} \index{lrw\_setiv()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_getiv(unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_setiv(const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will get or set the 16--octet IV.  Note that setting the IV is the same as \textit{seeking} and unlike other modes is not a free operation.  It requires
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectupdating the entire tweak which is slower than sequential use.  Avoid seeking excessively in performance constrained code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo terminate the LRW state use the following:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{lrw\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint lrw_done(symmetric_LRW *lrw);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{F8 Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{F8 Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe F8 Chaining mode (see RFC 3711 for instance) is yet another chaining mode for block ciphers.  It behaves much like CTR mode in that it XORs a keystream
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectagainst the plaintext to encrypt.  F8 mode comes with the additional twist that the counter value is secret, encrypted by a \textit{salt key}.  We
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinitialize F8 mode with the following function call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f8\_start()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_start(                int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *salt_key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  skeylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will start the F8 mode state using \textit{key} as the secret key, \textit{IV} as the counter.  It uses the \textit{salt\_key} as IV encryption key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(\textit{m} in the RFC 3711).  The salt\_key can be shorter than the secret key but it should not be longer.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encrypt or decrypt data we use the following two functions:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f8\_encrypt()} \index{f8\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_encrypt(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_decrypt(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encrypt or decrypt a variable length array of bytes using the F8 mode state specified.  The length is specified in bytes and does not have to be a multiple
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the ciphers block size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo change or retrieve the current counter IV value use the following functions:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f8\_getiv()} \index{f8\_setiv()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_getiv(unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned long *len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_setiv(const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese work with the current IV value only and not the encrypted IV value specified during the call to f8\_start().  The purpose of these two functions is to be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectable to seek within a current session only.  If you want to change the session IV you will have to call f8\_done() and then start a new state with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectf8\_start().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo terminate an F8 state call the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f8\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f8_done(symmetric_F8 *f8);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Encrypt and Authenticate Modes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{EAX Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt provides support for a mode called EAX\footnote{See
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectM. Bellare, P. Rogaway, D. Wagner, A Conventional Authenticated-Encryption Mode.} in a manner similar to the way it was intended to be used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby the designers.  First, a short description of what EAX mode is before we explain how to use it.  EAX is a mode that requires a cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCTR and OMAC support and provides encryption and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectauthentication\footnote{Note that since EAX only requires OMAC and CTR you may use \textit{encrypt only} cipher descriptors with this mode.}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is initialized with a random \textit{nonce} that can be shared publicly, a \textit{header} which can be fixed and public, and a random secret symmetric key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{header} data is meant to be meta--data associated with a stream that isn't private (e.g., protocol messages).  It can
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbe added at anytime during an EAX stream, and is part of the authentication tag.  That is, changes in the meta-data can be detected by changes in the output tag.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe mode can then process plaintext producing ciphertext as well as compute a partial checksum.  The actual checksum
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcalled a \textit{tag} is only emitted when the message is finished.  In the interim, the user can process any arbitrary
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsized message block to send to the recipient as ciphertext.  This makes the EAX mode especially suited for streaming modes
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof operation.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe mode is initialized with the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_init(          eax_state *eax,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *nonce,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  noncelen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *header,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  headerlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{eax} is the EAX state.  The \textit{cipher} parameter is the index of the desired cipher in the descriptor table.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{key} parameter is the shared secret symmetric key of length \textit{keylen} octets.  The \textit{nonce} parameter is the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrandom public string of length \textit{noncelen} octets.  The \textit{header} parameter is the random (or fixed or \textbf{NULL}) header for the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmessage of length \textit{headerlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this function completes, the \textit{eax} state will be initialized such that you can now either have data decrypted or
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypted in EAX mode.  Note: if \textit{headerlen} is zero you may pass \textit{header} as \textbf{NULL} to indicate there is no initial header data.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encrypt or decrypt data in a streaming mode use the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_encrypt()} \index{eax\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_encrypt(          eax_state *eax,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  length);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_decrypt(          eax_state *eax,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  length);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe function \textit{eax\_encrypt} will encrypt the bytes in \textit{pt} of \textit{length} octets, and store the ciphertext in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{ct}.  Note: \textit{ct} and \textit{pt} may be the same region in memory.   This function will also send the ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthrough the OMAC function.  The function \textit{eax\_decrypt} decrypts \textit{ct}, and stores it in \textit{pt}.  This also allows
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{pt} and \textit{ct} to be the same region in memory.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou cannot both encrypt or decrypt with the same \textit{eax} context.  For bi--directional communication you will need to initialize
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttwo EAX contexts (preferably with different headers and nonces).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: both of these functions allow you to send the data in any granularity but the order is important.  While
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe eax\_init() function allows you to add initial header data to the stream you can also add header data during the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEAX stream with the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_addheader()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_addheader(          eax_state *eax,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  const unsigned char *header,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  length);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will add the \textit{length} octet from \textit{header} to the given \textit{eax} header.  Once the message is finished, the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{tag} (checksum) may be computed with the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_done(    eax_state *eax,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *tag,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned long *taglen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will terminate the EAX state \textit{eax}, and store up to \textit{taglen} bytes of the message tag in \textit{tag}.  The function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthen stores how many bytes of the tag were written out back in to \textit{taglen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe EAX mode code can be tested to ensure it matches the test vectors by calling the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis requires that the AES (or Rijndael) block cipher be registered with the cipher\_descriptor table first.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   eax_state     eax;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char pt[64], ct[64], nonce[16], key[16], tag[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long taglen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&rijndael_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering Rijndael");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ... make up random nonce and key ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* initialize context */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = eax_init(            &eax,  /* context */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                find_cipher("rijndael"),  /* cipher id */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  nonce,  /* the nonce */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                     16,  /* nonce is 16 bytes */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              "TestApp",  /* example header */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      7)  /* header length */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error eax_init: %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now encrypt data, say in a loop or whatever */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = eax_encrypt(     &eax, /* eax context */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 pt, /* plaintext  (source) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 ct, /* ciphertext (destination) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          sizeof(pt) /* size of plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error eax_encrypt: %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* finish message and get authentication tag */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   taglen = sizeof(tag);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = eax_done(   &eax,      /* eax context */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           tag,      /* where to put tag */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       &taglen       /* length of tag space */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error eax_done: %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now we have the authentication tag in "tag" and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    * it's taglen bytes long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou can also perform an entire EAX state on a block of memory in a single function call with the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfollowing functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{eax\_encrypt\_authenticate\_memory} \index{eax\_decrypt\_verify\_memory}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_encrypt_authenticate_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *nonce,  unsigned long noncelen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *header, unsigned long headerlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *pt,     unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *tag,    unsigned long *taglen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint eax_decrypt_verify_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *nonce,  unsigned long noncelen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *header, unsigned long headerlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *ct,     unsigned long ctlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *tag,    unsigned long taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          int           *res);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectBoth essentially just call eax\_init() followed by eax\_encrypt() (or eax\_decrypt() respectively) and eax\_done().  The parameters
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthave the same meaning as with those respective functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe only difference is eax\_decrypt\_verify\_memory() does not emit a tag.  Instead you pass it a tag as input and it compares it against
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe tag it computed while decrypting the message.  If the tags match then it stores a $1$ in \textit{res}, otherwise it stores a $0$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{OCB Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt provides support for a mode called OCB\footnote{See
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectP. Rogaway, M. Bellare, J. Black, T. Krovetz, \textit{OCB: A Block Cipher Mode of Operation for Efficient Authenticated Encryption}.}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project.  OCB is an encryption protocol that simultaneously provides authentication.  It is slightly faster to use than EAX mode
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbut is less flexible.  Let's review how to initialize an OCB context.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ocb\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_init(          ocb_state *ocb,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *nonce);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the \textit{ocb} context using cipher descriptor \textit{cipher}.  It will use a \textit{key} of length \textit{keylen}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand the random \textit{nonce}.  Note that \textit{nonce} must be a random (public) string the same length as the block ciphers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectblock size (e.g. 16 bytes for AES).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis mode has no \textit{Associated Data} like EAX mode does which means you cannot authenticate metadata along with the stream.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encrypt or decrypt data use the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ocb\_encrypt()} \index{ocb\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_encrypt(          ocb_state *ocb,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *ct);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_decrypt(          ocb_state *ocb,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *pt);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will encrypt (or decrypt for the latter) a fixed length of data from \textit{pt} to \textit{ct} (vice versa for the latter).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThey assume that \textit{pt} and \textit{ct} are the same size as the block cipher's block size.  Note that you cannot call
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectboth functions given a single \textit{ocb} state.  For bi-directional communication you will have to initialize two \textit{ocb}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstates (with different nonces).  Also \textit{pt} and \textit{ct} may point to the same location in memory.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{State Termination}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen you are finished encrypting the message you call the following function to compute the tag.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ocb\_done\_encrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_done_encrypt(          ocb_state *ocb,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long  ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned char *tag,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long *taglen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will terminate an encrypt stream \textit{ocb}.  If you have trailing bytes of plaintext that will not complete a block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou can pass them here.  This will also encrypt the \textit{ptlen} bytes in \textit{pt} and store them in \textit{ct}.  It will also
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstore up to \textit{taglen} bytes of the tag into \textit{tag}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that \textit{ptlen} must be less than or equal to the block size of block cipher chosen.  Also note that if you have
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectan input message equal to the length of the block size then you pass the data here (not to ocb\_encrypt()) only.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo terminate a decrypt stream and compared the tag you call the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ocb\_done\_decrypt()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_done_decrypt(          ocb_state *ocb,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long  ctlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     const unsigned char *tag,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long  taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                     int *res);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilarly to the previous function you can pass trailing message bytes into this function.  This will compute the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttag of the message (internally) and then compare it against the \textit{taglen} bytes of \textit{tag} provided.  By default
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{res} is set to zero.  If all \textit{taglen} bytes of \textit{tag} can be verified then \textit{res} is set to one (authenticated
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmessage).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Packet Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo make life simpler the following two functions are provided for memory bound OCB.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project%\index{ocb\_encrypt\_authenticate\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_encrypt_authenticate_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *nonce,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *pt,     unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *tag,    unsigned long *taglen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will OCB encrypt the message \textit{pt} of length \textit{ptlen}, and store the ciphertext in \textit{ct}.  The length \textit{ptlen}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcan be any arbitrary length.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ocb\_decrypt\_verify\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ocb_decrypt_verify_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *nonce,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *ct,     unsigned long ctlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *tag,    unsigned long taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          int           *res);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilarly, this will OCB decrypt, and compare the internally computed tag against the tag provided. \textit{res} is set
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectappropriately.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{CCM Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCCM is a NIST proposal for encrypt + authenticate that is centered around using AES (or any 16--byte cipher) as a primitive.  Unlike EAX and OCB mode,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit is only meant for \textit{packet} mode where the length of the input is known in advance.  Since it is a packet mode function, CCM only has one
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction that performs the protocol.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ccm\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ccm_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    symmetric_key       *uskey,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *nonce,  unsigned long noncelen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *header, unsigned long headerlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *pt,     unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *tag,    unsigned long *taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  direction);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis performs the \textit{CCM} operation on the data.  The \textit{cipher} variable indicates which cipher in the descriptor table to use.  It must have a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project16--byte block size for CCM.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe key can be specified in one of two fashions.  First, it can be passed as an array of octets in \textit{key} of length \textit{keylen}.  Alternatively,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit can be passed in as a previously scheduled key in \textit{uskey}.  The latter fashion saves time when the same key is used for multiple packets.  If
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{uskey} is not \textbf{NULL}, then \textit{key} may be \textbf{NULL} (and vice-versa).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe nonce or salt is \textit{nonce} of length \textit{noncelen} octets.  The header is meta--data you want to send with the message but not have
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypted, it is stored in \textit{header} of length \textit{headerlen} octets.  The header can be zero octets long (if $headerlen = 0$ then
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou can pass \textit{header} as \textbf{NULL}).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe plaintext is stored in \textit{pt}, and the ciphertext in \textit{ct}.  The length of both are expected to be equal and is passed in as \textit{ptlen}.  It is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectallowable that $pt = ct$.  The \textit{direction} variable indicates whether encryption (direction $=$ \textbf{CCM\_ENCRYPT}) or
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdecryption (direction $=$ \textbf{CCM\_DECRYPT}) is to be performed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs implemented, this version of CCM cannot handle header or plaintext data longer than $2^{32} - 1$ octets long.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou can test the implementation of CCM with the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ccm\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ccm_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will return \textbf{CRYPT\_OK} if the CCM routine passes known test vectors.  It requires AES or Rijndael to be registered previously, otherwise it will
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectreturn \textbf{CRYPT\_NOP}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{CCM Example}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following is a sample of how to call CCM.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[16], nonce[12], pt[32], ct[32],
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 tag[16], tagcp[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long taglen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register cipher */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   register_cipher(&aes_desc);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* somehow fill key, nonce, pt */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* encrypt it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   taglen = sizeof(tag);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ccm_memory(find_cipher("aes"),
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  key, 16,    /* 128-bit key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  NULL,       /* not prescheduled */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  nonce, 12,  /* 96-bit nonce */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  NULL, 0,    /* no header */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  pt, 32,     /* 32-byte plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  ct,         /* ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  tag, &taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  CCM_ENCRYPT)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("ccm_memory error %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ct[0..31] and tag[0..15] now hold the output */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* decrypt it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   taglen = sizeof(tagcp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ccm_memory(find_cipher("aes"),
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  key, 16,    /* 128-bit key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  NULL,       /* not prescheduled */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  nonce, 12,  /* 96-bit nonce */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  NULL, 0,    /* no header */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  ct, 32,     /* 32-byte ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  pt,         /* plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  tagcp, &taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  CCM_DECRYPT)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("ccm_memory error %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now pt[0..31] should hold the original plaintext,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      tagcp[0..15] and tag[0..15] should have the same contents */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{GCM Mode}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectGalois counter mode is an IEEE proposal for authenticated encryption (also it is a planned NIST standard).  Like EAX and OCB mode, it can be used in a streaming capacity
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthowever, unlike EAX it cannot accept \textit{additional authentication data} (meta--data) after plaintext has been processed.  This mode also only works with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectblock ciphers with a 16--byte block.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA GCM stream is meant to be processed in three modes, one after another.  First, the initial vector (per session) data is processed.  This should be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunique to every session.  Next, the the optional additional authentication data is processed, and finally the plaintext (or ciphertext depending on the direction).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Initialization}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo initialize the GCM context with a secret key call the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_init(          gcm_state *gcm,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis initializes the GCM state \textit{gcm} for the given cipher indexed by \textit{cipher}, with a secret key \textit{key} of length \textit{keylen} octets.  The cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectchosen must have a 16--byte block size (e.g., AES).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Initial Vector}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAfter the state has been initialized (or reset) the next step is to add the session (or packet) initial vector.  It should be unique per packet encrypted.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_add\_iv()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_add_iv(          gcm_state *gcm,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               const unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  IVlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis adds the initial vector octets from \textit{IV} of length \textit{IVlen} to the GCM state \textit{gcm}.  You can call this function as many times as required
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto process the entire IV.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: the GCM protocols provides a \textit{shortcut} for 12--byte IVs where no pre-processing is to be done.  If you want to minimize per packet latency it is ideal
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto only use 12--byte IVs.  You can just increment it like a counter for each packet.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Additional Authentication Data}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAfter the entire IV has been processed, the additional authentication data can be processed.  Unlike the IV, a packet/session does not require additional
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectauthentication data (AAD) for security.  The AAD is meant to be used as side--channel data you want to be authenticated with the packet.  Note:  once
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou begin adding AAD to the GCM state you cannot return to adding IV data until the state has been reset.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_add\_aad()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_add_aad(          gcm_state *gcm,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *adata,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  adatalen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis adds the additional authentication data \textit{adata} of length \textit{adatalen} to the GCM state \textit{gcm}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Plaintext Processing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAfter the AAD has been processed, the plaintext (or ciphertext depending on the direction) can be processed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_process(    gcm_state *gcm,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                unsigned long  ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          int  direction);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis processes message data where \textit{pt} is the plaintext and \textit{ct} is the ciphertext.  The length of both are equal and stored in \textit{ptlen}.  Depending on
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe mode \textit{pt} is the input and \textit{ct} is the output (or vice versa).  When \textit{direction} equals \textbf{GCM\_ENCRYPT} the plaintext is read,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypted and stored in the ciphertext buffer.  When \textit{direction} equals \textbf{GCM\_DECRYPT} the opposite occurs.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{State Termination}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo terminate a GCM state and retrieve the message authentication tag call the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_done(    gcm_state *gcm,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *tag,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned long *taglen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis terminates the GCM state \textit{gcm} and stores the tag in \textit{tag} of length \textit{taglen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{State Reset}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe call to gcm\_init() will perform considerable pre--computation (when \textbf{GCM\_TABLES} is defined) and if you're going to be dealing with a lot of packets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit is very costly to have to call it repeatedly.  To aid in this endeavour, the reset function has been provided.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_reset()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_reset(gcm_state *gcm);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will reset the GCM state \textit{gcm} to the state that gcm\_init() left it.  The user would then call gcm\_add\_iv(), gcm\_add\_aad(), etc.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{One--Shot Packet}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo process a single packet under any given key the following helper function can be used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint gcm_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *IV,    unsigned long IVlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *adata, unsigned long adatalen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *pt,    unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *tag,   unsigned long *taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  direction);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the GCM state with the given key, IV and AAD value then proceed to encrypt or decrypt the message text and store the final
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmessage tag.  The definition of the variables is the same as it is for all the manual functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf you are processing many packets under the same key you shouldn't use this function as it invokes the pre--computation with each call.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Example Usage}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following is an example usage of how to use GCM over multiple packets with a shared secret key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint send_packet(const unsigned char *pt,  unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *iv,  unsigned long ivlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *aad, unsigned long aadlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      gcm_state     *gcm)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long taglen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char tag[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* reset the state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = gcm_reset(gcm)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* Add the IV */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = gcm_add_iv(gcm, iv, ivlen)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* Add the AAD (note: aad can be NULL if aadlen == 0) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = gcm_add_aad(gcm, aad, aadlen)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* process the plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        gcm_process(gcm, pt, ptlen, pt, GCM_ENCRYPT)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* Finish up and get the MAC tag */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   taglen = sizeof(tag);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = gcm_done(gcm, tag, &taglen)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ... send a header describing the lengths ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* depending on the protocol and how IV is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    * generated you may have to send it too... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   send(socket, iv, ivlen, 0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* send the aad */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   send(socket, aad, aadlen, 0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* send the ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   send(socket, pt, ptlen, 0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* send the tag */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   send(socket, tag, taglen, 0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return CRYPT_OK;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   gcm_state     gcm;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[16], IV[12], pt[PACKET_SIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err, x;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long ptlen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* somehow fill key/IV with random values */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register AES */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   register_cipher(&aes_desc);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* init the GCM state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        gcm_init(&gcm, find_cipher("aes"), key, 16)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      whine_and_pout(err);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* handle us some packets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   for (;;) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ptlen = make_packet_we_want_to_send(pt);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       /* use IV as counter (12 byte counter) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       for (x = 11; x >= 0; x--) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project           if (++IV[x]) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              break;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project           }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       if ((err = send_packet(pt, ptlen, iv, 12, NULL, 0, &gcm))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project           != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project           whine_and_pout(err);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return EXIT_SUCCESS;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{One-Way Cryptographic Hash Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Core Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLike the ciphers, there are hash core functions and a universal data type to hold the hash state called \textit{hash\_state}.  To initialize hash
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectXXX (where XXX is the name) call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Hash Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid XXX_init(hash_state *md);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis simply sets up the hash to the default state governed by the specifications of the hash.  To add data to the message being hashed call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_process(         hash_state *md,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEssentially all hash messages are virtually infinitely\footnote{Most hashes are limited to $2^{64}$ bits or 2,305,843,009,213,693,952 bytes.} long message which
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare buffered.  The data can be passed in any sized chunks as long as the order of the bytes are the same the message digest (hash output) will be the same.  For example,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthis means that:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmd5_process(&md, "hello ", 6);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmd5_process(&md, "world", 5);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWill produce the same message digest as the single call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Message Digest}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmd5_process(&md, "hello world", 11);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo finally get the message digest (the hash) call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_done(   hash_state *md,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will finish up the hash and store the result in the \textit{out} array.  You must ensure that \textit{out} is long
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectenough for the hash in question.  Often hashes are used to get keys for symmetric ciphers so the \textit{XXX\_done()} functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill wipe the \textit{md} variable before returning automatically.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test a hash function call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will return {\bf CRYPT\_OK} if the hash matches the test vectors, otherwise it returns an error code.  An
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectexample snippet that hashes a message with md5 is given below.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    hash_state md;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned char *in = "hello world", out[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* setup the hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    md5_init(&md);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* add the message */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    md5_process(&md, in, strlen(in));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* get the hash in out[0..15] */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    md5_done(&md, out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Hash Descriptors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLike the set of ciphers, the set of hashes have descriptors as well.  They are stored in an array called \textit{hash\_descriptor} and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare defined by:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct _hash_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long hashsize;    /* digest output size in bytes  */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long blocksize;   /* the block size the hash uses */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void (*init)   (hash_state *hash);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  (*process)(         hash_state *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  (*done)   (hash_state *hash, unsigned char *out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  (*test)   (void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{find\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{name} member is the name of the hash function (all lowercase).  The \textit{hashsize} member is the size of the digest output
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin bytes, while \textit{blocksize} is the size of blocks the hash expects to the compression function.  Technically, this detail is not important
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfor high level developers but is useful to know for performance reasons.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{init} member initializes the hash, \textit{process} passes data through the hash, \textit{done} terminates the hash and retrieves the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdigest.  The \textit{test} member tests the hash against the specified test vectors.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere is a function to search the array as well called \textit{int find\_hash(char *name)}.  It returns -1 if the hash is not found, otherwise, the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectposition in the descriptor table of the hash.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn addition, there is also find\_hash\_oid() which finds a hash by the ASN.1 OBJECT IDENTIFIER string.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{find\_hash\_oid()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint find_hash_oid(const unsigned long *ID, unsigned long IDlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou can use the table to indirectly call a hash function that is chosen at run-time.  For example:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char buffer[100], hash[MAXBLOCKSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int idx, x;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hash_state md;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register hashes .... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_hash(&md5_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering MD5.\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register other hashes ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* prompt for name and strip newline */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("Enter hash name: \n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   fgets(buffer, sizeof(buffer), stdin);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   buffer[strlen(buffer) - 1] = 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get hash index */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   idx = find_hash(buffer);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (idx == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Invalid hash name!\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* hash input until blank line */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hash_descriptor[idx].init(&md);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   while (fgets(buffer, sizeof(buffer), stdin) != NULL)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project         hash_descriptor[idx].process(&md, buffer, strlen(buffer));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hash_descriptor[idx].done(&md, hash);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* dump to screen */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   for (x = 0; x < hash_descriptor[idx].hashsize; x++)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("%02x ", hash[x]);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote the usage of \textbf{MAXBLOCKSIZE}.  In LibTomCrypt, no symmetric block, key or hash digest is larger than \textbf{MAXBLOCKSIZE} in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlength.  This provides a simple size you can set your automatic arrays to that will not get overrun.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are three helper functions to make working with hashes easier.  The first is a function to hash a buffer, and produce the digest in a single
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction call.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hash\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hash_memory(                int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will hash the data pointed to by \textit{in} of length \textit{inlen}.  The hash used is indexed by the \textit{hash} parameter.  The message
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdigest is stored in \textit{out}, and the \textit{outlen} parameter is updated to hold the message digest size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe next helper function allows for the hashing of a file based on a file name.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hash\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hash_file(          int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const char *fname,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will hash the file named by \textit{fname} using the hash indexed by \textit{hash}.  The file named in this function call must be readable by the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectuser owning the process performing the request.  This function can be omitted by the \textbf{LTC\_NO\_FILE} define, which forces it to return \textbf{CRYPT\_NOP}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhen it is called.  The message digest is stored in \textit{out}, and the \textit{outlen} parameter is updated to hold the message digest size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hash\_filehandle()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hash_filehandle(          int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             FILE *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will hash the file identified by the handle \textit{in} using the hash indexed by \textit{hash}.  This will begin hashing from the current file pointer position, and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill not rewind the file pointer when finished.  This function can be omitted by the \textbf{LTC\_NO\_FILE} define, which forces it to return \textbf{CRYPT\_NOP}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhen it is called.  The message digest is stored in \textit{out}, and the \textit{outlen} parameter is updated to hold the message digest size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo perform the above hash with md5 the following code could be used:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int idx, err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long len;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char out[MAXBLOCKSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register the hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_hash(&md5_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering MD5.\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get the index of the hash  */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   idx = find_hash("md5");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* call the hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   len = sizeof(out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       hash_memory(idx, "hello world", 11, out, &len)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error hashing data: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Hash Registration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to the cipher descriptor table you must register your hash algorithms before you can use them.  These functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwork exactly like those of the cipher registration code.  The functions are:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{register\_hash()} \index{unregister\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint register_hash(const struct _hash_descriptor *hash);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint unregister_hash(const struct _hash_descriptor *hash);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following hashes are provided as of this release within the LibTomCrypt library:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Hash descriptor table}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline \textbf{Name} & \textbf{Descriptor Name} & \textbf{Size of Message Digest (bytes)} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline WHIRLPOOL & whirlpool\_desc & 64 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline SHA-512 & sha512\_desc & 64 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline SHA-384 & sha384\_desc & 48 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline RIPEMD-320 & rmd160\_desc & 40 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline SHA-256 & sha256\_desc & 32 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline RIPEMD-256 & rmd160\_desc & 32 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline SHA-224 & sha224\_desc & 28 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline TIGER-192 & tiger\_desc & 24 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline SHA-1 & sha1\_desc & 20 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline RIPEMD-160 & rmd160\_desc & 20 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline RIPEMD-128 & rmd128\_desc & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline MD5 & md5\_desc & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline MD4 & md4\_desc & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline MD2 & md2\_desc & 16 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{Built--In Software Hashes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Cipher Hash Construction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Cipher Hash Construction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn addition to the suite of hash functions is the \textit{Cipher Hash Construction} or \textit{CHC} mode.  In this mode
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectapplicable block ciphers (such as AES) can be turned into hash functions that other LTC functions can use.  In
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectparticular this allows a cryptosystem to be designed using very few moving parts.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn order to use the CHC system the developer will have to take a few extra steps.  First the \textit{chc\_desc} hash
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdescriptor must be registered with register\_hash().  At this point the CHC hash cannot be used to hash
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdata.  While it is in the hash system you still have to tell the CHC code which cipher to use.  This is accomplished
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvia the chc\_register() function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{chc\_register()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint chc_register(int cipher);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA cipher has to be registered with CHC (and also in the cipher descriptor tables with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectregister\_cipher()).  The chc\_register() function will bind a cipher to the CHC system.  Only one cipher can
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbe bound to the CHC hash at a time.  There are additional requirements for the system to work.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item The cipher must have a block size greater than 64--bits.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item The cipher must allow an input key the size of the block size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectExample of using CHC with the AES block cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register cipher and hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&aes_enc_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Could not register cipher\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_hash(&chc_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Could not register hash\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* start chc with AES */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = chc_register(find_cipher("aes"))) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error binding AES to CHC: %s\n",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now you can use chc_hash in any LTC function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    * [aside from pkcs...] */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Notice}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is highly recommended that you \textbf{not} use the MD4 or MD5 hashes for the purposes of digital signatures or authentication codes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese hashes are provided for completeness and they still can be used for the purposes of password hashing or one-way accumulators
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(e.g. Yarrow).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe other hashes such as the SHA-1, SHA-2 (that includes SHA-512, SHA-384 and SHA-256) and TIGER-192 are still considered secure
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfor all purposes you would normally use a hash for.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Message Authentication Codes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{HMAC Protocol}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThanks to Dobes Vandermeer, the library now includes support for hash based message authentication codes, or HMAC for short.  An HMAC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof a message is a keyed authentication code that only the owner of a private symmetric key will be able to verify.  The purpose is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto allow an owner of a private symmetric key to produce an HMAC on a message then later verify if it is correct.  Any impostor or
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecteavesdropper will not be able to verify the authenticity of a message.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe HMAC support works much like the normal hash functions except that the initialization routine requires you to pass a key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand its length.  The key is much like a key you would pass to a cipher.  That is, it is simply an array of octets stored in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned characters.  The initialization routine is:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_init(         hmac_state *hmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{hmac} parameter is the state for the HMAC code.  The \textit{hash} parameter is the index into the descriptor table of the hash you want
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto use to authenticate the message.  The \textit{key} parameter is the pointer to the array of chars that make up the key.  The \textit{keylen} parameter is the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlength (in octets) of the key you want to use to authenticate the message.  To send octets of a message through the HMAC system you must use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_process(         hmac_state *hmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{hmac} is the HMAC state you are working with. \textit{buf} is the array of octets to send into the HMAC process.  \textit{len} is the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnumber of octets to process.  Like the hash process routines you can send the data in arbitrarily sized chunks. When you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare finished with the HMAC process you must call the following function to get the HMAC code:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_done(   hmac_state *hmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{hmac} parameter is the HMAC state you are working with.  The \textit{out} parameter is the array of octets where the HMAC code should be stored.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou must set \textit{outlen} to the size of the destination buffer before calling this function.  It is updated with the length of the HMAC code
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectproduced (depending on which hash was picked).  If \textit{outlen} is less than the size of the message digest (and ultimately
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe HMAC code) then the HMAC code is truncated as per FIPS-198 specifications (e.g. take the first \textit{outlen} bytes).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are two utility functions provided to make using HMACs easier to do.  They accept the key and information about the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmessage (file pointer, address in memory), and produce the HMAC result in one shot.  These are useful if you want to avoid
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcalling the three step process yourself.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   const unsigned char *key, unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   const unsigned char *in,  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project         unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will produce an HMAC code for the array of octets in \textit{in} of length \textit{inlen}.  The index into the hash descriptor
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttable must be provided in \textit{hash}.  It uses the key from \textit{key} with a key length of \textit{keylen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe result is stored in the array of octets \textit{out} and the length in \textit{outlen}.  The value of \textit{outlen} must be set
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto the size of the destination buffer before calling this function.  Similarly for files there is the  following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_file(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            const char *fname,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   const unsigned char *key, unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project         unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{hash} is the index into the hash descriptor table of the hash you want to use.  \textit{fname} is the filename to process.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{key} is the array of octets to use as the key of length \textit{keylen}.  \textit{out} is the array of octets where the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectresult should be stored.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test if the HMAC code is working there is the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{hmac\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint hmac_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code.  Some example code for using the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectHMAC system is given below.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int idx, err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hmac_state hmac;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[16], dst[MAXBLOCKSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long dstlen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register SHA-1 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_hash(&sha1_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering SHA1\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get index of SHA1 in hash descriptor table */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   idx = find_hash("sha1");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* we would make up our symmetric key in "key[]" here */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* start the HMAC */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = hmac_init(&hmac, idx, key, 16)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error setting up hmac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* process a few octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if((err = hmac_process(&hmac, "hello", 5) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error processing hmac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get result (presumably to use it somehow...) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   dstlen = sizeof(dst);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = hmac_done(&hmac, dst, &dstlen)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error finishing hmac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("The hmac is %lu bytes long\n", dstlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* return */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{OMAC Support}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{OMAC} \index{CMAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOMAC\footnote{\url{http://crypt.cis.ibaraki.ac.jp/omac/omac.html}}, which stands for \textit{One-Key CBC MAC} is an
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectalgorithm which produces a Message Authentication Code (MAC) using only a block cipher such as AES.  Note:  OMAC has been standardized as
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCMAC within NIST, for the purposes of this library OMAC and CMAC are synonymous.  From an API standpoint, the OMAC routines work much like the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectHMAC routines.  Instead, in this case a cipher is used instead of a hash.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo start an OMAC state you call
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_init(         omac_state *omac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{omac} parameter is the state for the OMAC algorithm.  The \textit{cipher} parameter is the index into the cipher\_descriptor table
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the cipher\footnote{The cipher must have a 64 or 128 bit block size.  Such as CAST5, Blowfish, DES, AES, Twofish, etc.} you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwish to use.  The \textit{key} and \textit{keylen} parameters are the keys used to authenticate the data.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo send data through the algorithm call
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_process(         omac_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will send \textit{inlen} bytes from \textit{in} through the active OMAC state \textit{state}.  Returns \textbf{CRYPT\_OK} if the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction succeeds.  The function is not sensitive to the granularity of the data.  For example,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectomac_process(&mystate, "hello",  5);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectomac_process(&mystate, " world", 6);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWould produce the same result as,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectomac_process(&mystate, "hello world",  11);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen you are done processing the message you can call the following to compute the message tag.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_done(   omac_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will terminate the OMAC and output the \textit{tag} (MAC) to \textit{out}.  Note that unlike the HMAC and other code
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{outlen} can be smaller than the default MAC size (for instance AES would make a 16-byte tag).  Part of the OMAC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecification states that the output may be truncated.  So if you pass in $outlen = 5$ and use AES as your cipher than
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe output MAC code will only be five bytes long.  If \textit{outlen} is larger than the default size it is set to the default
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsize to show how many bytes were actually used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to the HMAC code the file and memory functions are also provided.  To OMAC a buffer of memory in one shot use the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfollowing function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key, unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,  unsigned long inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will compute the OMAC of \textit{inlen} bytes of \textit{in} using the key \textit{key} of length \textit{keylen} bytes and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrules as omac\_done.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo OMAC a file use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_file(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,      unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const char *filename,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will OMAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand the cipher specified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe same rules as omac\_done.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test if the OMAC code is working there is the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint omac_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code.  Some example code for using the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOMAC system is given below.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int idx, err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   omac_state omac;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[16], dst[MAXBLOCKSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long dstlen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register Rijndael */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_cipher(&rijndael_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering Rijndael\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get index of Rijndael in cipher descriptor table */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   idx = find_cipher("rijndael");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* we would make up our symmetric key in "key[]" here */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* start the OMAC */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = omac_init(&omac, idx, key, 16)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error setting up omac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* process a few octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if((err = omac_process(&omac, "hello", 5) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error processing omac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* get result (presumably to use it somehow...) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   dstlen = sizeof(dst);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = omac_done(&omac, dst, &dstlen)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error finishing omac: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("The omac is %lu bytes long\n", dstlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* return */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{PMAC Support}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe PMAC\footnote{J.Black, P.Rogaway, \textit{A Block--Cipher Mode of Operation for Parallelizable Message Authentication}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectprotocol is another MAC algorithm that relies solely on a symmetric-key block cipher.  It uses essentially the same
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAPI as the provided OMAC code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA PMAC state is initialized with the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_init(         pmac_state *pmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich initializes the \textit{pmac} state with the given \textit{cipher} and \textit{key} of length \textit{keylen} bytes.  The chosen cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmust have a 64 or 128 bit block size (e.x. AES).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo MAC data simply send it through the process function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_process(         pmac_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will process \textit{inlen} bytes of \textit{in} in the given \textit{state}.  The function is not sensitive to the granularity of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdata.  For example,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpmac_process(&mystate, "hello",  5);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpmac_process(&mystate, " world", 6);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWould produce the same result as,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpmac_process(&mystate, "hello world",  11);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen a complete message has been processed the following function can be called to compute the message tag.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_done(   pmac_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will store up to \textit{outlen} bytes of the tag for the given \textit{state} into \textit{out}.  Note that if \textit{outlen} is larger
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthan the size of the tag it is set to the amount of bytes stored in \textit{out}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to the OMAC code the file and memory functions are also provided.  To PMAC a buffer of memory in one shot use the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfollowing function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key, unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will compute the PMAC of \textit{msglen} bytes of \textit{msg} using the key \textit{key} of length \textit{keylen} bytes, and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrules as pmac\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo PMAC a file use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_file(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,      unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const char *filename,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will PMAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand the cipher specified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe same rules as pmac\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test if the PMAC code is working there is the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pmac\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pmac_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if the code passes otherwise it returns an error code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Pelican MAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPelican MAC is a new (experimental) MAC by the AES team that uses four rounds of AES as a \textit{mixing function}.  It achieves a very high
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrate of processing and is potentially very secure.  It requires AES to be enabled to function.  You do not have to register\_cipher() AES first though
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas it calls AES directly.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pelican\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pelican_init(      pelican_state *pelmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the Pelican state with the given AES key.  Once this has been done you can begin processing data.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pelican\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pelican_process(      pelican_state *pelmac,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will process \textit{inlen} bytes of \textit{in} through the Pelican MAC.  It's best that you pass in multiples of 16 bytes as it makes the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectroutine more efficient but you may pass in any length of text.  You can call this function as many times as required to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectan entire message.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pelican\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pelican_done(pelican_state *pelmac, unsigned char *out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis terminates a Pelican MAC and writes the 16--octet tag to \textit{out}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Example}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   pelican_state pelstate;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char key[32], tag[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* somehow initialize a key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* initialize pelican mac */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = pelican_init(&pelstate, /* the state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           key,       /* user key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           32         /* key length in octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          )) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error initializing Pelican: %s",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* MAC some data */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = pelican_process(&pelstate,       /* the state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              "hello world",   /* data to mac */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              11               /* length of data */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              )) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error processing Pelican: %s",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* Terminate the MAC */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = pelican_done(&pelstate,/* the state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           tag       /* where to store the tag */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           )) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error terminating Pelican: %s",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* tag[0..15] has the MAC output now */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return EXIT_SUCCESS;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{XCBC-MAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of LibTomCrypt v1.15, XCBC-MAC (RFC 3566) has been provided to support TLS encryption suites.  Like OMAC, it computes a message authentication code
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby using a cipher in CBC mode.  It also uses a single key which it expands into the requisite three keys for the MAC function.  A XCBC--MAC state is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinitialized with the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_init(         xcbc_state *xcbc,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the XCBC--MAC state \textit{xcbc}, with the key specified in \textit{key} of length \textit{keylen} octets.  The cipher indicated
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby the \textit{cipher} index can be either a 64 or 128--bit block cipher.  This will return \textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo process data through XCBC--MAC use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_process(         xcbc_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will add the message octets pointed to by \textit{in} of length \textit{inlen} to the XCBC--MAC state pointed to by \textit{state}.  Like the other MAC functions,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe granularity of the input is not important but the order is.  This will return \textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo compute the MAC tag value use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_done(   xcbc_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will retrieve the XCBC--MAC tag from the state pointed to by \textit{state}, and store it in the array pointed to by \textit{out}.  The \textit{outlen} parameter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecifies the maximum size of the destination buffer, and is updated to hold the final size of the tag when the function returns.  This will return \textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectHelper functions are provided to make parsing memory buffers and files easier.  The following functions are provided:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key, unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will compute the XCBC--MAC of \textit{msglen} bytes of \textit{msg}, using the key \textit{key} of length \textit{keylen} bytes, and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same rules as xcbc\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo xcbc a file use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_file(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,      unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const char *filename,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will XCBC--MAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes, and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same rules as xcbc\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test XCBC--MAC for RFC 3566 compliance use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint xcbc_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will return \textbf{CRYPT\_OK} on success.  This requires the AES or Rijndael descriptor be previously registered, otherwise, it will return
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{CRYPT\_NOP}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{F9--MAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe F9--MAC is yet another CBC--MAC variant proposed for the 3GPP standard.  Originally specified to be used with the KASUMI block cipher, it can also be used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith other ciphers.  For LibTomCrypt, the F9--MAC code can use any cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Usage Notice}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectF9--MAC differs slightly from the other MAC functions in that it requires the caller to perform the final message padding.  The padding quite simply is a direction
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbit followed by a 1 bit and enough zeros to make the message a multiple of the cipher block size.  If the message is byte aligned, the padding takes on the form of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta single 0x40 or 0xC0 byte followed by enough 0x00 bytes to make the message proper multiple.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the user simply wants a MAC function (hint: use OMAC) padding with a single 0x40 byte should be sufficient for security purposes and still be reasonably compatible
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith F9--MAC.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{F9--MAC Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA F9--MAC state is initialized with the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_init()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_init(           f9_state *f9,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  unsigned long  keylen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will initialize the F9--MAC state \textit{f9}, with the key specified in \textit{key} of length \textit{keylen} octets.  The cipher indicated
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby the \textit{cipher} index can be either a 64 or 128--bit block cipher.  This will return \textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo process data through F9--MAC use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_process()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_process(           f9_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will add the message octets pointed to by \textit{in} of length \textit{inlen} to the F9--MAC state pointed to by \textit{state}.  Like the other MAC functions,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe granularity of the input is not important but the order is.  This will return \textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo compute the MAC tag value use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_done()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_done(     f9_state *state,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will retrieve the F9--MAC tag from the state pointed to by \textit{state}, and store it in the array pointed to by \textit{out}.  The \textit{outlen} parameter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecifies the maximum size of the destination buffer, and is updated to hold the final size of the tag when the function returns.  This will return
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{CRYPT\_OK} on success.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectHelper functions are provided to make parsing memory buffers and files easier.  The following functions are provided:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_memory(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key, unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will compute the F9--MAC of \textit{msglen} bytes of \textit{msg}, using the key \textit{key} of length \textit{keylen} bytes, and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same rules as f9\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo F9--MAC a file use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_file()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_file(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  cipher,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *key,      unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             const char *filename,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will F9--MAC the entire contents of the file specified by \textit{filename} using the key \textit{key} of length \textit{keylen} bytes, and the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecified by the \textit{cipher}'th entry in the cipher\_descriptor table.  It will store the MAC in \textit{out} with the same rules as f9\_done().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test f9--MAC for RFC 3566 compliance use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_test()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint f9_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will return \textbf{CRYPT\_OK} on success.  This requires the AES or Rijndael descriptor be previously registered, otherwise, it will return
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{CRYPT\_NOP}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Pseudo-Random Number Generators}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Core Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library provides an array of core functions for Pseudo-Random Number Generators (PRNGs) as well.  A cryptographic PRNG is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectused to expand a shorter bit string into a longer bit string.  PRNGs are used wherever random data is required such as Public Key (PK)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectkey generation.  There is a universal structure called \textit{prng\_state}.  To initialize a PRNG call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG start}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_start(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will setup the PRNG for future use and not seed it.  In order for the PRNG to be cryptographically useful you must give it
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectentropy.  Ideally you'd have some OS level source to tap like in UNIX.  To add entropy to the PRNG call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG add\_entropy}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_add_entropy(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if the entropy was accepted.  Once you think you have enough entropy you call another
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction to put the entropy into action.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG ready}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_ready(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns {\bf CRYPT\_OK} if it is ready.  Finally to actually read bytes call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG read}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long XXX_read(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long  outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich returns the number of bytes read from the PRNG.  When you are finished with a PRNG state you call
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG done}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid XXX_done(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will terminate a PRNG state and free any memory (if any) allocated.  To export a PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectso that you can later resume the PRNG call the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_export(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will write a \textit{PRNG state} to the buffer \textit{out} of length \textit{outlen} bytes.  The idea of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe export is meant to be used as a \textit{seed file}.  That is, when the program starts up there will not likely
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbe that much entropy available.   To import a state to seed a PRNG call the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_import(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will call the start and add\_entropy functions of the given PRNG.  It will use the state in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{in} of length \textit{inlen} as the initial seed.  You must pass the same seed length as was exported
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby the corresponding export function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that importing a state will not \textit{resume} the PRNG from where it left off.  That is, if you export
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta state, emit (say) 8 bytes and then import the previously exported state the next 8 bytes will not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectspecifically equal the 8 bytes you generated previously.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen a program is first executed the normal course of operation is:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Gather entropy from your sources for a given period of time or number of events.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item Start, use your entropy via add\_entropy and ready the PRNG yourself.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen your program is finished you simply call the export function and save the state to a medium (disk,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectflash memory, etc).  The next time your application starts up you can detect the state, feed it to the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectimport function and go on your way.  It is ideal that (as soon as possible) after start up you export a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfresh state.  This helps in the case that the program aborts or the machine is powered down without
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbeing given a chance to exit properly.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that even if you have a state to import it is important to add new entropy to the state.  However,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthere is less pressure to do so.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test a PRNG for operational conformity call the following functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG test}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint XXX_test(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will return \textbf{CRYPT\_OK} if PRNG is operating properly.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Remarks}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is possible to be adding entropy and reading from a PRNG at the same time.  For example, if you first seed the PRNG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand call ready() you can now read from it.  You can also keep adding new entropy to it.  The new entropy will not be used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin the PRNG until ready() is called again.  This allows the PRNG to be used and re-seeded at the same time.  No real error
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectchecking is guaranteed to see if the entropy is sufficient, or if the PRNG is even in a ready state before reading.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Example}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectBelow is a simple snippet to read 10 bytes from Yarrow.  It is important to note that this snippet is {\bf NOT} secure since
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe entropy added is not random.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   prng_state prng;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char buf[10];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* start it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = yarrow_start(&prng)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Start error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* add entropy */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = yarrow_add_entropy("hello world", 11, &prng))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Add_entropy error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* ready and read */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = yarrow_ready(&prng)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Ready error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("Read %lu bytes from yarrow\n",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          yarrow_read(buf, sizeof(buf), &prng));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{PRNG Descriptors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PRNG Descriptor}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPRNGs have descriptors that allow plugin driven functions to be created using PRNGs. The plugin descriptors are stored in the structure \textit{prng\_descriptor}.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectformat of an element is:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct _prng_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  export_size;    /* size in bytes of exported state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*start)      (prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*add_entropy)(const unsigned char *, unsigned long,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*ready)      (prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long (*read)(unsigned char *, unsigned long len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void (*done)(prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*export)(unsigned char *, unsigned long *, prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*import)(const unsigned char *, unsigned long, prng_state *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*test)(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo find a PRNG in the descriptor table the following function can be used:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{find\_prng()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint find_prng(const char *name);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will search the PRNG descriptor table for the PRNG named \textit{name}.  It will return -1 if the PRNG is not found, otherwise, it returns
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe index into the descriptor table.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectJust like the ciphers and hashes, you must register your prng before you can use it.  The two functions provided work exactly as those for the cipher registry functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThey are the following:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{register\_prng()} \index{unregister\_prng()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint register_prng(const struct _prng_descriptor *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint unregister_prng(const struct _prng_descriptor *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe register function will register the PRNG, and return the index into the table where it was placed (or -1 for error).  It will avoid registering the same
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdescriptor twice, and will return the index of the current placement in the table if the caller attempts to register it more than once.  The unregister function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill return \textbf{CRYPT\_OK} if the PRNG was found and removed.  Otherwise, it returns \textbf{CRYPT\_ERROR}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PRNGs Provided}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|l|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline \textbf{Name} & \textbf{Descriptor} & \textbf{Usage} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline Yarrow & yarrow\_desc & Fast short-term PRNG \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline Fortuna & fortuna\_desc & Fast long-term PRNG (recommended) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline RC4 & rc4\_desc & Stream Cipher \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline SOBER-128 & sober128\_desc & Stream Cipher (also very fast PRNG) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{List of Provided PRNGs}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Yarrow}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYarrow is fast PRNG meant to collect an unspecified amount of entropy from sources
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(keyboard, mouse, interrupts, etc), and produce an unbounded string of random bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{Note:} This PRNG is still secure for most tasks but is no longer recommended.  Users
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectshould use Fortuna instead.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Fortuna}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFortuna is a fast attack tolerant and more thoroughly designed PRNG suitable for long term
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectusage.  It is faster than the default implementation of Yarrow\footnote{Yarrow has been implemented
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto work with most cipher and hash combos based on which you have chosen to build into the library.} while
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectproviding more security.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFortuna is slightly less flexible than Yarrow in the sense that it only works with the AES block cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand SHA--256 hash function.  Technically, Fortuna will work with any block cipher that accepts a 256--bit
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectkey, and any hash that produces at least a 256--bit output.  However, to make the implementation simpler
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit has been fixed to those choices.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFortuna is more secure than Yarrow in the sense that attackers who learn parts of the entropy being
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectadded to the PRNG learn far less about the state than that of Yarrow.  Without getting into to many
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdetails Fortuna has the ability to recover from state determination attacks where the attacker starts
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto learn information from the PRNGs output about the internal state.  Yarrow on the other hand, cannot
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrecover from that problem until new entropy is added to the pool and put to use through the ready() function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{RC4}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRC4 is an old stream cipher that can also double duty as a PRNG in a pinch.  You key RC4 by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcalling add\_entropy(), and setup the key by calling ready().  You can only add up to 256 bytes via
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectadd\_entropy().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen you read from RC4, the output is XOR'ed against your buffer you provide.  In this manner, you can use rc4\_read()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas an encrypt (and decrypt) function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectYou really should not use RC4.  This is not because RC4 is weak, (though biases are known to exist) but simply due to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe fact that faster alternatives exist.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SOBER-128}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSOBER--128 is a stream cipher designed by the QUALCOMM Australia team.  Like RC4, you key it by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcalling add\_entropy().  There is no need to call ready() for this PRNG as it does not do anything.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: this cipher has several oddities about how it operates.  The first call to add\_entropy() sets the cipher's key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEvery other time call to the add\_entropy() function sets the cipher's IV variable.  The IV mechanism allows you to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypt several messages with the same key, and not re--use the same key material.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectUnlike Yarrow and Fortuna, all of the entropy (and hence security) of this algorithm rests in the data
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectyou pass it on the \textbf{first} call to add\_entropy().  All buffers sent to add\_entropy() must have a length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat is a multiple of four bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLike RC4, the output of SOBER--128 is XOR'ed against the buffer you provide it.  In this manner, you can use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsober128\_read() as an encrypt (and decrypt) function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSince SOBER-128 has a fixed keying scheme, and is very fast (faster than RC4) the ideal usage of SOBER-128 is to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectkey it from the output of Fortuna (or Yarrow), and use it to encrypt messages.  It is also ideal for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsimulations which need a high quality (and fast) stream of bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Example Usage}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   prng_state prng;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char buf[32];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rc4_start(&prng)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("RC4 init error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      exit(-1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* use "key" as the key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rc4_add_entropy("key", 3, &prng)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("RC4 add entropy error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      exit(-1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* setup RC4 for use */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rc4_ready(&prng)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("RC4 ready error: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      exit(-1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* encrypt buffer */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   strcpy(buf,"hello world");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (rc4_read(buf, 11, &prng) != 11) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("RC4 read error\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      exit(-1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo decrypt you have to do the exact same steps.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{The Secure RNG}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Secure RNG}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn RNG is related to a PRNG in many ways, except that it does not expand a smaller seed to get the data.  They generate their random bits
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby performing some computation on fresh input bits.  Possibly the hardest thing to get correctly in a cryptosystem is the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPRNG.  Computers are deterministic that try hard not to stray from pre--determined paths.  This makes gathering entropy needed to seed a PRNG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta hard task.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere is one small function that may help on certain platforms:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rng\_get\_bytes()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long rng_get_bytes(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned char *buf,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void         (*callback)(void));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will try one of three methods of getting random data.  The first is to open the popular \textit{/dev/random} device which
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton most *NIX platforms provides cryptographic random bits\footnote{This device is available in Windows through the Cygwin compiler suite.  It emulates \textit{/dev/random} via the Microsoft CSP.}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe second method is to try the Microsoft Cryptographic Service Provider, and read the RNG.  The third method is an ANSI C
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectclock drift method that is also somewhat popular but gives bits of lower entropy.  The \textit{callback} parameter is a pointer to a function that returns void.  It is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectused when the slower ANSI C RNG must be used so the calling application can still work.  This is useful since the ANSI C RNG has a throughput of roughly three
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbytes a second.  The callback pointer may be set to {\bf NULL} to avoid using it if you do not want to.  The function returns the number of bytes actually read from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectany RNG source.  There is a function to help setup a PRNG as well:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rng\_make\_prng()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rng_make_prng(       int  bits,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       void (*callback)(void));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will try to initialize the prng with a state of at least \textit{bits} of entropy.  The \textit{callback} parameter works much like
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe callback in \textit{rng\_get\_bytes()}.  It is highly recommended that you use this function to setup your PRNGs unless you have a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectplatform where the RNG does not work well.  Example usage of this function is given below:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   ecc_key mykey;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   prng_state prng;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register yarrow */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_prng(&yarrow_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering Yarrow\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* setup the PRNG */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rng_make_prng(128, find_prng("yarrow"), &prng, NULL))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error setting up PRNG, %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* make a 192-bit ECC key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ecc_make_key(&prng, find_prng("yarrow"), 24, &mykey))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error making key: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{The Secure PRNG Interface}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is possible to access the secure RNG through the PRNG interface, and in turn use it within dependent functions such
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas the PK API.  This simplifies the cryptosystem on platforms where the secure RNG is fast.  The secure PRNG never
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrequires to be started, that is you need not call the start, add\_entropy, or ready functions.  For example, consider
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe previous example using this PRNG.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   ecc_key mykey;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register SPRNG */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_prng(&sprng_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering SPRNG\n");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* make a 192-bit ECC key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = ecc_make_key(NULL, find_prng("sprng"), 24, &mykey))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error making key: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return -1;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   return 0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{RSA Public Key Cryptography}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRSA wrote the PKCS \#1 specifications which detail RSA Public Key Cryptography.  In the specifications are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpadding algorithms for encryption and signatures.  The standard includes the \textit{v1.5} and \textit{v2.1} algorithms.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo simplify matters a little the v2.1 encryption and signature padding algorithms are called OAEP and PSS respectively.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{PKCS \#1 Padding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPKCS \#1 v1.5 padding is so simple that both signature and encryption padding are performed by the same function.  Note: the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsignature padding does \textbf{not} include the ASN.1 padding required.  That is performed by the rsa\_sign\_hash\_ex() function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdocumented later on in this chapter.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PKCS \#1 v1.5 Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function performs PKCS \#1 v1.5 padding:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_v1\_5\_encode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_v1_5_encode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msg,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  block_type,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will encode the message pointed to by \textit{msg} of length \textit{msglen} octets.  The \textit{block\_type} parameter must be set to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{LTC\_PKCS\_1\_EME} to perform encryption padding.  It must be set to \textbf{LTC\_PKCS\_1\_EMSA} to perform signature padding.  The \textit{modulus\_bitlen}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectparameter indicates the length of the modulus in bits.  The padded data is stored in \textit{out} with a length of \textit{outlen} octets.  The output will not be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlonger than the modulus which helps allocate the correct output buffer size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOnly encryption padding requires a PRNG.  When performing signature padding the \textit{prng\_idx} parameter may be left to zero as it is not checked for validity.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PKCS \#1 v1.5 Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function performs PKCS \#1 v1.5 de--padding:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_v1\_5\_decode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_v1_5_decode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msg,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  block_type,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *is_valid);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LTC\_PKCS\_1\_EME} \index{LTC\_PKCS\_1\_EMSA}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will remove the PKCS padding data pointed to by \textit{msg} of length \textit{msglen}.  The decoded data is stored in \textit{out} of length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{outlen}.  If the padding is valid, a 1 is stored in \textit{is\_valid}, otherwise, a 0 is stored.  The \textit{block\_type} parameter must be set to either
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{LTC\_PKCS\_1\_EME} or \textbf{LTC\_PKCS\_1\_EMSA} depending on whether encryption or signature padding is being removed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{PKCS \#1 v2.1 Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPKCS \#1 RSA Encryption amounts to OAEP padding of the input message followed by the modular exponentiation.  As far as this portion of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe library is concerned we are only dealing with th OAEP padding of the message.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{OAEP Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function performs PKCS \#1 v2.1 encryption padding:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_oaep\_encode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_oaep_encode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msg,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis accepts \textit{msg} as input of length \textit{msglen} which will be OAEP padded.  The \textit{lparam} variable is an additional system specific
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttag that can be applied to the encoding.  This is useful to identify which system encoded the message.  If no variance is desired then
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{lparam} can be set to \textbf{NULL}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOAEP encoding requires the length of the modulus in bits in order to calculate the size of the output.  This is passed as the parameter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{modulus\_bitlen}.  \textit{hash\_idx} is the index into the hash descriptor table of the hash desired.  PKCS \#1 allows any hash to be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectused but both the encoder and decoder must use the same hash in order for this to succeed.  The size of hash output affects the maximum
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project sized input message.  \textit{prng\_idx} and \textit{prng} are the random number generator arguments required to randomize the padding process.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe padded message is stored in \textit{out} along with the length in \textit{outlen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf $h$ is the length of the hash and $m$ the length of the modulus (both in octets) then the maximum payload for \textit{msg} is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$m - 2h - 2$.  For example, with a $1024$--bit RSA key and SHA--1 as the hash the maximum payload is $86$ bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that when the message is padded it still has not been RSA encrypted.  You must pass the output of this function to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrsa\_exptmod() to encrypt it.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{OAEP Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_oaep\_decode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_oaep_decode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msg,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *res);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function decodes an OAEP encoded message and outputs the original message that was passed to the OAEP encoder.  \textit{msg} is the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectoutput of pkcs\_1\_oaep\_encode() of length \textit{msglen}.  \textit{lparam} is the same system variable passed to the OAEP encoder.  If it does not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmatch what was used during encoding this function will not decode the packet.  \textit{modulus\_bitlen} is the size of the RSA modulus in bits
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand must match what was used during encoding.  Similarly the \textit{hash\_idx} index into the hash descriptor table must match what was used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectduring encoding.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the function succeeds it decodes the OAEP encoded message into \textit{out} of length \textit{outlen} and stores a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$1$ in \textit{res}.  If the packet is invalid it stores $0$ in \textit{res} and if the function fails for another reason
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit returns an error code.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{PKCS \#1 Digital Signatures}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PSS Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPSS encoding is the second half of the PKCS \#1 standard which is padding to be applied to messages that are signed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_pss\_encode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_pss_encode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msghash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msghashlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function assumes the message to be PSS encoded has previously been hashed.  The input hash \textit{msghash} is of length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{msghashlen}.  PSS allows a variable length random salt (it can be zero length) to be introduced in the signature process.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{hash\_idx} is the index into the hash descriptor table of the hash to use.  \textit{prng\_idx} and \textit{prng} are the random
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnumber generator information required for the salt.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to OAEP encoding \textit{modulus\_bitlen} is the size of the RSA modulus (in bits).  It limits the size of the salt.  If $m$ is the length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the modulus $h$ the length of the hash output (in octets) then there can be $m - h - 2$ bytes of salt.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function does not actually sign the data it merely pads the hash of a message so that it can be processed by rsa\_exptmod().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PSS Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo decode a PSS encoded signature block you have to use the following.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_1\_pss\_decode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_1_pss_decode(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *msghash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  msghashlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *sig,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  siglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  modulus_bitlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *res);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decode the PSS encoded message in \textit{sig} of length \textit{siglen} and compare it to values in \textit{msghash} of length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{msghashlen}.  If the block is a valid PSS block and the decoded hash equals the hash supplied \textit{res} is set to non--zero.  Otherwise,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit is set to zero.  The rest of the parameters are as in the PSS encode call.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt's important to use the same \textit{saltlen} and hash for both encoding and decoding as otherwise the procedure will not work.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Key Operations}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Background}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRSA is a public key algorithm that is based on the inability to find the \textit{e-th} root modulo a composite of unknown
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfactorization.  Normally the difficulty of breaking RSA is associated with the integer factoring problem but they are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnot strictly equivalent.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe system begins with with two primes $p$ and $q$ and their product $N = pq$.  The order or \textit{Euler totient} of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmultiplicative sub-group formed modulo $N$ is given as $\phi(N) = (p - 1)(q - 1)$ which can be reduced to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$\mbox{lcm}(p - 1, q - 1)$.  The public key consists of the composite $N$ and some integer $e$ such that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$\mbox{gcd}(e, \phi(N)) = 1$.  The private key consists of the composite $N$ and the inverse of $e$ modulo $\phi(N)$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectoften simply denoted as $de \equiv 1\mbox{ }(\mbox{mod }\phi(N))$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA person who wants to encrypt with your public key simply forms an integer (the plaintext) $M$ such that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$1 < M < N-2$ and computes the ciphertext $C = M^e\mbox{ }(\mbox{mod }N)$.  Since finding the inverse exponent $d$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectgiven only $N$ and $e$ appears to be intractable only the owner of the private key can decrypt the ciphertext and compute
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$C^d \equiv \left (M^e \right)^d \equiv M^1 \equiv M\mbox{ }(\mbox{mod }N)$.  Similarly the owner of the private key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcan sign a message by \textit{decrypting} it.  Others can verify it by \textit{encrypting} it.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCurrently RSA is a difficult system to cryptanalyze provided that both primes are large and not close to each other.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIdeally $e$ should be larger than $100$ to prevent direct analysis.  For example, if $e$ is three and you do not pad
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe plaintext to be encrypted than it is possible that $M^3 < N$ in which case finding the cube-root would be trivial.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe most often suggested value for $e$ is $65537$ since it is large enough to make such attacks impossible and also well
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdesigned for fast exponentiation (requires 16 squarings and one multiplication).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is important to pad the input to RSA since it has particular mathematical structure.  For instance
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$M_1^dM_2^d = (M_1M_2)^d$ which can be used to forge a signature.  Suppose $M_3 = M_1M_2$ is a message you want
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto have a forged signature for.  Simply get the signatures for $M_1$ and $M_2$ on their own and multiply the result
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttogether.  Similar tricks can be used to deduce plaintexts from ciphertexts.  It is important not only to sign
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe hash of documents only but also to pad the inputs with data to remove such structure.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{RSA Key Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor RSA routines a single \textit{rsa\_key} structure is used.  To make a new RSA key call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_make\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_make_key(prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  size,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       long  e,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{wprng} is the index into the PRNG descriptor array.  The \textit{size} parameter is the size in bytes of the RSA modulus desired.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{e} parameter is the encryption exponent desired, typical values are 3, 17, 257 and 65537.  Stick with 65537 since it is big enough to prevent
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttrivial math attacks, and not super slow.  The \textit{key} parameter is where the constructed key is placed.  All keys must be at
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectleast 128 bytes, and no more than 512 bytes in size (\textit{that is from 1024 to 4096 bits}).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_free()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: the \textit{rsa\_make\_key()} function allocates memory at run--time when you make the key.  Make sure to call
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{rsa\_free()} (see below) when you are finished with the key.  If \textit{rsa\_make\_key()} fails it will automatically
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfree the memory allocated.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PK\_PRIVATE} \index{PK\_PUBLIC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are two types of RSA keys.  The types are {\bf PK\_PRIVATE} and {\bf PK\_PUBLIC}.  The first type is a private
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRSA key which includes the CRT parameters\footnote{As of v0.99 the PK\_PRIVATE\_OPTIMIZED type has been deprecated, and has been replaced by the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectPK\_PRIVATE type.} in the form of a RSAPrivateKey (PKCS \#1 compliant).  The second type, is a public RSA key which only includes the modulus and public exponent.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt takes the form of a RSAPublicKey (PKCS \#1 compliant).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{RSA Exponentiation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo do raw work with the RSA function, that is without padding, use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_exptmod()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_exptmod(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                int  which,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will load the bignum from \textit{in} as a big endian integer in the format PKCS \#1 specifies, raises it to either \textit{e} or \textit{d} and stores the result
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin \textit{out} and the size of the result in \textit{outlen}. \textit{which} is set to {\bf PK\_PUBLIC} to use \textit{e}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(i.e. for encryption/verifying) and set to {\bf PK\_PRIVATE} to use \textit{d} as the exponent (i.e. for decrypting/signing).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: the output of this function is zero--padded as per PKCS \#1 specification.  This allows this routine to work with PKCS \#1 padding functions properly.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Key Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNormally RSA is used to encrypt short symmetric keys which are then used in block ciphers to encrypt a message.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo facilitate encrypting short keys the following functions have been provided.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_encrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_encrypt_key(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will OAEP pad \textit{in} of length \textit{inlen} bytes, RSA encrypt it, and store the ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin \textit{out} of length \textit{outlen} octets.  The \textit{lparam} and \textit{lparamlen} are the same parameters you would pass
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto \index{pkcs\_1\_oaep\_encode()} pkcs\_1\_oaep\_encode().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.15, the library supports both v1.5 and v2.1 PKCS \#1 style paddings in these higher level functions.  The following is the extended
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencryption function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_encrypt\_key\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_encrypt_key_ex(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  padding,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LTC\_PKCS\_1\_OAEP} \index{LTC\_PKCS\_1\_V1\_5}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe parameters are all the same as for rsa\_encrypt\_key() except for the addition of the \textit{padding} parameter.  It must be set to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{LTC\_PKCS\_1\_V1\_5} to perform v1.5 encryption, or set to \textbf{LTC\_PKCS\_1\_OAEP} to perform v2.1 encryption.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen performing v1.5 encryption, the hash and lparam parameters are totally ignored and can be set to \textbf{NULL} or zero (respectively).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Key Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_decrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_decrypt_key(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will RSA decrypt \textit{in} of length \textit{inlen} then OAEP de-pad the resulting data and store it in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{out} of length \textit{outlen}.  The \textit{lparam} and \textit{lparamlen} are the same parameters you would pass
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto pkcs\_1\_oaep\_decode().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the RSA decrypted data is not a valid OAEP packet then \textit{stat} is set to $0$.  Otherwise, it is set to $1$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.15, the library supports both v1.5 and v2.1 PKCS \#1 style paddings in these higher level functions.  The following is the extended
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdecryption function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_decrypt\_key\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_decrypt_key_ex(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *lparam,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  lparamlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  padding,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to the extended encryption, the new parameter \textit{padding} indicates which version of the PKCS \#1 standard to use.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt must be set to \textbf{LTC\_PKCS\_1\_V1\_5} to perform v1.5 decryption, or set to \textbf{LTC\_PKCS\_1\_OAEP} to perform v2.1 decryption.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen performing v1.5 decryption, the hash and lparam parameters are totally ignored and can be set to \textbf{NULL} or zero (respectively).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Signature Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilar to RSA key encryption RSA is also used to \textit{digitally sign} message digests (hashes).  To facilitate this
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectprocess the following functions have been provided.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_sign\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_sign_hash(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will PSS encode the message digest pointed to by \textit{in} of length \textit{inlen} octets.  Next, the PSS encoded hash will be RSA
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{signed} and the output stored in the buffer pointed to by \textit{out} of length \textit{outlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{hash\_idx} parameter indicates which hash will be used to create the PSS encoding.  It should be the same as the hash used to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthash the message being signed.  The \textit{saltlen} parameter indicates the length of the desired salt, and should typically be small.  A good
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdefault value is between 8 and 16 octets.  Strictly, it must be small than $modulus\_len - hLen - 2$ where \textit{modulus\_len} is the size of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe RSA modulus (in octets), and \textit{hLen} is the length of the message digest produced by the chosen hash.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Signatures}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.15, the library supports both v1.5 and v2.1 signatures.  The extended signature generation function has the following prototype:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_sign\_hash\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_sign_hash_ex(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  padding,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          prng_state    *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  prng_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will PKCS encode the message digest pointed to by \textit{in} of length \textit{inlen} octets.  Next, the PKCS encoded hash will be RSA
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{signed} and the output stored in the buffer pointed to by \textit{out} of length \textit{outlen} octets.  The \textit{padding} parameter
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmust be set to \textbf{LTC\_PKCS\_1\_V1\_5} to produce a v1.5 signature, otherwise, it must be set to \textbf{LTC\_PKCS\_1\_PSS} to produce a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectv2.1 signature.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen performing a v1.5 signature the \textit{prng}, \textit{prng\_idx}, and \textit{hash\_idx} parameters are not checked and can be left to any
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvalues such as $\lbrace$\textbf{NULL}, 0, 0$\rbrace$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Signature Verification}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_verify\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_verify_hash(const unsigned char *sig,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  siglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    const unsigned char *msghash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  msghashlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will RSA \textit{verify} the signature pointed to by \textit{sig} of length \textit{siglen} octets.  Next, the RSA decoded data is PSS decoded
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand the extracted hash is compared against the message digest pointed to by \textit{msghash} of length \textit{msghashlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the RSA decoded data is not a valid PSS message, or if the PSS decoded hash does not match the \textit{msghash}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvalue, \textit{res} is set to $0$.  Otherwise, if the function succeeds, and signature is valid \textit{res} is set to $1$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Verification}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.15, the library supports both v1.5 and v2.1 signature verification.  The extended signature verification function has the following prototype:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_verify\_hash\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_verify_hash_ex(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *sig,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  siglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    const unsigned char *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  hashlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  padding,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project          unsigned long  saltlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will RSA \textit{verify} the signature pointed to by \textit{sig} of length \textit{siglen} octets.  Next, the RSA decoded data is PKCS decoded
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand the extracted hash is compared against the message digest pointed to by \textit{msghash} of length \textit{msghashlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf the RSA decoded data is not a valid PSS message, or if the PKCS decoded hash does not match the \textit{msghash}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvalue, \textit{res} is set to $0$.  Otherwise, if the function succeeds, and signature is valid \textit{res} is set to $1$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{padding} parameter must be set to \textbf{LTC\_PKCS\_1\_V1\_5} to perform a v1.5 verification.  Otherwise, it must be set to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{LTC\_PKCS\_1\_PSS} to perform a v2.1 verification.  When performing a v1.5 verification the \textit{hash\_idx} parameter is ignored.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Encryption Example}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int           err, hash_idx, prng_idx, res;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long l1, l2;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char pt[16], pt2[16], out[1024];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   rsa_key       key;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register prng/hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_prng(&sprng_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering sprng");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* register a math library (in this case TomsFastMath)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   ltc_mp = tfm_desc;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if (register_hash(&sha1_desc) == -1) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      printf("Error registering sha1");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hash_idx = find_hash("sha1");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   prng_idx = find_prng("sprng");
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* make an RSA-1024 key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rsa_make_key(NULL,     /* PRNG state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           prng_idx, /* PRNG idx */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           1024/8,   /* 1024-bit key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           65537,    /* we like e=65537 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           &key)     /* where to store the key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("rsa_make_key %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* fill in pt[] with a key we want to send ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   l1 = sizeof(out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rsa_encrypt_key(pt, /* data we wish to encrypt */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              16, /* data is 16 bytes long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             out, /* where to store ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             &l1, /* length of ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       "TestApp", /* our lparam for this program */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               7, /* lparam is 7 bytes long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            NULL, /* PRNG state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        prng_idx, /* prng idx */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        hash_idx, /* hash idx */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            &key) /* our RSA key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("rsa_encrypt_key %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* now let's decrypt the encrypted key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   l2 = sizeof(pt2);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err = rsa_decrypt_key(out, /* encrypted data */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               l1, /* length of ciphertext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              pt2, /* where to put plaintext */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              &l2, /* plaintext length */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        "TestApp", /* lparam for this program */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                7, /* lparam is 7 bytes long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         hash_idx, /* hash idx */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             &res, /* validity of data */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             &key) /* our RSA key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        ) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       printf("rsa_decrypt_key %s", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       return EXIT_FAILURE;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /* if all went well pt == pt2, l2 == 16, res == 1 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{RSA Key Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe RSA key format adopted for exporting and importing keys is the PKCS \#1 format defined by the ASN.1 constructs known as
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRSAPublicKey and RSAPrivateKey.  Additionally, the OpenSSL key format is supported by the import function only.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{RSA Key Export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo export a RSA key use the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_export()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_export(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         int  type,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will export the RSA key in either a RSAPublicKey or RSAPrivateKey (PKCS \#1 types) depending on the value of \textit{type}.  When it is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectset to \textbf{PK\_PRIVATE} the export format will be RSAPrivateKey and otherwise it will be RSAPublicKey.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{RSA Key Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo import a RSA key use the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{rsa\_import()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rsa_import(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the key stored in \textit{inlen} and import it to \textit{key}.  If the function fails it will automatically free any allocated memory.  This
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction can import both RSAPublicKey and RSAPrivateKey formats.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.06 this function can also import OpenSSL DER formatted public RSA keys.  They are essentially encapsulated RSAPublicKeys.  LibTomCrypt will
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectimport the key, strip off the additional data (it's the preferred hash) and fill in the rsa\_key structure as if it were a native RSAPublicKey.  Note that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthere is no function provided to export in this format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Elliptic Curve Cryptography}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Background}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library provides a set of core ECC functions as well that are designed to be the Elliptic Curve analogy of all of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectDiffie-Hellman routines in the previous chapter.  Elliptic curves (of certain forms) have the benefit that they are harder
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto attack (no sub-exponential attacks exist unlike normal DH crypto) in fact the fastest attack requires the square root
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the order of the base point in time.  That means if you use a base point of order $2^{192}$ (which would represent a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project192-bit key) then the work factor is $2^{96}$ in order to find the secret key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe curves in this library are taken from the following website:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthttp://csrc.nist.gov/cryptval/dss.htm
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.15 three new curves from the SECG standards are also included they are the secp112r1, secp128r1, and secp160r1 curves.  These curves were added to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsupport smaller devices which do not need as large keys for security.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThey are all curves over the integers modulo a prime.  The curves have the basic equation that is:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecty^2 = x^3 - 3x + b\mbox{ }(\mbox{mod }p)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe variable $b$ is chosen such that the number of points is nearly maximal.  In fact the order of the base points $\beta$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectprovided are very close to $p$ that is $\vert \vert \phi(\beta) \vert \vert \approx \vert \vert p \vert \vert$.  The curves
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrange in order from $\approx 2^{112}$ points to $\approx 2^{521}$.  According to the source document any key size greater
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthan or equal to 256-bits is sufficient for long term security.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Fixed Point Optimizations}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Fixed Point ECC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{MECC\_FP}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.12 of LibTomCrypt, support for Fixed Point ECC point multiplication has been added.  It is a generic optimization that is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsupported by any conforming math plugin.  It is enabled by defining \textbf{MECC\_FP} during the build, such as
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DTFM_DESC -DMECC_FP" make
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhich will build LTC using the TFM math library and enabling this new feature.  The feature is not enabled by default as it is \textbf{NOT} thread
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsafe (by default).  It supports the LTC locking macros (such as by enabling LTC\_PTHREAD), but by default is not locked.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{FP\_ENTRIES}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe optimization works by using a Fixed Point multiplier on any base point you use twice or more in a short period of time.  It has a limited size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcache (of FP\_ENTRIES entries) which it uses to hold recent bases passed to ltc\_ecc\_mulmod().  Any base detected to be used twice is sent through the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpre--computation phase, and then the fixed point algorithm can be used.  For example, if you use a NIST base point twice in a row, the 2$^{nd}$ and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectall subsequent point multiplications with that point will use the faster algorithm.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{FP\_LUT}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe optimization uses a window on the multiplicand of FP\_LUT bits (default: 8, min: 2, max: 12), and this controls the memory/time trade-off. The larger the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvalue the faster the algorithm will be but the more memory it will take.  The memory usage is $3 \cdot 2^{FP\_LUT}$ integers which by default
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith TFM amounts to about 400kB of memory.  Tuning TFM (by changing FP\_SIZE) can decrease the usage by a fair amount.  Memory is only used by a cache entry
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif it is active.  Both FP\_ENTRIES and FP\_LUT are definable on the command line if you wish to override them. For instance,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DTFM_DESC -DMECC_FP -DFP_ENTRIES=8 -DFP_LUT=6" make
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{flushleft}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{FP\_SIZE} \index{TFM} \index{tfm.h}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwould define a window of 6 bits and limit the cache to 8 entries.  Generally, it is better to first tune TFM by adjusting FP\_SIZE (from tfm.h).  It defaults
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto 4096 bits (512 bytes) which is way more than what is required by ECC.  At most, you need 1152 bits to accommodate ECC--521.  If you're only using (say)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECC--256 you will only need 576 bits, which would reduce the memory usage by 700\%.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{flushleft}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt uses a unique format for ECC public and private keys.  While ANSI X9.63 partially specifies key formats, it does it in a less than ideally simple manner.  \
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the case of LibTomCrypt, it is meant \textbf{solely} for NIST and SECG $GF(p)$ curves.  The format of the keys is as follows:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ECC Key Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECCPublicKey ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    flags       BIT STRING(0), -- public/private flag (always zero),
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    keySize     INTEGER,       -- Curve size (in bits) divided by eight
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               -- and rounded down, e.g. 521 => 65
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    pubkey.x    INTEGER,       -- The X co-ordinate of the public key point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    pubkey.y    INTEGER,       -- The Y co-ordinate of the public key point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECCPrivateKey ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    flags       BIT STRING(1), -- public/private flag (always one),
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    keySize     INTEGER,       -- Curve size (in bits) divided by eight
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               -- and rounded down, e.g. 521 => 65
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    pubkey.x    INTEGER,       -- The X co-ordinate of the public key point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    pubkey.y    INTEGER,       -- The Y co-ordinate of the public key point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    secret.k    INTEGER,       -- The secret key scalar
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe first flags bit denotes whether the key is public (zero) or private (one).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\vfil
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{ECC Curve Parameters}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library uses the following structure to describe an elliptic curve.  This is used internally, as well as by the new
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectextended ECC functions which allow the user to specify their own curves.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ltc\_ecc\_set\_type}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/** Structure defines a NIST GF(p) curve */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The size of the curve in octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int size;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** name of curve */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The prime that defines the field (encoded in hex) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *prime;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The fields B param (hex) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *B;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The order of the curve (hex) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *order;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The x co-ordinate of the base point on the curve (hex) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *Gx;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** The y co-ordinate of the base point on the curve (hex) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *Gy;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} ltc_ecc_set_type;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe curve must be of the form $y^2 = x^3 - 3x + b$, and all of the integer parameters are encoded in hexadecimal format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Core Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Key Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere is a key structure called \textit{ecc\_key} used by the ECC functions.  There is a function to make a key:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_make\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_make_key(prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  keysize,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{keysize} is the size of the modulus in bytes desired.  Currently directly supported values are 12, 16, 20, 24, 28, 32, 48, and 65 bytes which
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcorrespond to key sizes of 112, 128, 160, 192, 224, 256, 384, and 521 bits respectively.  If you pass a key size that is between any key size it will round
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe keysize up to the next available one.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe function will free any internally allocated resources if there is an error.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Key Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.16, the library supports an extended key generation routine which allows the user to specify their own curve.  It is specified as follows:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_make\_key\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint  ecc_make_key_ex(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                 prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_key *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     const ltc_ecc_set_type *dp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function generates a random ECC key over the curve specified by the parameters by \textit{dp}.  The rest of the parameters are equivalent to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthose from the original key generation function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Key Free}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo free the memory allocated by a ecc\_make\_key(), ecc\_make\_key\_ex(), ecc\_import(), or ecc\_import\_ex() call use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_free()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid ecc_free(ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Key Export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo export an ECC key using the LibTomCrypt format call the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_export()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_export(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         int  type,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will export the key with the given \textit{type} (\textbf{PK\_PUBLIC} or \textbf{PK\_PRIVATE}), and store it to \textit{out}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Key Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function imports a LibTomCrypt format ECC key:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_import()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_import(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the ECC key from \textit{in}, and store it in the ecc\_key structure pointed to by \textit{key}.  If the operation fails it will free
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectany allocated memory automatically.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended Key Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function imports a LibTomCrypt format ECC key using a specified set of curve parameters:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_import\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint  ecc_import_ex(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               ecc_key *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const ltc_ecc_set_type *dp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the key from the array pointed to by \textit{in} of length \textit{inlen} octets.  The key is stored in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe ECC structure pointed to by \textit{key}.  The curve is specified by the parameters pointed to by \textit{dp}.  The function will free
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectall internally allocated memory upon error.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ANSI X9.63 Export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function exports an ECC public key in the ANSI X9.63 format:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_ansi\_x963\_export()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_ansi_x963_export(      ecc_key *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ECC key pointed to by \textit{key} is exported in public fashion to the array pointed to by \textit{out}.  The ANSI X9.63 format used is from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsection 4.3.6 of the standard.  It does not allow for the export of private keys.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ANSI X9.63 Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function imports an ANSI X9.63 section 4.3.6 format public ECC key:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_ansi\_x963\_import()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_ansi_x963_import(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                     ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the key stored in the array pointed to by \textit{in} of length \textit{inlen} octets.  The imported key is stored in the ECC key pointed to by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{key}.  The function will free any allocated memory upon error.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Extended ANSI X9.63 Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function allows the importing of an ANSI x9.63 section 4.3.6 format public ECC key using user specified domain parameters:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_ansi\_x963\_import\_ex()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_ansi_x963_import_ex(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                        ecc_key *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               ltc_ecc_set_type *dp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the key stored in the array pointed to by \textit{in} of length \textit{inlen} octets using the domain parameters pointed to by \textit{dp}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe imported key is stored in the ECC key pointed to by \textit{key}.  The function will free any allocated memory upon error.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Shared Secret}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo construct a Diffie-Hellman shared secret with a private and public ECC key, use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_shared\_secret()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_shared_secret(      ecc_key *private_key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            ecc_key *public_key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{private\_key} is typically the local private key, and \textit{public\_key} is the key the remote party has shared.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote: this function stores only the $x$ co-ordinate of the shared elliptic point as described in ANSI X9.63 ECC--DH.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{ECC Diffie-Hellman Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECC--DH Encryption is performed by producing a random key, hashing it, and XOR'ing the digest against the plaintext.  It is not strictly ANSI X9.63 compliant
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbut it is very similar.  It has been extended by using an ASN.1 sequence and hash object identifiers to allow portable usage.  The following function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencrypts a short string (no longer than the message digest) using this technique:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC-DH Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_encrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_encrypt_key(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs the name implies this function encrypts a (symmetric) key, and is not intended for encrypting long messages directly.  It will encrypt the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectplaintext in the array pointed to by \textit{in} of length \textit{inlen} octets.  It uses the public ECC key pointed to by \textit{key}, and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthash algorithm indexed by \textit{hash} to construct a shared secret which may be XOR'ed against the plaintext.  The ciphertext is stored in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe output buffer pointed to by \textit{out} of length \textit{outlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe data is encrypted to the public ECC \textit{key} such that only the holder of the private key can decrypt the payload.  To have multiple
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrecipients multiple call to this function for each public ECC key is required.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC-DH Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_decrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_decrypt_key(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will decrypt an encrypted payload.  The \textit{key} provided must be the private key corresponding to the public key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectused during encryption.  If the wrong key is provided the function will not specifically return an error code.  It is important
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto use some form of challenge response in that case (e.g. compute a MAC of a known string).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Encryption Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe packet format for the encrypted keys is the following ASN.1 SEQUENCE:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectECCEncrypt ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   hashID        OBJECT IDENTIFIER, -- OID of hash used
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   pubkey        OCTET STRING     , -- Encapsulated ECCPublicKey
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   skey          OCTET STRING       -- xor of plaintext and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    --"hash of shared secret"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{EC DSA Signatures}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are also functions to sign and verify messages.  They use the ANSI X9.62 EC-DSA algorithm to generate and verify signatures in the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectANSI X9.62 format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{EC-DSA Signature Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo sign a message digest (hash) use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_sign\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_sign_hash(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will EC--DSA sign the message digest stored in the array pointed to by \textit{in} of length \textit{inlen} octets.  The signature
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill be stored in the array pointed to by \textit{out} of length \textit{outlen} octets.  The function requires a properly seeded PRNG, and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe ECC \textit{key} provided must be a private key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{EC-DSA Signature Verification}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ecc\_verify\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint ecc_verify_hash(const unsigned char *sig,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  siglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    const unsigned char *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  hashlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                ecc_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will verify the EC-DSA signature in the array pointed to by \textit{sig} of length \textit{siglen} octets, against the message digest
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpointed to by the array \textit{hash} of length \textit{hashlen}.  It will store a non--zero value in \textit{stat} if the signature is valid.  Note:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe function will not return an error if the signature is invalid.  It will return an error, if the actual signature payload is an invalid format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ECC \textit{key} must be the public (or private) ECC key corresponding to the key that performed the signature.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Signature Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe signature code is an implementation of X9.62 EC--DSA, and the output is compliant for GF(p) curves.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{ECC Keysizes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWith ECC if you try to sign a hash that is bigger than your ECC key you can run into problems.  The math will still work, and in effect the signature will still
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwork.  With ECC keys the strength of the signature is limited by the size of the hash, or the size of they key, whichever is smaller.  For example, if you sign with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSHA256 and an ECC-192 key, you in effect have 96--bits of security.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library will not warn you if you make this mistake, so it is important to check yourself before using the signatures.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Digital Signature Algorithm}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe Digital Signature Algorithm (or DSA) is a variant of the ElGamal Signature scheme which has been modified to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectreduce the bandwidth of the signatures.  For example, to have \textit{80-bits of security} with ElGamal, you need a group with an order of at least 1024--bits.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWith DSA, you need a group of order at least 160--bits.  By comparison, the ElGamal signature would require at least 256 bytes of storage, whereas the DSA signature
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwould require only at least 40 bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Format}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSince no useful public standard for DSA key storage was presented to me during the course of this development I made my own ASN.1 SEQUENCE which I document
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnow so that others can interoperate with this library.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectDSAPublicKey ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    publicFlags    BIT STRING(0), -- must be 0
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    g              INTEGER      , -- base generator
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- check that g^q mod p == 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- and that 1 < g < p - 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    p              INTEGER      , -- prime modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    q              INTEGER      , -- order of sub-group
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- (must be prime)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    y              INTEGER      , -- public key, specifically,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- g^x mod p,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- check that y^q mod p == 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- and that 1 < y < p - 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectDSAPrivateKey ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    publicFlags    BIT STRING(1), -- must be 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    g              INTEGER      , -- base generator
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- check that g^q mod p == 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- and that 1 < g < p - 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    p              INTEGER      , -- prime modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    q              INTEGER      , -- order of sub-group
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- (must be prime)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    y              INTEGER      , -- public key, specifically,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- g^x mod p,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- check that y^q mod p == 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  -- and that 1 < y < p - 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    x              INTEGER        -- private key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe leading BIT STRING has a single bit in it which is zero for public keys and one for private keys.  This makes the structure uniquely decodable,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand easy to work with.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo make a DSA key you must call the following function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_make_key(prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  group_size,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        int  modulus_size,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe variable \textit{prng} is an active PRNG state and \textit{wprng} the index to the descriptor.  \textit{group\_size} and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{modulus\_size} control the difficulty of forging a signature.  Both parameters are in bytes.  The larger the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{group\_size} the more difficult a forgery becomes upto a limit.  The value of $group\_size$ is limited by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$15 < group\_size < 1024$ and $modulus\_size - group\_size < 512$.  Suggested values for the pairs are as follows.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline \textbf{Bits of Security} & \textbf{group\_size} & \textbf{modulus\_size} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline 80  & 20 & 128 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline 120 & 30 & 256 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline 140 & 35 & 384 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline 160 & 40 & 512 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{DSA Key Sizes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen you are finished with a DSA key you can call the following function to free the memory used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_free()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid dsa_free(dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Verification}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEach DSA key is composed of the following variables.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project  \item $q$ a small prime of magnitude $256^{group\_size}$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project  \item $p = qr + 1$ a large prime of magnitude $256^{modulus\_size}$ where $r$ is a random even integer.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project  \item $g = h^r \mbox{ (mod }p\mbox{)}$ a generator of order $q$ modulo $p$.  $h$ can be any non-trivial random
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        value.  For this library they start at $h = 2$ and step until $g$ is not $1$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project  \item $x$ a random secret (the secret key) in the range $1 < x < q$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project  \item $y = g^x \mbox{ (mod }p\mbox{)}$ the public key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA DSA key is considered valid if it passes all of the following tests.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $q$ must be prime.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $p$ must be prime.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $g$ cannot be one of $\lbrace -1, 0, 1 \rbrace$ (modulo $p$).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $g$ must be less than $p$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $(p-1) \equiv 0 \mbox{ (mod }q\mbox{)}$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $g^q \equiv 1 \mbox{ (mod }p\mbox{)}$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $1 < y < p - 1$
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item $y^q \equiv 1 \mbox{ (mod }p\mbox{)}$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTests one and two ensure that the values will at least form a field which is required for the signatures to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction.  Tests three and four ensure that the generator $g$ is not set to a trivial value which would make signature
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectforgery easier.  Test five ensures that $q$ divides the order of multiplicative sub-group of $\Z/p\Z$. Test six
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectensures that the generator actually generates a prime order group.  Tests seven and eight ensure that the public key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis within range and belongs to a group of prime order.  Note that test eight does not prove that $g$ generated $y$ only
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat $y$ belongs to a multiplicative sub-group of order $q$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following function will perform these tests.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_verify\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_verify_key(dsa_key *key, int *stat);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will test \textit{key} and store the result in \textit{stat}.  If the result is $stat = 0$ the DSA key failed one of the tests
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand should not be used at all.  If the result is $stat = 1$ the DSA key is valid (as far as valid mathematics are concerned).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Signatures}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Signature Generation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo generate a DSA signature call the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_sign\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_sign_hash(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will sign the data in \textit{in} of length \textit{inlen} bytes.  The signature is stored in \textit{out} and the size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof the signature in \textit{outlen}.  If the signature is longer than the size you initially specify in \textit{outlen} nothing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis stored and the function returns an error code.  The DSA \textit{key} must be of the \textbf{PK\_PRIVATE} persuasion.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Signature Verification}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo verify a hash created with that function use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_verify\_hash()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_verify_hash(const unsigned char *sig,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  siglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    const unsigned char *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int *stat,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhich will verify the data in \textit{hash} of length \textit{inlen} against the signature stored in \textit{sig} of length \textit{siglen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt will set \textit{stat} to $1$ if the signature is valid, otherwise it sets \textit{stat} to $0$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{DSA Encrypt and Decrypt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of version 1.07, the DSA keys can be used to encrypt and decrypt small payloads.  It works similar to the ECC encryption where
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta shared key is computed, and the hash of the shared key XOR'ed against the plaintext forms the ciphertext.  The format used is functional port of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe ECC encryption format to the DSA algorithm.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{DSA Encryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will encrypt a small payload with a recipients public DSA key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_encrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_encrypt_key(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    int  hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will encrypt the payload in \textit{in} of length \textit{inlen} and store the ciphertext in the output buffer \textit{out}.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlength of the ciphertext \textit{outlen} must be originally set to the length of the output buffer.  The DSA \textit{key} can be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta public key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{DSA Decryption}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_decrypt\_key()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_decrypt_key(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decrypt the ciphertext \textit{in} of length \textit{inlen}, and store the original payload in \textit{out} of length \textit{outlen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe DSA \textit{key} must be a private key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{DSA Key Import and Export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{DSA Key Export}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo export a DSA key so that it can be transported use the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_export()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_export(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         int  type,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will export the DSA \textit{key} to the buffer \textit{out} and set the length in \textit{outlen} (which must have been previously
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinitialized to the maximum buffer size).  The \textit{type} variable may be either \textbf{PK\_PRIVATE} or \textbf{PK\_PUBLIC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdepending on whether you want to export a private or public copy of the DSA key.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{DSA Key Import}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo import an exported DSA key use the following function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{dsa\_import()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint dsa_import(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           dsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will import the DSA key from the buffer \textit{in} of length \textit{inlen} to the \textit{key}.  If the process fails the function
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill automatically free all of the heap allocated in the process (you don't have to call dsa\_free()).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Standards Support}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{ASN.1 Formats}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt supports a variety of ASN.1 data types encoded with the Distinguished Encoding Rules (DER) suitable for various cryptographic protocols.  The data types
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectare all provided with three basic functions with \textit{similar} prototypes.  One function has been dedicated to calculate the length in octets of a given
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectformat, and two functions have been dedicated to encoding and decoding the format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOn top of the basic data types are the SEQUENCE and SET data types which are collections of other ASN.1 types.  They are provided
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin the same manner as the other data types except they use list of objects known as the \textbf{ltc\_asn1\_list} structure.  It is defined as the following:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ltc\_asn1\_list structure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int                    type;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   void                  *data;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long          size;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int                    used;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   struct ltc_asn1_list_ *prev,  *next,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         *child, *parent;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} ltc_asn1_list;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LTC\_SET\_ASN1 macro}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{type} field is one of the following ASN.1 field definitions.  The \textit{data} pointer is a void pointer to the data to be encoded (or the destination) and the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{size} field is specific to what you are encoding (e.g. number of bits in the BIT STRING data type).  The \textit{used} field is primarily for the CHOICE decoder
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand reflects if the particular member of a list was the decoded data type.  To help build the lists in an orderly fashion the macro
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{LTC\_SET\_ASN1(list, index, Type, Data, Size)} has been provided.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt will assign to the \textit{index}th position in the \textit{list} the triplet (Type, Data, Size).  An example usage would be:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project...
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectltc_asn1_list   sequence[3];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long   three=3;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, 0, LTC_ASN1_IA5_STRING,    "hello", 5);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, 1, LTC_ASN1_SHORT_INTEGER, &three,  1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, 2, LTC_ASN1_NULL,           NULL,   0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe macro is relatively safe with respect to modifying variables, for instance the following code is equivalent.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project...
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectltc_asn1_list   sequence[3];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long   three=3;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint             x=0;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, x++, LTC_ASN1_IA5_STRING,    "hello", 5);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, x++, LTC_ASN1_SHORT_INTEGER, &three,  1);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLTC_SET_ASN1(sequence, x++, LTC_ASN1_NULL,           NULL,   0);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|l|l|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline \textbf{Definition}           & \textbf{ASN.1 Type} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_EOL                & End of a ASN.1 list structure. \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_BOOLEAN            & BOOLEAN type \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_INTEGER            & INTEGER (uses mp\_int) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_SHORT\_INTEGER     & INTEGER (32--bit using unsigned long) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_BIT\_STRING        & BIT STRING (one bit per char) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_OCTET\_STRING      & OCTET STRING (one octet per char) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_NULL               & NULL \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_OBJECT\_IDENTIFIER & OBJECT IDENTIFIER  \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_IA5\_STRING        & IA5 STRING (one octet per char) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_UTF8\_STRING       & UTF8 STRING (one wchar\_t per char) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_PRINTABLE\_STRING  & PRINTABLE STRING (one octet per char) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_UTCTIME            & UTCTIME (see ltc\_utctime structure) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_SEQUENCE           & SEQUENCE (and SEQUENCE OF) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_SET                & SET \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_SETOF              & SET OF \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline LTC\_ASN1\_CHOICE             & CHOICE \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{List of ASN.1 Supported Types}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{SEQUENCE Type}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe SEQUENCE data type is a collection of other ASN.1 data types encapsulated with a small header which is a useful way of sending multiple data types in one packet.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SEQUENCE Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encode a sequence a \textbf{ltc\_asn1\_list} array must be initialized with the members of the sequence and their respective pointers.  The encoding is performed
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwith the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_sequence()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_sequence(ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis encodes a sequence of items pointed to by \textit{list} where the list has \textit{inlen} items in it.  The SEQUENCE will be encoded to \textit{out} and of length \textit{outlen}.  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction will terminate when it reads all the items out of the list (upto \textit{inlen}) or it encounters an item in the list with a type of \textbf{LTC\_ASN1\_EOL}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{data} pointer in the list would be the same pointer you would pass to the respective ASN.1 encoder (e.g. der\_encode\_bit\_string()) and it is simply passed on
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectverbatim to the dependent encoder.  The list can contain other SEQUENCE or SET types which enables you to have nested SEQUENCE and SET definitions.  In these cases
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe \textit{data} pointer is simply a pointer to another \textbf{ltc\_asn1\_list}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SEQUENCE Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_decode\_sequence()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectDecoding a SEQUENCE is similar to encoding.  You set up an array of \textbf{ltc\_asn1\_list} where in this case the \textit{size} member is the maximum size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project(in certain cases).  For types such as IA5 STRING, BIT STRING, OCTET STRING (etc) the \textit{size} field is updated after successful decoding to reflect how many
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunits of the respective type has been loaded.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_sequence(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              unsigned long  outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decode upto \textit{outlen} items from the input buffer \textit{in} of length \textit{inlen} octets.  The function will stop (gracefully) when it runs out of items to decode.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt will fail (for among other reasons) when it runs out of input bytes to read, a data type is invalid or a heap failure occurred.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor the following types the \textit{size} field will be updated to reflect the number of units read of the given type.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item BIT STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item OCTET STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item OBJECT IDENTIFIER
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item IA5 STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item PRINTABLE STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SEQUENCE Length}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe length of a SEQUENCE can be determined with the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_length\_sequence()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_sequence(ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will get the encoding size for the given \textit{list} of length \textit{inlen} and store it in \textit{outlen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SEQUENCE Multiple Argument Lists}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor small or simple sequences an encoding or decoding can be performed with one of the following two functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_sequence\_multi()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_decode\_sequence\_multi()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_sequence_multi(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                              unsigned long *outlen, ...);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_sequence_multi(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    unsigned long  inlen, ...);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese either encode or decode (respectively) a SEQUENCE data type where the items in the sequence are specified after the length parameter.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe list of items are specified as a triple of the form \textit{(type, size, data)}  where \textit{type} is an \textbf{int}, \textit{size} is a \textbf{unsigned long}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand \textit{data} is \textbf{void} pointer.  The list of items must be terminated with an item with the type \textbf{LTC\_ASN1\_EOL}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is ideal that you cast the \textit{size} values to unsigned long to ensure that the proper data type is passed to the function.  Constants such as \textit{1} without
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta cast or prototype are of type \textbf{int} by default.  Appending \textit{UL} or pre-pending \textit{(unsigned long)} is enough to cast it to the correct type.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned char buf[MAXBUFSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long buflen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   buflen = sizeof(buf);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   if ((err =
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        der_encode_sequence_multi(buf, &buflen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        LTC_ASN1_IA5_STRING, 5UL, "Hello",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        LTC_ASN1_IA5_STRING, 7UL, " World!",
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        LTC_ASN1_EOL,        0UL, NULL)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      // error handling
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis example encodes a SEQUENCE with two IA5 STRING types containing ``Hello'' and `` World!'' respectively.  Note the usage of the \textbf{UL} modifier
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton the size parameters.  This forces the compiler to pass the numbers as the required \textbf{unsigned long} type that the function expects.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{SET and SET OF}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{SET} \index{SET OF}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSET and SET OF are related to the SEQUENCE type in that they can be pretty much be decoded with the same code.  However, they are different, and they should
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbe carefully noted.  The SET type is an unordered array of ASN.1 types sorted by the TAG (type identifier), whereas the SET OF type is an ordered array of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta \textbf{single} ASN.1 object sorted in ascending order by the DER their respective encodings.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSETs use the same array structure of ltc\_asn1\_list that the SEQUENCE functions use.  They are encoded with the following function:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_set()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_set(ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will encode the list of ASN.1 objects in \textit{list} of length \textit{inlen} objects, and store the output in \textit{out} of length \textit{outlen} bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe function will make a copy of the list provided, and sort it by the TAG.  Objects with identical TAGs are additionally sorted on their original placement in the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectarray (to make the process deterministic).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function will \textbf{NOT} recognize \textit{DEFAULT} objects, and it is the responsibility of the caller to remove them as required.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe SET type can be decoded with the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_decode\_set()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_set(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long  outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decode the SET specified by \textit{list} of length \textit{outlen} objects from the input buffer \textit{in} of length \textit{inlen} octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt handles the fact that SETs are not strictly ordered and will make multiple passes (as required) through the list to decode all the objects.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET Length}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe length of a SET can be determined by calling der\_length\_sequence() since they have the same encoding length.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET OF Encoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA \textit{SET OF} object is an array of identical objects (e.g. OCTET STRING) sorted in ascending order by the DER encoding of the object.  They are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectused to store objects deterministically based solely on their encoding.  It uses the same array structure of ltc\_asn1\_list that the SEQUENCE functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectuse.  They are encoded with the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_setof()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_setof(ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                     unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will encode a \textit{SET OF} containing the \textit{list} of \textit{inlen} ASN.1 objects and store the encoding in the output buffer \textit{out} of length \textit{outlen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe routine will first encode the SET OF in an unordered fashion (in a temporary buffer) then sort using the XQSORT macro and copy back to the output buffer.  This
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmeans you need at least enough memory to keep an additional copy of the output on the heap.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET OF Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSince the decoding of a \textit{SET OF} object is unambiguous it can be decoded with der\_decode\_sequence().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{SET OF Length}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLike the SET type the der\_length\_sequence() function can be used to determine the length of a \textit{SET OF} object.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 INTEGER}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encode or decode INTEGER data types use the following functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_integer()}\index{der\_decode\_integer()}\index{der\_length\_integer()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_integer(         void *num,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_integer(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      void *num);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_integer(         void *num,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long *len);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode a signed INTEGER data type using the bignum data type to store the large INTEGER.  To encode smaller values without allocating
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta bignum to store the value, the \textit{short} INTEGER functions were made available.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_short\_integer()}\index{der\_decode\_short\_integer()}\index{der\_length\_short\_integer()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_short_integer(unsigned long  num,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_short_integer(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                   unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                   unsigned long *num);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_short_integer(unsigned long  num,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an unsigned \textbf{unsigned long} type (only reads upto 32--bits).  For values in the range $0 \dots 2^{32} - 1$ the integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand short integer functions can encode and decode each others outputs.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 BIT STRING}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_bit\_string()}\index{der\_decode\_bit\_string()}\index{der\_length\_bit\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_bit_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_bit_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_bit_string(unsigned long  nbits,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode a BIT STRING data type.  The bits are passed in (or read out) using one \textbf{char} per bit.  A non--zero value will be interpreted
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas a one bit, and a zero value a zero bit.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 OCTET STRING}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_octet\_string()}\index{der\_decode\_octet\_string()}\index{der\_length\_octet\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_octet_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_octet_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_octet_string(unsigned long  noctets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an OCTET STRING data type.  The octets are stored using one \textbf{unsigned char} each.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 OBJECT IDENTIFIER}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_object\_identifier()}\index{der\_decode\_object\_identifier()}\index{der\_length\_object\_identifier()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_object_identifier(unsigned long *words,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long  nwords,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_object_identifier(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                       unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                       unsigned long *words,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                       unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_object_identifier(unsigned long *words,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long  nwords,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an OBJECT IDENTIFIER object.  The words of the OID are stored in individual \textbf{unsigned long} elements, and must be in the range
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$0 \ldots 2^{32} - 1$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 IA5 STRING}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_ia5\_string()}\index{der\_decode\_ia5\_string()}\index{der\_length\_ia5\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_ia5_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_ia5_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_ia5_string(const unsigned char *octets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long  noctets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an IA5 STRING.  The characters are read or stored in individual \textbf{char} elements.  These functions performs internal character
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto numerical conversions based on the conventions of the compiler being used.  For instance, on an x86\_32 machine 'A' == 65 but the same may not be true on
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsay a SPARC machine.  Internally, these functions have a table of literal characters and their numerical ASCII values.  This provides a stable conversion provided
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat the build platform honours the run--time platforms character conventions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 PRINTABLE STRING}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_printable\_string()}\index{der\_decode\_printable\_string()}\index{der\_length\_printable\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_printable_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_printable_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_printable_string(const unsigned char *octets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long  noctets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                      unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an PRINTABLE STRING.  The characters are read or stored in individual \textbf{char} elements.  These functions performs internal character
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto numerical conversions based on the conventions of the compiler being used.  For instance, on an x86\_32 machine 'A' == 65 but the same may not be true on
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsay a SPARC machine.  Internally, these functions have a table of literal characters and their numerical ASCII values.  This provides a stable conversion provided
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat the build platform honours the run-time platforms character conventions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 UTF8 STRING}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_utf8\_string()}\index{der\_decode\_utf8\_string()}\index{der\_length\_utf8\_string()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_utf8_string(const wchar_t *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_utf8_string(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                       wchar_t *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_utf8_string(const wchar_t *octets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long  noctets,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese will encode or decode an UTF8 STRING.  The characters are read or stored in individual \textbf{wchar\_t} elements.  These function performs no internal
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmapping and treat the characters as literals.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese functions use the \textbf{wchar\_t} type which is not universally available.  In those cases, the library will typedef it to \textbf{unsigned long}.  If you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectintend to use the ISO C functions for working with wide--char arrays, you should make sure that wchar\_t has been defined previously.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 UTCTIME}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe UTCTIME type is to store a date and time in ASN.1 format.  It uses the following structure to organize the time.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ltc\_utctime structure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned YY, /* year    00--99 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            MM, /* month   01--12 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            DD, /* day     01--31 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            hh, /* hour    00--23 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            mm, /* minute  00--59 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            ss, /* second  00--59 */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            off_dir, /* timezone offset direction 0 == +, 1 == - */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            off_hh, /* timezone offset hours */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project            off_mm; /* timezone offset minutes */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} ltc_utctime;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe time can be offset plus or minus a set amount of hours (off\_hh) and minutes (off\_mm).  When \textit{off\_dir} is zero, the time will be added otherwise it
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill be subtracted.  For instance, the array $\lbrace 5, 6, 20, 22, 4, 00, 0, 5, 0 \rbrace$ represents the current time of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{2005, June 20th, 22:04:00} with a time offset of +05h00.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_encode\_utctime()}\index{der\_decode\_utctime()}\index{der\_length\_utctime()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_encode_utctime(  ltc_utctime *utctime,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_utctime(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long *inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                               ltc_utctime *out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_length_utctime(  ltc_utctime *utctime,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe encoder will store time in one of the two ASN.1 formats, either \textit{YYMMDDhhmmssZ} or \textit{YYMMDDhhmmss$\pm$hhmm}, and perform minimal error checking on the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinput.  The decoder will read all valid ASN.1 formats and perform range checking on the values (not complete but rational) useful for catching packet errors.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt is suggested that decoded data be further scrutinized (e.g. days of month in particular).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 CHOICE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe CHOICE ASN.1 type represents a union of ASN.1 types all of which are stored in a \textit{ltc\_asn1\_list}.  There is no encoder for the CHOICE type, only a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdecoder.  The decoder will scan through the provided list attempting to use the appropriate decoder on the input packet.  The list can contain any ASN.1 data
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttype\footnote{Except it cannot have LTC\_ASN1\_INTEGER and LTC\_ASN1\_SHORT\_INTEGER simultaneously.} except for other CHOICE types.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere is no encoder for the CHOICE type as the actual DER encoding is the encoding of the chosen type.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_decode\_choice()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint der_decode_choice(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            unsigned long *inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            ltc_asn1_list *list,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            unsigned long  outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decode the input in the \textit{in} field of length \textit{inlen}.  It uses the provided ASN.1 list specified in the \textit{list} field which has
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{outlen} elements.  The \textit{inlen} field will be updated with the length of the decoded data type, as well as the respective entry in the \textit{list} field
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill have the \textit{used} flag set to non--zero to reflect it was the data type decoded.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ASN.1 Flexi Decoder}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ASN.1 \textit{flexi} decoder allows the developer to decode arbitrary ASN.1 DER packets (provided they use data types LibTomCrypt supports) without first knowing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe structure of the data.  Where der\_decode \_sequence() requires the developer to specify the data types to decode in advance the flexi decoder is entirely
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfree form.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe flexi decoder uses the same \textit{ltc\_asn1\_list} but instead of being stored in an array it uses the linked list pointers \textit{prev}, \textit{next}, \textit{parent}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand \textit{child}.  The list works as a \textit{doubly-linked list} structure where decoded items at the same level are siblings (using next and prev) and items
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectencoded in a SEQUENCE are stored as a child element.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen a SEQUENCE or SET has been encountered a SEQUENCE (or SET resp.) item will be added as a sibling (e.g. list.type == LTC\_ASN1\_SEQUENCE) and the child
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpointer points to a new list of items contained within the object.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_decode\_sequence\_flexi()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint  der_decode_sequence_flexi(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                     unsigned long *inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                    ltc_asn1_list **out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will decode items in the \textit{in} buffer of max input length \textit{inlen} and store the newly created pointer to the list in \textit{out}.  This function allocates
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectall required memory for the decoding.  It stores the number of octets read back into \textit{inlen}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe function will terminate when either it hits an invalid ASN.1 tag, or it reads \textit{inlen} octets.  An early termination is a soft error, and returns
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnormally.  The decoded list \textit{out} will point to the very first element of the list (e.g. both parent and prev pointers will be \textbf{NULL}).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn invalid decoding will terminate the process, and free the allocated memory automatically.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{Note:} the list decoded by this function is \textbf{NOT} in the correct form for der\_encode\_sequence() to use directly.  You will have to first
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthave to convert the list by first storing all of the siblings in an array then storing all the children as sub-lists of a sequence using the \textit{.data}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpointer.  Currently no function in LibTomCrypt provides this ability.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Sample Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSuppose we decode the following structure:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectUser ::= SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   Name        IA5 STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   LoginToken  SEQUENCE {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      passwdHash   OCTET STRING
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      pubkey       ECCPublicKey
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   LastOn      UTCTIME
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{flushleft}and we decoded it with the following code:\end{flushleft}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned char inbuf[MAXSIZE];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectunsigned long inbuflen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectltc_asn1_list *list;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint           err;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* somehow fill inbuf/inbuflen */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif ((err = der_decode_sequence_flexi(inbuf, inbuflen, &list)) != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   printf("Error decoding: %s\n", error_to_string(err));
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   exit(EXIT_FAILURE);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAt this point \textit{list} would point to the SEQUENCE identified by \textit{User}.  It would have no sibblings (prev or next), and only a child node.  Walking to the child
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnode with the following code will bring us to the \textit{Name} portion of the SEQUENCE:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlist = list->child;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNow \textit{list} points to the \textit{Name} member (with the tag IA5 STRING).  The \textit{data}, \textit{size}, and \textit{type} members of \textit{list} should reflect
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat of an IA5 STRING.  The sibbling will now be the \textit{LoginToken} SEQUENCE.  The sibbling has a child node which points to the \textit{passwdHash} OCTET STRING.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWe can walk to this node with the following code:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* list already pointing to 'Name' */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlist = list->next->child;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAt this point, \textit{list} will point to the \textit{passwdHash} member of the innermost SEQUENCE.  This node has a sibbling, the \textit{pubkey} member of the SEQUENCE.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{LastOn} member of the SEQUENCE is a sibbling of the LoginToken node, if we wanted to walk there we would have to go up and over via:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlist = list->parent->next;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAt this point, we are pointing to the last node of the list.  Lists are terminated in all directions by a \textbf{NULL} pointer.  All nodes are doubly linked so that you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcan walk up and down the nodes without keeping pointers lying around.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Free'ing a Flexi List}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo free the list use the following function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{der\_sequence\_free()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectvoid der_sequence_free(ltc_asn1_list *in);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will free all of the memory allocated by der\_decode\_sequence\_flexi().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Password Based Cryptography}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{PKCS \#5}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{PKCS \#5}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn order to securely handle user passwords for the purposes of creating session keys and chaining IVs the PKCS \#5 was drafted.   PKCS \#5
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis made up of two algorithms, Algorithm One and Algorithm Two.  Algorithm One is the older fairly limited algorithm which has been implemented
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfor completeness.  Algorithm Two is a bit more modern and more flexible to work with.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Algorithm One}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAlgorithm One accepts as input a password, an 8--byte salt, and an iteration counter.  The iteration counter is meant to act as delay for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpeople trying to brute force guess the password.  The higher the iteration counter the longer the delay.  This algorithm also requires a hash
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectalgorithm and produces an output no longer than the output of the hash.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_5\_alg1()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_5_alg1(const unsigned char *password,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  password_len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *salt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                int  iteration_count,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long *outlen)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{password} is the user's password.  Since the algorithm allows binary passwords you must also specify the length in \textit{password\_len}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{salt} is a fixed size 8--byte array which should be random for each user and session.  The \textit{iteration\_count} is the delay desired
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton the password.  The \textit{hash\_idx} is the index of the hash you wish to use in the descriptor table.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe output of length up to \textit{outlen} is stored in \textit{out}.  If \textit{outlen} is initially larger than the size of the hash functions output
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit is set to the number of bytes stored.  If it is smaller than not all of the hash output is stored in \textit{out}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Algorithm Two}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAlgorithm Two is the recommended algorithm for this task.  It allows variable length salts, and can produce outputs larger than the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthash functions output.  As such, it can easily be used to derive session keys for ciphers and MACs as well initial vectors as required
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfrom a single password and invocation of this algorithm.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{pkcs\_5\_alg2()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint pkcs_5_alg2(const unsigned char *password,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  password_len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                const unsigned char *salt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long  salt_len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                int  iteration_count,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                int  hash_idx,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      unsigned long *outlen)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{alltt}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{password} is the users password.  Since the algorithm allows binary passwords you must also specify the length in \textit{password\_len}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{salt} is an array of size \textit{salt\_len}.  It should be random for each user and session.  The \textit{iteration\_count} is the delay desired
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton the password.  The \textit{hash\_idx} is the index of the hash you wish to use in the descriptor table.   The output of length up to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{outlen} is stored in \textit{out}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* demo to show how to make session state material
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project * from a password */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project#include <tomcrypt.h>
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint main(void)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project{
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned char password[100], salt[100],
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  cipher_key[16], cipher_iv[16],
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  mac_key[16], outbuf[48];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int           err, hash_idx;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long outlen, password_len, salt_len;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* register hash and get it's idx .... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* get users password and make up a salt ... */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* create the material (100 iterations in algorithm) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    outlen = sizeof(outbuf);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    if ((err = pkcs_5_alg2(password, password_len, salt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           salt_len, 100, hash_idx, outbuf,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           &outlen))
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       != CRYPT_OK) {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       /* error handle */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    }
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* now extract it */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    memcpy(cipher_key, outbuf, 16);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    memcpy(cipher_iv,  outbuf+16, 16);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    memcpy(mac_key,    outbuf+32, 16);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* use material (recall to store the salt in the output) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Miscellaneous}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Base64 Encoding and Decoding}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library provides functions to encode and decode a RFC 1521 base--64 coding scheme.  The characters used in the mappings are:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThose characters are supported in the 7-bit ASCII map, which means they can be used for transport over
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcommon e-mail, usenet and HTTP mediums.  The format of an encoded stream is just a literal sequence of ASCII characters
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhere a group of four represent 24-bits of input.  The first four chars of the encoders output is the length of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectoriginal input.  After the first four characters is the rest of the message.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOften, it is desirable to line wrap the output to fit nicely in an e-mail or usenet posting.  The decoder allows you to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectput any character (that is not in the above sequence) in between any character of the encoders output.  You may not however,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbreak up the first four characters.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo encode a binary string in base64 call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{base64\_encode()}  \index{base64\_decode()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint base64_encode(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{in} is the binary string and \textit{out} is where the ASCII output is placed.  You must set the value of \textit{outlen} prior
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto calling this function and it sets the length of the base64 output in \textit{outlen} when it is done.  To decode a base64
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstring call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint base64_decode(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Primality Testing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Primality Testing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library includes primality testing and random prime functions as well.  The primality tester will perform the test in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttwo phases.  First it will perform trial division by the first few primes.  Second it will perform eight rounds of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRabin-Miller primality testing algorithm.  If the candidate passes both phases it is declared prime otherwise it is declared
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcomposite.  No prime number will fail the two phases but composites can.  Each round of the Rabin-Miller algorithm reduces
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe probability of a pseudo-prime by $1 \over 4$ therefore after sixteen rounds the probability is no more than
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$\left ( { 1 \over 4 } \right )^{8} = 2^{-16}$.  In practice the probability of error is in fact much lower than that.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen making random primes the trial division step is in fact an optimized implementation of \textit{Implementation of Fast RSA Key Generation on Smart Cards}\footnote{Chenghuai Lu, Andre L. M. dos Santos and Francisco R. Pimentel}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn essence a table of machine-word sized residues are kept of a candidate modulo a set of primes.  When the candidate
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis rejected and ultimately incremented to test the next number the residues are updated without using multi-word precision
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmath operations.  As a result the routine can scan ahead to the next number required for testing with very little work
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinvolved.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the event that a composite did make it through it would most likely cause the the algorithm trying to use it to fail.  For
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinstance, in RSA two primes $p$ and $q$ are required.  The order of the multiplicative sub-group (modulo $pq$) is given
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectas $\phi(pq)$ or $(p - 1)(q - 1)$.  The decryption exponent $d$ is found as $de \equiv 1\mbox{ }(\mbox{mod } \phi(pq))$.  If either $p$ or $q$ is composite the value of $d$ will be incorrect and the user
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill not be able to sign or decrypt messages at all.  Suppose $p$ was prime and $q$ was composite this is just a variation of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe multi-prime RSA.  Suppose $q = rs$ for two primes $r$ and $s$ then $\phi(pq) = (p - 1)(r - 1)(s - 1)$ which clearly is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectnot equal to $(p - 1)(rs - 1)$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese are not technically part of the LibTomMath library but this is the best place to document them.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo test if a \textit{mp\_int} is prime call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint is_prime(mp_int *N, int *result);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis puts a one in \textit{result} if the number is probably prime, otherwise it places a zero in it.  It is assumed that if
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit returns an error that the value in \textit{result} is undefined.  To make
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta random prime call:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectint rand_prime(       mp_int *N,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               unsigned long len,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         int  wprng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhere \textit{len} is the size of the prime in bytes ($2 \le len \le 256$).  You can set \textit{len} to the negative size you want
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto get a prime of the form $p \equiv 3\mbox{ }(\mbox{mod } 4)$.  So if you want a 1024-bit prime of this sort pass
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textit{len = -128} to the function.  Upon success it will return {\bf CRYPT\_OK} and \textit{N} will contain an integer which
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis very likely prime.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Programming Guidelines}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Secure Pseudo Random Number Generators}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectProbably the single most vulnerable point of any cryptosystem is the PRNG.  Without one, generating and protecting secrets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwould be impossible.  The requirement that one be setup correctly is vitally important, and to address this point the library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdoes provide two RNG sources that will address the largest amount of end users as possible.  The \textit{sprng} PRNG provides an easy to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectaccess source of entropy for any application on a UNIX (and the like) or Windows computer.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectHowever, when the end user is not on one of these platforms, the application developer must address the issue of finding
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectentropy.  This manual is not designed to be a text on cryptography.  I would just like to highlight that when you design
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecta cryptosystem make sure the first problem you solve is getting a fresh source of entropy.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Preventing Trivial Errors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTwo simple ways to prevent trivial errors is to prevent overflows, and to check the return values.  All of the functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhich output variable length strings will require you to pass the length of the destination.  If the size of your output
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbuffer is smaller than the output it will report an error.  Therefore, make sure the size you pass is correct!
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAlso, virtually all of the functions return an error code or {\bf CRYPT\_OK}.  You should detect all errors, as simple
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypos can cause algorithms to fail to work as desired.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Registering Your Algorithms}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo avoid linking and other run--time errors it is important to register the ciphers, hashes and PRNGs you intend to use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbefore you try to use them.  This includes any function which would use an algorithm indirectly through a descriptor table.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA neat bonus to the registry system is that you can add external algorithms that are not part of the library without
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecthaving to hack the library.  For example, suppose you have a hardware specific PRNG on your system.  You could easily
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwrite the few functions required plus a descriptor.  After registering your PRNG, all of the library functions that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectneed a PRNG can instantly take advantage of it.  The same applies for ciphers, hashes, and bignum math routines.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Key Sizes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Symmetric Ciphers}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectFor symmetric ciphers, use as large as of a key as possible.  For the most part \textit{bits are cheap} so using a 256--bit key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis not a hard thing to do.  As a good rule of thumb do not use a key smaller than 128 bits.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Asymmetric Ciphers}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe following chart gives the work factor for solving a DH/RSA public key using the NFS.  The work factor for a key of order
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$n$ is estimated to be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecte^{1.923 \cdot ln(n)^{1 \over 3} \cdot ln(ln(n))^{2 \over 3}}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{equation}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that $n$ is not the bit-length but the magnitude.  For example, for a 1024-bit key $n = 2^{1024}$.  The work required
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline RSA/DH Key Size (bits) & Work Factor ($log_2$) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 512 & 63.92 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 768 & 76.50 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 1024 & 86.76 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 1536 & 103.37 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 2048 & 116.88 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 2560 & 128.47 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 3072 & 138.73 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 4096 & 156.49 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{RSA/DH Key Strength}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe work factor for ECC keys is much higher since the best attack is still fully exponential.  Given a key of magnitude
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project$n$ it requires $\sqrt n$ work.  The following table summarizes the work required:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{figure}[here]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline ECC Key Size (bits) & Work Factor ($log_2$) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 112 & 56 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 128 & 64 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 160 & 80 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 192 & 96  \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 224 & 112 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 256 & 128 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 384 & 192 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline 521 & 260.5 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\caption{ECC Key Strength}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{figure}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectUsing the above tables the following suggestions for key sizes seems appropriate:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|c|c|c|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline Security Goal & RSA/DH Key Size (bits) & ECC Key Size (bits) \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline Near term   & 1024 & 160 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline Short term  & 1536 & 192 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline Long Term   & 2560 & 384 \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    \hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Thread Safety}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library is not fully thread safe but several simple precautions can be taken to avoid any problems.  The registry functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsuch as register\_cipher() are not thread safe no matter what you do.  It is best to call them from your programs initialization
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcode before threads are initiated.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe rest of the code uses state variables you must pass it such as hash\_state, hmac\_state, etc.  This means that if each
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthread has its own state variables then they will not affect each other, and are fully thread safe.  This is fairly simple with symmetric ciphers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand hashes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LTC\_PTHREAD}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe only sticky issue is a shared PRNG which can be alleviated with the careful use of mutex devices.  Defining LTC\_PTHREAD for instance, enables
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpthreads based mutex locking in various routines such as the Yarrow and Fortuna PRNGs, the fixed point ECC multiplier, and other routines.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Configuring and Building the Library}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library is fairly flexible about how it can be built, used, and generally distributed.  Additions are being made with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecteach new release that will make the library even more flexible.  Each of the classes of functions can be disabled during
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe build process to make a smaller library.  This is particularly useful for shared libraries.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAs of v1.06 of the library, the build process has been moved to two steps for the typical LibTomCrypt application.  This is because
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt no longer provides a math API on its own and relies on third party libraries (such as LibTomMath, GnuMP, or TomsFastMath).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe build process now consists of installing a math library first, and then building and installing LibTomCrypt with a math library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectconfigured.  Note that LibTomCrypt can be built with no internal math descriptors.  This means that one must be provided at either
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbuild, or run time for the application.  LibTomCrypt comes with three math descriptors that provide a standard interface to math
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlibraries.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Makefile variables}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll GNU driven makefiles (including the makefile for ICC) use a set of common variables to control the build and install process.  Most of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsettings can be overwritten from the command line which makes custom installation a breeze.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{MAKE}\index{CC}\index{AR}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{MAKE, CC and AR}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe MAKE, CC and AR flags can all be overwritten.  They default to \textit{make}, \textit{\$CC} and \textit{\$AR} respectively.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectChanging MAKE allows you to change what program will be invoked to handle sub--directories. For example, this
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectMAKE=gmake gmake install
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{flushleft} will build and install the libraries with the \textit{gmake} tool.  Similarly, \end{flushleft}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCC=arm-gcc AR=arm-ar make
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{flushleft} will build the library using \textit{arm--gcc} as the compiler and \textit{arm--ar} as the archiver. \end{flushleft}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{IGNORE\_SPEED}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{IGNORE\_SPEED}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen \textbf{IGNORE\_SPEED} has been defined the default optimization flags for CFLAGS will be disabled which allows the developer to specify new
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS on the command line.  E.g. to add debugging
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-g3" make IGNORE_SPEED=1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will turn off optimizations and add \textit{-g3} to the CFLAGS which enables debugging.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LIBNAME and LIBNAME\_S}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LIBNAME} \index{LIBNAME\_S}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{LIBNAME} is the name of the output library (archive) to create.  It defaults to \textit{libtomcrypt.a} for static builds and \textit{libtomcrypt.la} for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectshared.  The \textbf{LIBNAME\_S} variable is the static name while doing shared builds.  Ideally they should have the same prefix but don't have to.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LIBTEST} \index{LIBTEST\_S}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSimilarly \textbf{LIBTEST} and \textbf{LIBTEST\_S} are the names for the profiling and testing library.  The default is \textit{libtomcrypt\_prof.a} for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstatic and \textit{libtomcrypt\_prof.la} for shared.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Installation Directories}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{DESTDIR} \index{LIBPATH} \index{INCPATH} \index{DATADIR}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{DESTDIR} is the prefix for the installation directories.  It defaults to an empty string.  \textbf{LIBPATH} is the prefix for the library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdirectory which defaults to \textit{/usr/lib}.  \textbf{INCPATH} is the prefix for the header file directory which defaults to \textit{/usr/include}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{DATADIR} is the prefix for the data (documentation) directory which defaults to \textit{/usr/share/doc/libtomcrypt/pdf}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll four can be used to create custom install locations depending on the nature of the OS and file system in use.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmake LIBPATH=/home/tom/project/lib INCPATH=/home/tom/project/include \
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     DATAPATH=/home/tom/project/docs install
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will build the library and install it to the directories under \textit{/home/tom/project/}.  e.g.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/home/tom/project/:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttotal 1
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdrwxr-xr-x  2 tom users  80 Jul 30 16:02 docs
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdrwxr-xr-x  2 tom users 528 Jul 30 16:02 include
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdrwxr-xr-x  2 tom users  80 Jul 30 16:02 lib
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/home/tom/project/docs:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttotal 452
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 459009 Jul 30 16:02 crypt.pdf
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/home/tom/project/include:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttotal 132
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  2482 Jul 30 16:02 tomcrypt.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users   702 Jul 30 16:02 tomcrypt_argchk.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  2945 Jul 30 16:02 tomcrypt_cfg.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 22763 Jul 30 16:02 tomcrypt_cipher.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  5174 Jul 30 16:02 tomcrypt_custom.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 11314 Jul 30 16:02 tomcrypt_hash.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 11571 Jul 30 16:02 tomcrypt_mac.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 13614 Jul 30 16:02 tomcrypt_macros.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 14714 Jul 30 16:02 tomcrypt_math.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users   632 Jul 30 16:02 tomcrypt_misc.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 10934 Jul 30 16:02 tomcrypt_pk.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  2634 Jul 30 16:02 tomcrypt_pkcs.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  7067 Jul 30 16:02 tomcrypt_prng.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users  1467 Jul 30 16:02 tomcrypt_test.h
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/home/tom/project/lib:
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttotal 1073
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project-rwxr-xr-x  1 tom users 1096284 Jul 30 16:02 libtomcrypt.a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Extra libraries}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{EXTRALIBS}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{EXTRALIBS} specifies any extra libraries required to link the test programs and shared libraries.  They are specified in the notation
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat GCC expects for global archives.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DTFM_DESC -DUSE_TFM" EXTRALIBS=-ltfm make install \
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                                   test timing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will install the library using the TomsFastMath library and link the \textit{libtfm.a} library out of the default library search path.  The two
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdefines are explained below.  You can specify multiple archives (say if you want to support two math libraries, or add on additional code) to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe \textbf{EXTRALIBS} variable by separating them by a space.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that \textbf{EXTRALIBS} is not required if you are only making and installing the static library but none of the test programs.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Building a Static Library}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectBuilding a static library is fairly trivial as it only requires one invocation of the GNU make command.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DTFM_DESC" make install
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThat will build LibTomCrypt (including the TomsFastMath descriptor), and install it in the default locations indicated previously.  You can enable
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe built--in LibTomMath descriptor as well (or in place of the TomsFastMath descriptor).  Similarly, you can build the library with no built--in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmath descriptors.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmake install
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn this case, no math descriptors are present in the library and they will have to be made available at build or run time before you can use any of the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpublic key functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that even if you include the built--in descriptors you must link against the source library as well.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectgcc -DTFM_DESC myprogram.c -ltomcrypt -ltfm -o myprogram
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will compile \textit{myprogram} and link it against the LibTomCrypt library as well as TomsFastMath (which must have been previously installed).  Note that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwe define \textbf{TFM\_DESC} for compilation.  This is so that the TFM descriptor symbol will be defined for the client application to make use of without
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectgiving warnings.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Building a Shared Library}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectLibTomCrypt can also be built as a shared library through the \textit{makefile.shared} make script.  It is similar to use as the static script except
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthat you \textbf{must} specify the \textbf{EXTRALIBS} variable at install time.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DTFM_DESC" EXTRALIBS=-ltfm make -f makefile.shared install
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will build and install the library and link the shared object against the TomsFastMath library (which must be installed as a shared object as well).  The
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectshared build process requires libtool to be installed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Header Configuration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe file \textit{tomcrypt\_cfg.h} is what lets you control various high level macros which control the behaviour of the library.  Build options are also
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstored in \textit{tomcrypt\_custom.h} which allow the enabling and disabling of various algorithms.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{ARGTYPE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis lets you control how the LTC\_ARGCHK macro will behave.  The macro is used to check pointers inside the functions against
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNULL.  There are four settings for ARGTYPE.  When set to 0, it will have the default behaviour of printing a message to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstderr and raising a SIGABRT signal.  This is provided so all platforms that use LibTomCrypt can have an error that functions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectsimilarly.  When set to 1, it will simply pass on to the assert() macro.  When set to 2, the macro will display the error to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstderr then return execution to the caller.  This could lead to a segmentation fault (e.g. when a pointer is \textbf{NULL}) but is useful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif you handle signals on your own.  When set to 3, it will resolve to a empty macro and no error checking will be performed.  Finally, when set
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto 4, it will return CRYPT\_INVALID\_ARG to the caller.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Endianess}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are five macros related to endianess issues.  For little endian platforms define, \textbf{ENDIAN\_LITTLE}.  For big endian
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectplatforms define \textbf{ENDIAN\_BIG}.  Similarly when the default word size of an \textit{unsigned long} is 32-bits define \textbf{ENDIAN\_32BITWORD}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projector define \textbf{ENDIAN\_64BITWORD} when its 64-bits.  If you do not define any of them the library will automatically use \textbf{ENDIAN\_NEUTRAL}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhich will work on all platforms.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCurrently LibTomCrypt will detect x86-32, x86-64, MIPS R5900, SPARC and SPARC64 running GCC as well as x86-32 running MSVC.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{The Configure Script}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are also options you can specify from the \textit{tomcrypt\_custom.h} header file.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{X memory routines}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{XMALLOC}\index{XCALLOC}\index{XREALLOC}\index{XFREE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAt the top of tomcrypt\_custom.h are a series of macros denoted as XMALLOC, XCALLOC, XREALLOC, XFREE, and so on.  They resolve to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe name of the respective functions from the standard C library by default.  This lets you substitute in your own memory routines.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf you substitute in your own functions they must behave like the standard C library functions in terms of what they expect as input and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectoutput.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese macros are handy for working with platforms which do not have a standard C library.  For instance, the OLPC\footnote{See http://dev.laptop.org/git?p=bios-crypto;a=summary}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbios code uses these macros to redirect to very compact heap and string operations.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{X clock routines}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe rng\_get\_bytes() function can call a function that requires the clock() function.  These macros let you override
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe default clock() used with a replacement.  By default the standard C library clock() function is used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_NO\_FILE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectDuring the build if LTC\_NO\_FILE is defined then any function in the library that uses file I/O will not call the file I/O
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunctions and instead simply return CRYPT\_NOP.  This should help resolve any linker errors stemming from a lack of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfile I/O on embedded platforms.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_CLEAN\_STACK}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this functions is defined the functions that store key material on the stack will clean up afterwards.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAssumes that you have no memory paging with the stack.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_TEST}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this has been defined the various self--test functions (for ciphers, hashes, prngs, etc) are included in the build.  This is the default configuration.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf LTC\_NO\_TEST has been defined, the testing routines will be compacted and only return CRYPT\_NOP.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_NO\_FAST}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this has been defined the library will not use faster word oriented operations.  By default, they are only enabled for platforms
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhich can be auto-detected.  This macro ensures that they are never enabled.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_FAST}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis mode (auto-detected with x86\_32,x86\_64 platforms with GCC or MSVC) configures various routines such as ctr\_encrypt() or
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcbc\_encrypt() that it can safely XOR multiple octets in one step by using a larger data type.  This has the benefit of
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcutting down the overhead of the respective functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis mode does have one downside.  It can cause unaligned reads from memory if you are not careful with the functions.  This is why
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit has been enabled by default only for the x86 class of processors where unaligned accesses are allowed.  Technically LTC\_FAST
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectis not \textit{portable} since unaligned accesses are not covered by the ISO C specifications.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn practice however, you can use it on pretty much any platform (even MIPS) with care.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectBy design the \textit{fast} mode functions won't get unaligned on their own.  For instance, if you call ctr\_encrypt() right after calling
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectctr\_start() and all the inputs you gave are aligned than ctr\_encrypt() will perform aligned memory operations only.  However, if you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcall ctr\_encrypt() with an odd amount of plaintext then call it again the CTR pad (the IV) will be partially used.  This will
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcause the ctr routine to first use up the remaining pad bytes.  Then if there are enough plaintext bytes left it will use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhole word XOR operations.  These operations will be unaligned.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe simplest precaution is to make sure you process all data in power of two blocks and handle \textit{remainder} at the end.  e.g. If you are
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCTR'ing a long stream process it in blocks of (say) four kilobytes and handle any remaining incomplete blocks at the end of the stream.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{LTC\_FAST\_TYPE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIf you do plan on using the \textit{LTC\_FAST} mode you have to also define a \textit{LTC\_FAST\_TYPE} macro which resolves to an optimal sized
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdata type you can perform integer operations with.  Ideally it should be four or eight bytes since it must properly divide the size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof your block cipher (e.g. 16 bytes for AES).  This means sadly if you're on a platform with 57--bit words (or something) you can't
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectuse this mode.  So sad.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_NO\_ASM}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this has been defined the library will not use any inline assembler.  Only a few platforms support assembler inlines but various versions of ICC and GCC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcannot handle all of the assembler functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Symmetric Ciphers, One-way Hashes, PRNGS and Public Key Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThere are a plethora of macros for the ciphers, hashes, PRNGs and public key functions which are fairly
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectself-explanatory.  When they are defined the functionality is included otherwise it is not.  There are some
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdependency issues which are noted in the file.  For instance, Yarrow requires CTR chaining mode, a block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcipher and a hash function.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAlso see technical note number five for more details.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_EASY}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen defined the library is configured to build fewer algorithms and modes.  Mostly it sticks to NIST and ANSI approved algorithms.  See
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe header file \textit{tomcrypt\_custom.h} for more details.  It is meant to provide literally an easy method of trimming the library
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbuild to the most minimum of useful functionality.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{TWOFISH\_SMALL and TWOFISH\_TABLES}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTwofish is a 128-bit symmetric block cipher that is provided within the library.  The cipher itself is flexible enough
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto allow some trade-offs in the implementation.  When TWOFISH\_SMALL is defined the scheduled symmetric key for Twofish
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrequires only 200 bytes of memory.  This is achieved by not pre-computing the substitution boxes.  Having this
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdefined will also greatly slow down the cipher.  When this macro is not defined Twofish will pre-compute the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttables at a cost of 4KB of memory.  The cipher will be much faster as a result.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen TWOFISH\_TABLES is defined the cipher will use pre-computed (and fixed in code) tables required to work.  This is
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectuseful when TWOFISH\_SMALL is defined as the table values are computed on the fly.  When this is defined the code size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwill increase by approximately 500 bytes.  If this is defined but TWOFISH\_SMALL is not the cipher will still work but
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit will not speed up the encryption or decryption functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{GCM\_TABLES}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen defined GCM will use a 64KB table (per GCM state) which will greatly speed up the per--packet latency.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIt also increases the initialization time and is not suitable when you are going to use a key a few times only.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{GCM\_TABLES\_SSE2}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{SSE2}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen defined GCM will use the SSE2 instructions to perform the $GF(2^x)$ multiply using 16 128--bit XOR operations.  It shaves a few cycles per byte
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectof GCM output on both the AMD64 and Intel Pentium 4 platforms.  Requires GCC and an SSE2 equipped platform.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_SMALL\_CODE}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this is defined some of the code such as the Rijndael and SAFER+ ciphers are replaced with smaller code variants.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese variants are slower but can save quite a bit of code space.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_PTHREAD}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this is activated all of the descriptor table functions will use pthread locking to ensure thread safe updates to the tables.  Note that
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit doesn't prevent a thread that is passively using a table from being messed up by another thread that updates the table.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectGenerally the rule of thumb is to setup the tables once at startup and then leave them be.  This added build flag simply makes updating
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe tables safer.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{LTC\_ECC\_TIMING\_RESISTANT}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen this has been defined the ECC point multiplier (built--in to the library) will use a timing resistant point multiplication
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectalgorithm which prevents leaking key bits of the private key (scalar).  It is a slower algorithm but useful for situations
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectwhere timing side channels pose a significant threat.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Math Descriptors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library comes with three math descriptors that allow you to interface the public key cryptography API to freely available math
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlibraries.  When \textbf{GMP\_DESC}, \textbf{LTM\_DESC}, or \textbf{TFM\_DESC} are defined
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdescriptors for the respective library are built and included in the library as \textit{gmp\_desc}, \textit{ltm\_desc}, or \textit{tfm\_desc} respectively.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectIn the test demos that use the libraries the additional flags \textbf{USE\_GMP}, \textbf{USE\_LTM}, and \textbf{USE\_TFM} can be defined
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto tell the program which library to use.  Only one of the USE flags can be defined at once.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{GMP\_DESC} \index{USE\_GMP} \index{LTM\_DESC} \index{TFM\_DESC} \index{USE\_LTM} \index{USE\_TFM}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectCFLAGS="-DGMP_DESC -DLTM_DESC -DTFM_DESC -DUSE_TFM" \
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectEXTRALIBS="-lgmp -ltommath -ltfm" make -f makefile.shared install timing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThat will build and install the library with all descriptors (and link against all), but only use TomsFastMath in the timing demo.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\chapter{Optimizations}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Introduction}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe entire API was designed with plug and play in mind at the low level.  That is you can swap out any cipher, hash, PRNG or bignum library and the dependent API will not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectrequire updating.  This has the nice benefit that one can add ciphers (etc.) not have to re--write portions of the API.  For the most part, LibTomCrypt has also been written
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto be highly portable and easy to build out of the box on pretty much any platform.  As such there are no assembler inlines throughout the code, I make no assumptions
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectabout the platform, etc...
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThat works well for most cases but there are times where performance is of the essence.  This API allows optimized routines to be dropped in--place of the existing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectportable routines.  For instance, hand optimized assembler versions of AES could be provided.  Any existing function that uses the cipher could automatically use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe optimized code without re--writing.  This also paves the way for hardware drivers that can access hardware accelerated cryptographic devices.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAt the heart of this flexibility is the \textit{descriptor} system.  A descriptor is essentially just a C \textit{struct} which describes the algorithm and provides pointers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto functions that do the required work.  For a given class of operation (e.g. cipher, hash, prng, bignum) the functions of a descriptor have identical prototypes which makes
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectdevelopment simple.  In most dependent routines all an end developer has to do is register\_XXX() the descriptor and they are set.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Ciphers}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ciphers in LibTomCrypt are accessed through the ltc\_cipher\_descriptor structure.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\label{sec:cipherdesc}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct ltc_cipher_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** name of cipher */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** internal ID */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned char ID;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** min keysize (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int  min_key_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** max keysize (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        max_key_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** block size (octets) */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        block_length,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** default number of rounds */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        default_rounds;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Setup the cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param key         The input symmetric key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param keylen      The length of the input key (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param num_rounds  The requested number of rounds (0==default)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param skey        [out] The destination of the scheduled key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int  (*setup)(const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 int  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                 int  num_rounds,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Encrypt a block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param pt      The plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param ct      [out] The ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param skey    The scheduled key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecb_encrypt)(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Decrypt a block
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param ct      The ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param pt      [out] The plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param skey    The scheduled key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecb_decrypt)(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Test the block cipher
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               CRYPT_NOP if self-testing has been disabled
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*test)(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Terminate the context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param skey    The scheduled key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   void (*done)(symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Determine a key size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keysize    [in/out] The size of the key desired
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  The suggested size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int  (*keysize)(int *keysize);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/** Accelerators **/
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated ECB encryption
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_ecb_encrypt)(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated ECB decryption
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_ecb_decrypt)(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated CBC encryption
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV      The initial value (input/output)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_cbc_encrypt)(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated CBC decryption
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV      The initial value (input/output)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_cbc_decrypt)(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated CTR encryption
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV      The initial value (input/output)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param mode    little or big endian counter (mode=0 or mode=1)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_ctr_encrypt)(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                            int  mode,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated LRW
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV      The initial value (input/output)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param tweak   The LRW tweak
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_lrw_encrypt)(const unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            const unsigned char *tweak,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated LRW
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct      Ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt      Plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param blocks  The number of complete blocks to process
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV      The initial value (input/output)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param tweak   The LRW tweak
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param skey    The scheduled key context
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_lrw_decrypt)(const unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *pt,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned long  blocks,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  unsigned char *IV,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            const unsigned char *tweak,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  symmetric_key *skey);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated CCM packet (one-shot)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key        The secret key to use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keylen     The length of the secret key (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param uskey      A previously scheduled key [can be NULL]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param nonce      The session nonce [use once]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param noncelen   The length of the nonce
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param header     The header for the session
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param headerlen  The length of the header (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt         [out] The plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ptlen      The length of the plaintext (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct         [out] The ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param tag        [out] The destination tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param taglen     [in/out] The max size and resulting size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                  of the authentication tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param direction  Encrypt or Decrypt direction (0 or 1)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_ccm_memory)(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       symmetric_key       *uskey,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *nonce,  unsigned long noncelen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *header, unsigned long headerlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *pt,     unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *tag,    unsigned long *taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       int  direction);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated GCM packet (one shot)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key        The secret key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keylen     The length of the secret key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IV         The initial vector
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param IVlen      The length of the initial vector
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param adata      The additional authentication data (header)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param adatalen   The length of the adata
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param pt         The plaintext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ptlen      The length of the plaintext/ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param ct         The ciphertext
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param tag        [out] The MAC tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param taglen     [in/out] The MAC tag length
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param direction  Encrypt or Decrypt mode (GCM_ENCRYPT or GCM_DECRYPT)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*accel_gcm_memory)(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *key,    unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *IV,     unsigned long IVlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *adata,  unsigned long adatalen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *pt,     unsigned long ptlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *ct,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *tag,    unsigned long *taglen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       int direction);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated one shot OMAC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key            The secret key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keylen         The key length (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param in             The message
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param inlen          Length of message (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param out            [out] Destination for tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param outlen         [in/out] Initial and final size of out
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*omac_memory)(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *key, unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *in,  unsigned long inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated one shot XCBC
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key            The secret key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keylen         The key length (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param in             The message
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param inlen          Length of message (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param out            [out] Destination for tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param outlen         [in/out] Initial and final size of out
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*xcbc_memory)(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *key, unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *in,  unsigned long inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Accelerated one shot F9
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key            The secret key
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param keylen         The key length (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param in             The message
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param inlen          Length of message (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param out            [out] Destination for tag
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param outlen         [in/out] Initial and final size of out
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @remark Requires manual padding
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*f9_memory)(
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *key, unsigned long keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       const unsigned char *in,  unsigned long inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             unsigned char *out, unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Name}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{find\_cipher()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{name} parameter specifies the name of the cipher.  This is what a developer would pass to find\_cipher() to find the cipher in the descriptor
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttables.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Internal ID}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis is a single byte Internal ID you can use to distinguish ciphers from each other.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Key Lengths}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe minimum key length is \textit{min\_key\_length} and is measured in octets.  Similarly the maximum key length is \textit{max\_key\_length}.  They can be equal
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectand both must valid key sizes for the cipher.  Values in between are not assumed to be valid though they may be.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Block Length}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe size of the ciphers plaintext or ciphertext is \textit{block\_length} and is measured in octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Rounds}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSome ciphers allow different number of rounds to be used.  Usually you just use the default.  The default round count is \textit{default\_rounds}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Setup}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo initialize a cipher (for ECB mode) the function setup() was provided.  It accepts an array of key octets \textit{key} of length \textit{keylen} octets.  The user
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcan specify the number of rounds they want through \textit{num\_rounds} where $num\_rounds = 0$ means use the default.  The destination of a scheduled key is stored
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectin \textit{skey}.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectInside the \textit{symmetric\_key} union there is a \textit{void *data} which you can use to allocate data if you need a data structure that does not fit with the existing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectones provided.  Just make sure in your \textit{done()} function that you free the allocated memory.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Single block ECB}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo process a single block in ECB mode the ecb\_encrypt() and ecb\_decrypt() functions were provided.  The plaintext and ciphertext buffers are allowed to overlap so you
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmust make sure you do not overwrite the output before you are finished with the input.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Testing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe test() function is used to self--test the \textit{device}.  It takes no arguments and returns \textbf{CRYPT\_OK} if all is working properly.  You may return
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\textbf{CRYPT\_NOP} to indicate that no testing was performed.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Key Sizing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectOccasionally, a function will want to find a suitable key size to use since the input is oddly sized.  The keysize() function is for this case.  It accepts a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpointer to an integer which represents the desired size.  The function then has to match it to the exact or a lower key size that is valid for the cipher.  For
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectexample, if the input is $25$ and $24$ is valid then it stores $24$ back in the pointed to integer.  It must not round up and must return an error if the keysize
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project cannot be mapped to a valid key size for the cipher.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Acceleration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe next set of functions cover the accelerated functionality of the cipher descriptor.  Any combination of these functions may be set to \textbf{NULL} to indicate
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit is not supported.  In those cases the software defaults are used (using the single ECB block routines).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated ECB}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese two functions are meant for cases where a user wants to encrypt (in ECB mode no less) an array of blocks.  These functions are accessed
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthrough the accel\_ecb\_encrypt and accel\_ecb\_decrypt pointers.  The \textit{blocks} count is the number of complete blocks to process.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated CBC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese two functions are meant for accelerated CBC encryption.  These functions are accessed through the accel\_cbc\_encrypt and accel\_cbc\_decrypt pointers.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{blocks} value is the number of complete blocks to process.  The \textit{IV} is the CBC initial vector.  It is an input upon calling this function and must be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectupdated by the function before returning.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated CTR}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant for accelerated CTR encryption.  It is accessible through the accel\_ctr\_encrypt pointer.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{blocks} value is the number of complete blocks to process.  The \textit{IV} is the CTR counter vector.  It is an input upon calling this function and must be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectupdated by the function before returning.  The \textit{mode} value indicates whether the counter is big (mode = CTR\_COUNTER\_BIG\_ENDIAN) or
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectlittle (mode = CTR\_COUNTER\_LITTLE\_ENDIAN) endian.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function (and the way it's called) differs from the other two since ctr\_encrypt() allows any size input plaintext.  The accelerator will only be
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcalled if the following conditions are met.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item The accelerator is present
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item The CTR pad is empty
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   \item The remaining length of the input to process is greater than or equal to the block size.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{enumerate}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{CTR pad} is empty when a multiple (including zero) blocks of text have been processed.  That is, if you pass in seven bytes to AES--CTR mode you would have to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectpass in a minimum of nine extra bytes before the accelerator could be called.  The CTR accelerator must increment the counter (and store it back into the
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbuffer provided) before encrypting it to create the pad.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe accelerator will only be used to encrypt whole blocks.  Partial blocks are always handled in software.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated LRW}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThese functions are meant for accelerated LRW.  They process blocks of input in lengths of multiples of 16 octets.  They must accept the \textit{IV} and \textit{tweak}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstate variables and updated them prior to returning.  Note that you may want to disable \textbf{LRW\_TABLES} in \textit{tomcrypt\_custom.h} if you intend
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto use accelerators for LRW.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhile both encrypt and decrypt accelerators are not required it is suggested as it makes lrw\_setiv() more efficient.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectNote that calling lrw\_done() will only invoke the cipher\_descriptor[].done() function on the \textit{symmetric\_key} parameter of the LRW state.  That means
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif your device requires any (LRW specific) resources you should free them in your ciphers() done function.  The simplest way to think of it is to write
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe plugin solely to do LRW with the cipher.  That way cipher\_descriptor[].setup() means to init LRW resources and cipher\_descriptor[].done() means to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfree them.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated CCM}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant for accelerated CCM encryption or decryption.  It processes the entire packet in one call.  You can optimize the work flow somewhat
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectby allowing the caller to call the setup() function first to schedule the key if your accelerator cannot do the key schedule on the fly (for instance).  This
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfunction MUST support both key passing methods.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{tabular}{|r|r|l|}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline \textbf{key} & \textbf{uskey} & \textbf{Source of key} \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline NULL         & NULL           & Error, not supported \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline non-NULL     & NULL           & Use key, do a key schedule \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline NULL         & non-NULL       & Use uskey, key schedule not required \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline non-NULL     & non-NULL       & Use uskey, key schedule not required \\
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\hline
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{tabular}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{center}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ccm\_memory()} This function is called when the user calls ccm\_memory().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated GCM}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{gcm\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant for accelerated GCM encryption or decryption.  It processes the entire packet in one call.  Note that the setup() function will not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbe called prior to this.  This function must handle scheduling the key provided on its own.  It is called when the user calls gcm\_memory().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated OMAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{omac\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant to perform an optimized OMAC1 (CMAC) message authentication code computation when the user calls omac\_memory().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated XCBC-MAC}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{xcbc\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant to perform an optimized XCBC-MAC message authentication code computation when the user calls xcbc\_memory().
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Accelerated F9}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{f9\_memory()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function is meant to perform an optimized F9 message authentication code computation when the user calls f9\_memory().  Like f9\_memory(), it requires
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe caller to perform any 3GPP related padding before calling in order to ensure proper compliance with F9.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{One--Way Hashes}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe hash functions are accessed through the ltc\_hash\_descriptor structure.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct ltc_hash_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** name of hash */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** internal ID */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned char ID;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Size of digest in octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long hashsize;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Input block size in octets */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long blocksize;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** ASN.1 OID */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long OID[16];
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Length of DER encoding */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long OIDlen;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Init a hash state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param hash   The hash to initialize
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*init)(hash_state *hash);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Process a block of data
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param hash   The hash state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param in     The data to hash
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param inlen  The length of the data (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*process)(         hash_state *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long  inlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Produce the digest and store it
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param hash   The hash state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param out    [out] The destination of the digest
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*done)(   hash_state *hash,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                unsigned char *out);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Self-test
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK if successful,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project              CRYPT_NOP if self-tests have been disabled
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*test)(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /* accelerated hmac callback: if you need to-do
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       multiple packets just use the generic hmac_memory
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       and provide a hash callback
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  (*hmac_block)(const unsigned char *key,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long  keylen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long *outlen);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Name}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis is the name the hash is known by and what find\_hash() will look for.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Internal ID}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis is the internal ID byte used to distinguish the hash from other hashes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Digest Size}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{hashsize} variable indicates the length of the output in octets.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Block Size}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe \textit{blocksize} variable indicates the length of input (in octets) that the hash processes in a given
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectinvocation.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{OID Identifier}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis is the universal ASN.1 Object Identifier for the hash.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Initialization}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe init function initializes the hash and prepares it to process message bytes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Process}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis processes message bytes.  The algorithm must accept any length of input that the hash would allow.  The input is not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectguaranteed to be a multiple of the block size in length.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Done}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe done function terminates the hash and returns the message digest.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Acceleration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectA compatible accelerator must allow processing data in any granularity which may require internal padding on the driver side.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{HMAC Acceleration}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe hmac\_block() callback is meant for single--shot optimized HMAC implementations.  It is called directly by hmac\_memory() if present.  If you need
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto be able to process multiple blocks per MAC then you will have to simply provide a process() callback and use hmac\_memory() as provided in LibTomCrypt.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{Pseudo--Random Number Generators}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe pseudo--random number generators are accessible through the ltc\_prng\_descriptor structure.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectstruct ltc_prng_descriptor {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Name of the PRNG */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** size in bytes of exported state */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int  export_size;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Start a PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng   [out] The state to initialize
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*start)(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Add entropy to the PRNG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param in         The entropy
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param inlen      Length of the entropy (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng       The PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*add_entropy)(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                                prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Ready a PRNG state to read from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng       The PRNG state to ready
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*ready)(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Read from the PRNG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param out     [out] Where to store the data
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param outlen  Length of data desired (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng    The PRNG state to read from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return Number of octets read
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    unsigned long (*read)(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          unsigned long  outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Terminate a PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng   The PRNG state to terminate
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*done)(prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Export a PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param out     [out] The destination for the state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param outlen  [in/out] The max size and resulting size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng    The PRNG to export
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*pexport)(unsigned char *out,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                   unsigned long *outlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Import a PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param in      The data to import
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param inlen   The length of the data to import (octets)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @param prng    The PRNG to initialize/import
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*pimport)(const unsigned char *in,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         unsigned long  inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            prng_state *prng);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Self-test the PRNG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project        @return CRYPT_OK if successful,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                CRYPT_NOP if self-testing has been disabled
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*test)(void);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project};
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Name}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe name by which find\_prng() will find the PRNG.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Export Size}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectWhen an PRNG state is to be exported for future use you specify the space required in this variable.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Start}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectInitialize the PRNG and make it ready to accept entropy.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Entropy Addition}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAdd entropy to the PRNG state.  The exact behaviour of this function depends on the particulars of the PRNG.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Ready}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis function makes the PRNG ready to read from by processing the entropy added.  The behaviour of this function depends
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecton the specific PRNG used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Read}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectRead from the PRNG and return the number of bytes read.  This function does not have to fill the buffer but it is best
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectif it does as many protocols do not retry reads and will fail on the first try.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Done}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTerminate a PRNG state.  The behaviour of this function depends on the particular PRNG used.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Exporting and Importing}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAn exported PRNG state is data that the PRNG can later import to resume activity.  They're not meant to resume \textit{the same session}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectbut should at least maintain the same level of state entropy.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\mysection{BigNum Math Descriptors}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe library also makes use of the math descriptors to access math functions.  While bignum math libraries usually differ in implementation
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectit hasn't proven hard to write \textit{glue} to use math libraries so far.  The basic descriptor looks like.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/** math descriptor */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Name of the math provider */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   char *name;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Bits per digit, amount of bits must fit in an unsigned long */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int  bits_per_digit;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- init/deinit functions ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** initialize a bignum
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param   a     The number to initialize
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return  CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*init)(void **a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** init copy
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param  dst    The number to initialize and write to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param  src    The number to copy from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*init_copy)(void **dst, void *src);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** deinit
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param   a    The number to free
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   void (*deinit)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- data movement ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** copy
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param   src   The number to copy from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param   dst   The number to write to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*copy)(void *src, void *dst);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- trivial low level functions ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** set small constant
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param a    Number to write to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param n    Source upto bits_per_digit (meant for small constants)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*set_int)(void *a, unsigned long n);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** get small constant
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param a  Small number to read
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return   The lower bits_per_digit of the integer (unsigned)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long (*get_int)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** get digit n
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a  The number to read from
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param n  The number of the digit to fetch
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return  The bits_per_digit  sized n'th digit of a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long (*get_digit)(void *a, int n);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Get the number of digits that represent the number
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The number to count
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return The number of digits used to represent the number
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*get_digit_count)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** compare two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The left side integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The right side integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return LTC_MP_LT if a < b,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             LTC_MP_GT if a > b and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             LTC_MP_EQ otherwise.  (signed comparison)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*compare)(void *a, void *b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** compare against int
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The left side integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The right side integer (upto bits_per_digit)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return LTC_MP_LT if a < b,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             LTC_MP_GT if a > b and
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project             LTC_MP_EQ otherwise.  (signed comparison)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*compare_d)(void *a, unsigned long n);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Count the number of bits used to represent the integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The integer to count
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return The number of bits required to represent the integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*count_bits)(void * a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Count the number of LSB bits which are zero
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The integer to count
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return The number of contiguous zero LSB bits
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*count_lsb_bits)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Compute a power of two
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a  The integer to store the power in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param n  The power of two you want to store (a = 2^n)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*twoexpt)(void *a , int n);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- radix conversions ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** read ascii string
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a     The integer to store into
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param str   The string to read
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param radix The radix the integer has been represented in (2-64)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*read_radix)(void *a, const char *str, int radix);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** write number to string
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a     The integer to store
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param str   The destination for the string
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param radix The radix the integer is to be represented in (2-64)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*write_radix)(void *a, char *str, int radix);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** get size as unsigned char string
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a  The integer to get the size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return   The length of the integer in octets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   unsigned long (*unsigned_size)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** store an integer as an array of octets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param src   The integer to store
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param dst   The buffer to store the integer in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*unsigned_write)(void *src, unsigned char *dst);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** read an array of octets and store as integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param dst   The integer to load
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param src   The array of octets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param len   The number of octets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*unsigned_read)(         void *dst,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned char *src,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                        unsigned long  len);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- basic math ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** add two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a + b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*add)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** add two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               (single digit of upto bits_per_digit in length)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a + b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*addi)(void *a, unsigned long b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** subtract two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a - b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*sub)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** subtract two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                (single digit of upto bits_per_digit in length)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a - b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*subi)(void *a, unsigned long b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** multiply two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                (single digit of upto bits_per_digit in length)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a * b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*mul)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** multiply two integers
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a   The first source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b   The second source integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                (single digit of upto bits_per_digit in length)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c   The destination of "a * b"
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*muli)(void *a, unsigned long b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Square an integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a    The integer to square
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b    The destination
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*sqr)(void *a, void *b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Divide an integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param a    The dividend
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param b    The divisor
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param c    The quotient (can be NULL to signify don't care)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @param d    The remainder (can be NULL to signify don't care)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project     @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*div)(void *a, void *b, void *c, void *d);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** divide by two
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a   The integer to divide (shift right)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b   The destination
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*div_2)(void *a, void *b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Get remainder (small value)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a    The integer to reduce
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b    The modulus (upto bits_per_digit in length)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c    The destination for the residue
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*modi)(void *a, unsigned long b, unsigned long *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** gcd
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a     The first integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b     The second integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c     The destination for (a, b)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*gcd)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** lcm
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a     The first integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b     The second integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c     The destination for [a, b]
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*lcm)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Modular multiplication
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a     The first source
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b     The second source
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c     The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  d     The destination (a*b mod c)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*mulmod)(void *a, void *b, void *c, void *d);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Modular squaring
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a     The first source
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b     The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c     The destination (a*a mod b)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*sqrmod)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Modular inversion
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  a     The value to invert
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  b     The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param  c     The destination (1/a mod b)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*invmod)(void *, void *, void *);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- reduction ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** setup Montgomery
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a  The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param b  The destination for the reduction digit
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*montgomery_setup)(void *a, void **b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** get normalization value
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a   The destination for the normalization value
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param b   The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return  CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*montgomery_normalization)(void *a, void *b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** reduce a number
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a   The number [and dest] to reduce
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param b   The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param c   The value "b" from montgomery_setup()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*montgomery_reduce)(void *a, void *b, void *c);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** clean up  (frees memory)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a   The value "b" from montgomery_setup()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   void (*montgomery_deinit)(void *a);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- exponentiation ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Modular exponentiation
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a    The base integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param b    The power (can be negative) integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param c    The modulus integer
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param d    The destination
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*exptmod)(void *a, void *b, void *c, void *d);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Primality testing
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param a     The integer to test
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param b     The destination of the result (FP_YES if prime)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*isprime)(void *a, int *b);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ----  (optional) ecc point math ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** ECC GF(p) point multiplication (from the NIST curves)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param k   The integer to multiply the point by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param G   The point to multiply
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param R   The destination for kG
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param modulus  The modulus for the field
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param map Boolean indicated whether to map back to affine or not
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                  (can be ignored if you work in affine only)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecc_ptmul)(     void *k,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_point *G,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_point *R,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         void *modulus,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                          int  map);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** ECC GF(p) point addition
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param P    The first point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param Q    The second point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param R    The destination of P + Q
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param modulus  The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param mp   The "b" value from montgomery_setup()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecc_ptadd)(ecc_point *P,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_point *Q,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_point *R,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         void *modulus,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         void *mp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** ECC GF(p) point double
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param P    The first point
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param R    The destination of 2P
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param modulus  The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param mp   The "b" value from montgomery_setup()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecc_ptdbl)(ecc_point *P,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                    ecc_point *R,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         void *modulus,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         void *mp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** ECC mapping from projective to affine,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       currently uses (x,y,z) => (x/z^2, y/z^3, 1)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param P     The point to map
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param modulus The modulus
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param mp    The "b" value from montgomery_setup()
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @remark The mapping can be different but keep in mind a
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               ecc_point only has three integers (x,y,z) so if
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project               you use a different mapping you have to make it fit.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecc_map)(ecc_point *P, void *modulus, void *mp);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** Computes kA*A + kB*B = C using Shamir's Trick
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param A        First point to multiply
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param kA       What to multiple A by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param B        Second point to multiply
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param kB       What to multiple B by
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param C        [out] Destination point (can overlap with A or B)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param modulus  Modulus for curve
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*ecc_mul2add)(ecc_point *A, void *kA,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      ecc_point *B, void *kB,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      ecc_point *C,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                           void *modulus);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/* ---- (optional) rsa optimized math (for internal CRT) ---- */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** RSA Key Generation
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param prng     An active PRNG state
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param wprng    The index of the PRNG desired
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param size     The size of the key in octets
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param e        The "e" value (public key).
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       e==65537 is a good choice
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @param key      [out] Destination of a newly created private key pair
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project       @return CRYPT_OK if successful, upon error all allocated ram is freed
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int (*rsa_keygen)(prng_state *prng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  wprng,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                             int  size,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                            long  e,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                         rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   /** RSA exponentiation
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param in       The octet array representing the base
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param inlen    The length of the input
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param out      The destination (to be stored in an octet array format)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param outlen   The length of the output buffer and the resulting size
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                      (zero padded to the size of the modulus)
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param which    PK_PUBLIC for public RSA and PK_PRIVATE for private RSA
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @param key      The RSA key to use
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project      @return CRYPT_OK on success
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project   int (*rsa_me)(const unsigned char *in,   unsigned long inlen,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       unsigned char *out,  unsigned long *outlen, int which,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project                       rsa_key *key);
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} ltc_math_descriptor;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{small}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectMost of the functions are fairly straightforward and do not need documentation.  We'll cover the basic conventions of the API and then explain the accelerated functions.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{Conventions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll \textit{bignums} are accessed through an opaque \textit{void *} data type.  You must internally cast the pointer if you need to access members of your bignum structure.  During
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe init calls a \textit{void **} will be passed where you allocate your structure and set the pointer then initialize the number to zero.  During the deinit calls you must
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfree the bignum as well as the structure you allocated to place it in.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll functions except the Montgomery reductions work from left to right with the arguments.  For example, mul(a, b, c) computes $c \leftarrow ab$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll functions (except where noted otherwise) return \textbf{CRYPT\_OK} to signify a successful operation.  All error codes must be valid LibTomCrypt error codes.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe digit routines (including functions with the \textit{i} suffix) use a \textit{unsigned long} to represent the digit.  If your internal digit is larger than this you must
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthen partition your digits.  Normally this does not matter as \textit{unsigned long} will be the same size as your register size.  Note that if your digit is smaller
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthan an \textit{unsigned long} that is also acceptable as the \textit{bits\_per\_digit} parameter will specify this.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{ECC Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe ECC system in LibTomCrypt is based off of the NIST recommended curves over $GF(p)$ and is used to implement EC-DSA and EC-DH.   The ECC functions work with
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectthe \textbf{ecc\_point} structure and assume the points are stored in Jacobian projective format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/** A point on a ECC curve, stored in Jacobian format such
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    that (x,y,z) => (x/z^2, y/z^3, 1) when interpreted as affine */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The x co-ordinate */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *x;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The y co-ordinate */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *y;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The z co-ordinate */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *z;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} ecc_point;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectAll ECC functions must use this mapping system.  The only exception is when you remap all ECC callbacks which will allow you to have more control
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectover how the ECC math will be implemented.  Out of the box you only have three parameters per point to use $(x, y, z)$ however, these are just void pointers.  They
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectcould point to anything you want.  The only further exception is the export functions which expects the values to be in affine format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Point Multiply}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will multiply the point $G$ by the scalar $k$ and store the result in the point $R$.  The value should be mapped to affine only if $map$ is set to one.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Point Addition}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will add the point $P$ to the point $Q$ and store it in the point $R$.  The $mp$ parameter is the \textit{b} value from the montgomery\_setup() call.  The input points
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectmay be in either affine (with $z = 1$) or projective format and the output point is always projective.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Point Mapping}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThis will map the point $P$ back from projective to affine.  The output point $P$ must be of the form $(x, y, 1)$.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsubsection{Shamir's Trick}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{Shamir's Trick}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\index{ltc\_ecc\_mul2add()}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectTo accelerate EC--DSA verification the library provides a built--in function called ltc\_ecc\_mul2add().  This performs two point multiplications and an addition in
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectroughly the time of one point multiplication.  It is called from ecc\_verify\_hash() if an accelerator is not present.  The acclerator function must allow the points to
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectoverlap (e.g., $A \leftarrow k_1A + k_2B$) and must return the final point in affine format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\subsection{RSA Functions}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe RSA Modular Exponentiation (ME) function is used by the RSA API to perform exponentiations for private and public key operations.  In particular for
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectprivate key operations it uses the CRT approach to lower the time required.  It is passed an RSA key with the following format.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\begin{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project/** RSA PKCS style key */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projecttypedef struct Rsa_key {
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** Type of key, PK_PRIVATE or PK_PUBLIC */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    int type;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The public exponent */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *e;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The private exponent */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *d;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The modulus */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *N;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The p factor of N */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *p;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The q factor of N */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *q;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The 1/q mod p CRT param */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *qP;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The d mod (p - 1) CRT param */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *dP;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    /** The d mod (q - 1) CRT param */
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project    void *dQ;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project} rsa_key;
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{verbatim}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectThe call reads the \textit{in} buffer as an unsigned char array in big endian format.  Then it performs the exponentiation and stores the output in big endian format
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectto the \textit{out} buffer.  The output must be zero padded (leading bytes) so that the length of the output matches the length of the modulus (in bytes).  For example,
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Projectfor RSA--1024 the output is always 128 bytes regardless of how small the numerical value of the exponentiation is.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source ProjectSince the function is given the entire RSA key (for private keys only) CRT is possible as prescribed in the PKCS \#1 v2.1 specification.
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\newpage
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\markboth{Index}{Index}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\input{crypt.ind}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project\end{document}
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project% $Source: /cvs/libtom/libtomcrypt/crypt.tex,v $
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project% $Revision: 1.123 $
f7fc46c63fdc8f39234fea409b8dbe116d73ebf8The Android Open Source Project% $Date: 2006/12/16 19:08:17 $