diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..3dd7d1e --- /dev/null +++ b/AUTHORS @@ -0,0 +1,2 @@ +Open Source Maintainer: Constanza Heath +Author: Rafael Misoczki \ No newline at end of file diff --git a/Makefile b/Makefile index 8c7a8ee..2a86c57 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,9 @@ include config.mk all: $(MAKE) -C lib +ifeq ($(ENABLE_TESTS),true) $(MAKE) -C tests +endif clean: $(MAKE) -C lib clean diff --git a/VERSION b/VERSION index 3a4036f..53a75d6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.2.5 +0.2.6 diff --git a/config.mk b/config.mk index bea3800..9642066 100644 --- a/config.mk +++ b/config.mk @@ -9,6 +9,7 @@ CC:=gcc CFLAGS:=-Os -std=c99 -Wall -Wextra -D_ISOC99_SOURCE -MMD -I../lib/include/ -I../lib/source/ -I../tests/include/ vpath %.c ../lib/source/ +ENABLE_TESTS=true # override MinGW built-in recipe %.o: %.c @@ -18,4 +19,11 @@ ifeq ($(OS),Windows_NT) DOTEXE:=.exe endif +# DO NOT EDIT THIS: +ifeq ($(ENABLE_TESTS), true) +CFLAGS += -DENABLE_TESTS +else +CFLAGS += -DDISABLE_TESTS +endif + ################################################################################ diff --git a/documentation/tinycrypt.rst b/documentation/tinycrypt.rst index 426e0f4..2f55d73 100644 --- a/documentation/tinycrypt.rst +++ b/documentation/tinycrypt.rst @@ -132,6 +132,10 @@ Specific Remarks memory comparison function (such as compare_constant_time function provided in lib/utils.c). + * The tc_hmac_final function, responsible for computing the message tag, + cleans the state context before exiting. Thus, applications do not need to + clean the TCHmacState_t ctx after calling tc_hmac_final. + * HMAC-PRNG: * Before using HMAC-PRNG, you *must* find an entropy source to produce a seed. diff --git a/lib/include/tinycrypt/constants.h b/lib/include/tinycrypt/constants.h index 25f0361..1a7c9df 100644 --- a/lib/include/tinycrypt/constants.h +++ b/lib/include/tinycrypt/constants.h @@ -47,10 +47,6 @@ extern "C" { #define NULL ((void *)0) #endif -#ifndef bool -enum {false, true} bool; -#endif - #define TC_CRYPTO_SUCCESS 1 #define TC_CRYPTO_FAIL 0 diff --git a/lib/include/tinycrypt/ecc.h b/lib/include/tinycrypt/ecc.h index 7119475..74324f9 100644 --- a/lib/include/tinycrypt/ecc.h +++ b/lib/include/tinycrypt/ecc.h @@ -79,10 +79,12 @@ extern "C" { #endif +/* Word size (4 bytes considering 32-bits architectures) */ +#define WORD_SIZE 4 /* Number of words of 32 bits to represent an element of the the curve p-256: */ #define NUM_ECC_DIGITS 8 /* Number of bytes to represent an element of the the curve p-256: */ -#define NUM_ECC_BYTES (4*NUM_ECC_DIGITS) +#define NUM_ECC_BYTES (WORD_SIZE*NUM_ECC_DIGITS) /* struct to represent a point of the curve (uses X and Y coordinates): */ typedef struct EccPoint { @@ -218,6 +220,8 @@ void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left); * @param p_right IN -- buffer p_right in (p_left * p_right) % p_mod. * @param p_mod IN -- module. * @param p_barrett IN -- used for Barrett reduction. + * @note Side-channel countermeasure: algorithm strengthened against timing + * attack. */ void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, uint32_t *p_mod, uint32_t *p_barrett); @@ -229,10 +233,27 @@ void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right, * @param p_input IN -- buffer p_input in (1/p_intput) % p_mod. * @param p_mod IN -- module. * @param p_barrett IN -- used for Barrett reduction. + * @note Side-channel countermeasure: algorithm strengthened against timing + * attack. */ void vli_modInv(uint32_t *p_result, uint32_t *p_input, uint32_t *p_mod, uint32_t *p_barrett); +/* + * @brief modular reduction based on Barrett's method + * @param p_result OUT -- p_product % p_mod. + * @param p_product IN -- buffer p_product in (p_product % p_mod). + * @param p_mod IN -- buffer p_mod in (p_product % p_mod). + * @param p_barrett -- used for Barrett reduction. + * @note Side-channel countermeasure: algorithm strengthened against timing + * attack. + */ +void vli_mmod_barrett( + uint32_t *p_result, + uint32_t *p_product, + uint32_t *p_mod, + uint32_t *p_barrett); + /* * @brief Check if a point is zero. * @return Returns 1 if p_point is the point at infinity, 0 otherwise. @@ -271,10 +292,26 @@ void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2); * @param p_result OUT -- Product of p_point by p_scalar. * @param p_point IN -- Elliptic curve point * @param p_scalar IN -- Scalar integer + * @note Side-channel countermeasure: algorithm strengthened against timing + * attack. */ -void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, +void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar); +/* + * @brief Fast elliptic curve scalar multiplication with result in Jacobi + * coordinates + * @note non constant time + * @param p_result OUT -- Product of p_point by p_scalar. + * @param p_point IN -- Elliptic curve point + * @param p_scalar IN -- Scalar integer + * @note algorithm NOT strengthened against timing attack. + */ +void EccPoint_mult_unsafe( + EccPointJacobi *p_result, + EccPoint *p_point, + uint32_t *p_scalar); + /* * @brief Convert an integer in standard octet representation to native format. * @return returns TC_CRYPTO_SUCCESS (1) diff --git a/lib/include/tinycrypt/ecc_dh.h b/lib/include/tinycrypt/ecc_dh.h index b31477b..778fee2 100644 --- a/lib/include/tinycrypt/ecc_dh.h +++ b/lib/include/tinycrypt/ecc_dh.h @@ -80,7 +80,7 @@ extern "C" { /** * @brief Create a public/private key pair. - * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully + * @return returns TC_CRYPTO_SUCCESS (1) if key pair was generated successfully * returns TC_CRYPTO_FAIL (0) if: * the private key is 0 * @@ -90,13 +90,15 @@ extern "C" { * * @note You must use a new non-predictable random number to generate each * new key pair. + * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate + * bias in keys. * * @note side-channel countermeasure: algorithm strengthened against timing * attack. */ int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS], - uint32_t p_random[NUM_ECC_DIGITS]); + uint32_t p_random[2 * NUM_ECC_DIGITS]); /** * @brief Determine whether or not a given point is on the chosen elliptic curve @@ -106,7 +108,8 @@ int32_t ecc_make_key(EccPoint *p_publicKey, * returns -2 if: curve_p - p_publicKey->x != 1 or * curve_p - p_publicKey->y != 1 * returns -3 if: y^2 != x^3 + ax + b - + * returns -4 if: public key is the group generator + * * @param p_publicKey IN -- The point to be checked. */ int32_t ecc_valid_public_key(EccPoint *p_publicKey); @@ -114,7 +117,7 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey); /** * @brief Compute a shared secret given your secret key and someone else's * public key. - * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully + * @return returns TC_CRYPTO_SUCCESS (1) if the secret was computed successfully * returns TC_CRYPTO_FAIL (0) otherwise * * @param p_secret OUT -- The shared secret value. @@ -125,12 +128,9 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey); * attacks. The random multiplier should probably be different for each * invocation of ecdh_shared_secret(). * - * @note It is recommended that you hash the result of ecdh_shared_secret before - * using it for symmetric encryption or HMAC. If you do not hash the shared - * secret, you must call ecc_valid_public_key() to verify that the remote side's - * public key is valid. If this is not done, an attacker could create a public - * key that would cause your use of the shared secret to leak information about - * the private key. + * @warning It is recommended to use the output of ecdh_shared_secret() as the + * input of a recommended Key Derivation Function (see NIST SP 800-108) in + * order to produce a symmetric key. */ int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS]); diff --git a/lib/include/tinycrypt/hmac.h b/lib/include/tinycrypt/hmac.h index 41e712a..26f6cfe 100644 --- a/lib/include/tinycrypt/hmac.h +++ b/lib/include/tinycrypt/hmac.h @@ -125,6 +125,7 @@ int32_t tc_hmac_update(TCHmacState_t ctx, * ctx == NULL or * key == NULL or * taglen != TC_SHA256_DIGEST_SIZE + * @note 'ctx' is erased before exiting (this must never be changed/removed). * @note Assumes the tag bufer is at least sizeof(hmac_tag_size(state)) bytes * state has been initialized by tc_hmac_init * @param tag IN/OUT -- buffer to receive computed HMAC tag diff --git a/lib/source/ecc.c b/lib/source/ecc.c index 357139b..bfe6c5f 100644 --- a/lib/source/ecc.c +++ b/lib/source/ecc.c @@ -97,7 +97,9 @@ static void vli_clear(uint32_t *p_vli) } } -/* Returns nonzero if bit p_bit of p_vli is set. */ +/* Returns nonzero if bit p_bit of p_vli is set. + * It is assumed that the value provided in 'bit' is within + * the boundaries of the word-array 'p_vli'.*/ static uint32_t vli_testBit(uint32_t *p_vli, uint32_t p_bit) { return (p_vli[p_bit / 32] & (1 << (p_bit % 32))); @@ -235,7 +237,7 @@ static void vli_square(uint32_t *p_result, uint32_t *p_left) } /* Computes p_result = p_product % curve_p using Barrett reduction. */ -static void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product, +void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product, uint32_t *p_mod, uint32_t *p_barrett) { uint32_t i; @@ -547,7 +549,7 @@ void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2) * * p_result = p_scalar * p_point. */ -void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar) +void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar) { int32_t i; @@ -568,6 +570,25 @@ void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scal } } +/* Ellptic curve scalar multiplication with result in Jacobi coordinates */ +/* p_result = p_scalar * p_point */ +void EccPoint_mult_unsafe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar) +{ + int i; + EccPointJacobi p_point_jacobi; + EccPoint_fromAffine(p_result, p_point); + EccPoint_fromAffine(&p_point_jacobi, p_point); + + for(i = vli_numBits(p_scalar) - 2; i >= 0; i--) + { + EccPoint_double(p_result); + if (vli_testBit(p_scalar, i)) + { + EccPoint_add(p_result, &p_point_jacobi); + } + } +} + /* -------- Conversions between big endian and little endian: -------- */ void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS], diff --git a/lib/source/ecc_dh.c b/lib/source/ecc_dh.c index 965394b..c2ab414 100644 --- a/lib/source/ecc_dh.c +++ b/lib/source/ecc_dh.c @@ -35,31 +35,36 @@ extern uint32_t curve_p[NUM_ECC_DIGITS]; extern uint32_t curve_b[NUM_ECC_DIGITS]; extern uint32_t curve_n[NUM_ECC_DIGITS]; +extern uint32_t curve_pb[NUM_ECC_DIGITS + 1]; extern EccPoint curve_G; int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS], - uint32_t p_random[NUM_ECC_DIGITS]) + uint32_t p_random[NUM_ECC_DIGITS * 2]) { + // computing modular reduction of p_random (see FIPS 186.4 B.4.1): + vli_mmod_barrett(p_privateKey, p_random, curve_p, curve_pb); /* Make sure the private key is in the range [1, n-1]. * For the supported curve, n is always large enough * that we only need to subtract once at most. */ uint32_t p_tmp[NUM_ECC_DIGITS]; - - vli_set(p_privateKey, p_random); vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS); vli_cond_set(p_privateKey, p_privateKey, p_tmp, vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1); + /* erasing temporary buffer used to store secret: */ + for (uint32_t i = 0; i < NUM_ECC_DIGITS; i++) + p_tmp[i] = 0; + if (vli_isZero(p_privateKey)) { return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). */ } EccPointJacobi P; - EccPoint_mult(&P, &curve_G, p_privateKey); + EccPoint_mult_safe(&P, &curve_G, p_privateKey); EccPoint_toAffine(p_publicKey, &P); return TC_CRYPTO_SUCCESS; @@ -102,6 +107,10 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey) return -3; } + if (vli_cmp(p_publicKey->x, curve_G.x, NUM_ECC_DIGITS) == 0 && + vli_cmp(p_publicKey->y, curve_G.y, NUM_ECC_DIGITS) == 0 ) + return -4; + return 0; } @@ -112,7 +121,7 @@ int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint p_point; EccPointJacobi P; - EccPoint_mult(&P, p_publicKey, p_privateKey); + EccPoint_mult_safe(&P, p_publicKey, p_privateKey); if (EccPointJacobi_isZero(&P)) { return TC_CRYPTO_FAIL; } diff --git a/lib/source/ecc_dsa.c b/lib/source/ecc_dsa.c index 8636fa1..dd84a18 100644 --- a/lib/source/ecc_dsa.c +++ b/lib/source/ecc_dsa.c @@ -56,7 +56,7 @@ int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS], vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1); /* tmp = k * G */ - EccPoint_mult(&P, &curve_G, k); + EccPoint_mult_safe(&P, &curve_G, k); EccPoint_toAffine(&p_point, &P); /* r = x1 (mod n) */ @@ -101,17 +101,15 @@ int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS], vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */ /* calculate P = u1*G + u2*Q */ - EccPoint_mult(&P, &curve_G, u1); - EccPoint_mult(&R, p_publicKey, u2); + EccPoint_mult_unsafe(&P, &curve_G, u1); + EccPoint_mult_unsafe(&R, p_publicKey, u2); EccPoint_add(&P, &R); EccPoint_toAffine(&p_point, &P); /* Accept only if P.x == r. */ - vli_cond_set( - p_point.x, - p_point.x, - z, - vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS)); + if (!vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS)) { + vli_set(p_point.x, z); + } return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0); } diff --git a/lib/source/utils.c b/lib/source/utils.c index 3338e0c..147d8d4 100644 --- a/lib/source/utils.c +++ b/lib/source/utils.c @@ -55,14 +55,11 @@ void _set(void *to, uint8_t val, uint32_t len) } /* - * Doubles the value of a byte for values up to 127. Original 'return - * ((a<<1) ^ ((a>>7) * 0x1b))' re-written to avoid extra multiplication which - * the compiler won't be able to optimize + * Doubles the value of a byte for values up to 127. */ uint8_t _double_byte(uint8_t a) { - return (a & MASK_MOST_SIG_BIT) ? - ((a << 1) ^ MASK_TWENTY_SEVEN) : (a << 1); + return ((a<<1) ^ ((a>>7) * MASK_TWENTY_SEVEN)); } int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size) diff --git a/tests/test_aes.c b/tests/test_aes.c index 827d2c7..40c89fa 100644 --- a/tests/test_aes.c +++ b/tests/test_aes.c @@ -54,12 +54,13 @@ #include #include +#define NUM_OF_NIST_KEYS 16 #define NUM_OF_FIXED_KEYS 128 struct kat_table { - uint8_t in[TC_AES_BLOCK_SIZE]; - uint8_t out[TC_AES_BLOCK_SIZE]; + uint8_t in[NUM_OF_NIST_KEYS]; + uint8_t out[NUM_OF_NIST_KEYS]; }; /* @@ -68,7 +69,7 @@ struct kat_table { int test_1(void) { int result = TC_PASS; - const uint8_t nist_key[TC_AES_KEY_SIZE] = { + const uint8_t nist_key[NUM_OF_NIST_KEYS] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; @@ -111,20 +112,20 @@ int test_1(void) int test_2(void) { int result = TC_PASS; - const uint8_t nist_key[TC_AES_KEY_SIZE] = { + const uint8_t nist_key[NUM_OF_NIST_KEYS] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c }; - const uint8_t nist_input[TC_AES_BLOCK_SIZE] = { + const uint8_t nist_input[NUM_OF_NIST_KEYS] = { 0x32, 0x43, 0xf6, 0xa8, 0x88, 0x5a, 0x30, 0x8d, 0x31, 0x31, 0x98, 0xa2, 0xe0, 0x37, 0x07, 0x34 }; - const uint8_t expected[TC_AES_BLOCK_SIZE] = { + const uint8_t expected[NUM_OF_NIST_KEYS] = { 0x39, 0x25, 0x84, 0x1d, 0x02, 0xdc, 0x09, 0xfb, 0xdc, 0x11, 0x85, 0x97, 0x19, 0x6a, 0x0b, 0x32 }; struct tc_aes_key_sched_struct s; - uint8_t ciphertext[TC_AES_BLOCK_SIZE]; + uint8_t ciphertext[NUM_OF_NIST_KEYS]; TC_PRINT("AES128 %s (NIST encryption test):\n", __func__); @@ -148,19 +149,19 @@ int test_2(void) int var_text_test(uint32_t r, const uint8_t *in, const uint8_t *out, TCAesKeySched_t s) { - uint8_t ciphertext[TC_AES_BLOCK_SIZE]; - uint8_t decrypted[TC_AES_BLOCK_SIZE]; + uint8_t ciphertext[NUM_OF_NIST_KEYS]; + uint8_t decrypted[NUM_OF_NIST_KEYS]; int result = TC_PASS; (void)tc_aes_encrypt(ciphertext, in, s); - result = check_result(r, out, TC_AES_BLOCK_SIZE, + result = check_result(r, out, NUM_OF_NIST_KEYS, ciphertext, sizeof(ciphertext)); if (result != TC_FAIL) { if (tc_aes_decrypt(decrypted, ciphertext, s) == 0) { TC_ERROR("aes_decrypt failed\n"); result = TC_FAIL; } else { - result = check_result(r, in, TC_AES_BLOCK_SIZE, + result = check_result(r, in, NUM_OF_NIST_KEYS, decrypted, sizeof(decrypted)); } } @@ -1099,17 +1100,17 @@ int var_key_test(uint32_t r, const uint8_t *in, const uint8_t *out) { int result = TC_PASS; - const uint8_t plaintext[TC_AES_BLOCK_SIZE] = { + const uint8_t plaintext[NUM_OF_NIST_KEYS] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - uint8_t ciphertext[TC_AES_BLOCK_SIZE]; + uint8_t ciphertext[NUM_OF_NIST_KEYS]; struct tc_aes_key_sched_struct s; (void)tc_aes128_set_encrypt_key(&s, in); (void)tc_aes_encrypt(ciphertext, plaintext, &s); - result = check_result(r, out, TC_AES_BLOCK_SIZE, + result = check_result(r, out, NUM_OF_NIST_KEYS, ciphertext, sizeof(ciphertext)); return result; diff --git a/tests/test_ecc_dh.c b/tests/test_ecc_dh.c index 540aa7a..545f771 100644 --- a/tests/test_ecc_dh.c +++ b/tests/test_ecc_dh.c @@ -347,6 +347,8 @@ int randfd; void montecarlo_ecdh(uint32_t num, bool verbose) { EccPoint l_Q1, l_Q2; /* public keys */ + uint32_t l_random1[2 * NUM_ECC_DIGITS]; + uint32_t l_random2[2 * NUM_ECC_DIGITS]; uint32_t l_secret1[NUM_ECC_DIGITS]; uint32_t l_secret2[NUM_ECC_DIGITS]; @@ -367,11 +369,11 @@ void montecarlo_ecdh(uint32_t num, bool verbose) { fflush(stdout); printf("."); } - getRandomBytes((char *)l_secret1, NUM_ECC_DIGITS * sizeof(uint32_t)); - getRandomBytes((char *)l_secret2, NUM_ECC_DIGITS * sizeof(uint32_t)); + getRandomBytes((char *)l_random1, 2 * NUM_ECC_DIGITS * sizeof(uint32_t)); + getRandomBytes((char *)l_random2, 2 * NUM_ECC_DIGITS * sizeof(uint32_t)); - ecc_make_key(&l_Q1, l_secret1, l_secret1); - ecc_make_key(&l_Q2, l_secret2, l_secret2); + ecc_make_key(&l_Q1, l_secret1, l_random1); + ecc_make_key(&l_Q2, l_secret2, l_random2); if(!ecdh_shared_secret(l_shared1, &l_Q1, l_secret2)) { printf("shared_secret() failed (1)\n"); diff --git a/tests/test_ecc_dsa.c b/tests/test_ecc_dsa.c index 4049888..9f7a8cd 100644 --- a/tests/test_ecc_dsa.c +++ b/tests/test_ecc_dsa.c @@ -555,7 +555,7 @@ void montecarlo_signverify(uint32_t num, bool verbose) { uint32_t l_private[NUM_ECC_DIGITS]; uint32_t l_hash[NUM_ECC_DIGITS]; - uint32_t l_random[NUM_ECC_DIGITS]; + uint32_t l_random[2 * NUM_ECC_DIGITS]; uint32_t r[NUM_ECC_DIGITS]; uint32_t s[NUM_ECC_DIGITS]; diff --git a/tests/test_ecc_utils.c b/tests/test_ecc_utils.c index bce3b08..a635ebe 100644 --- a/tests/test_ecc_utils.c +++ b/tests/test_ecc_utils.c @@ -199,7 +199,7 @@ EccPoint keygen_vectors(char **d_vec, bool verbose) { EccPoint pub; - uint32_t seed[2*NUM_ECC_DIGITS]; + uint32_t seed[NUM_ECC_DIGITS * 2]; uint32_t prv[NUM_ECC_DIGITS]; /* expected outputs (converted input vectors) */ @@ -216,7 +216,7 @@ EccPoint keygen_vectors(char **d_vec, * Feed prvkey vector as padded random seed into ecc_make_key. * Internal mod-reduction will be zero-op and generate correct prv/pub */ - memset(seed, 0, 2*NUM_ECC_BYTES); + memset(seed, 0, NUM_ECC_BYTES * 2); string2scalar(seed, NUM_ECC_DIGITS, d_vec[i]); ecc_make_key(&pub, prv, seed);