How to reflash st-link

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>

.gitignore

@@ -1,14 +1,20 @@
 *.lst
 *.o
 *.pyc
+regnual/regnual-no-vidpid.elf
 src/.dep
-src/Makefile
+src/config.mk
 src/config.h
 src/gnuk.ld
+src/stdaln-sys.ld
 src/board.h
 src/build/*
 src/*.inc
+src/put-vid-pid-ver.sh
 regnual/regnual.bin
 regnual/regnual.hex
 regnual/regnual.elf
 doc/_build
+tests/.cache
+tests/__pycache__
+tests/.pytest_cache

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "chopstx"]
 	path = chopstx
-	url = git@gitorious.org:chopstx/chopstx.git
+	url = ../chopstx.git

AUTHORS

@@ -1,75 +0,0 @@
-Kaz Kojima:
-    Added STM32 Primer2 support:
-	boards/STM32_PRIMER2/board.c
-	boards/STM32_PRIMER2/board.h
-	boards/STM32_PRIMER2/mcuconf.h
-
-NIIBE Yutaka:
-    Founder of the project.
-    Added FST_01 support:
-	boards/FST_01/board.c
-	boards/FST_01/board.h
-	boards/FST_01/mcuconf.h
-    Added FST_01_00 support:
-	boards/FST_01_00/board.c
-	boards/FST_01_00/board.h
-	boards/FST_01_00/mcuconf.h
-    Added STBee support:
-	boards/STBEE/board.c
-	boards/STBEE/board.h
-	boards/STBEE/mcuconf.h
-    Added STM8S Discovery Kit support:
-	boards/STM8S_DISCOVERY/board.c
-	boards/STM8S_DISCOVERY/board.h
-	boards/STM8S_DISCOVERY/mcuconf.h
-    Added STBee Mini support:
-	boards/STBEE_MINI/board.c
-	boards/STBEE_MINI/board.h
-	boards/STBEE_MINI/mcuconf.h
-    Added CQ STARM support:
-	boards/CQ_STARM/board.c
-	boards/CQ_STARM/board.h
-	boards/CQ_STARM/mcuconf.h
-    Wrote tools for DfuSe:
-	tool/dfuse.py
-	tool/dump_mem.py
-	tool/intel_hex.py
-    Wrote a tool for Gnuk:
-	tool/gnuk_put_binary.py
-	tool/gnuk_put_binary_libusb.py
-	tool/gnuk_remove_keys.py
-	tool/gnuk_upgrade.py
-    Wrote a tool for USB Hub:
-	tool/hub_ctrl.py
-    Wrote a tool for testing card reader with pinpad:
-	tool/pinpadtest.py
-    Wrote reGNUal implementation:
-	regnual/regnual.c
-	regnual/sys.c
-    Wrote Gnuk implementation:
-	gnuk.svg
-	src/configure
-	src/ac.c
-	src/call-rsa.c
-	src/debug.c
-	src/flash.c
-	src/gnuk.h
-	src/main.c
-	src/neug.c
-	src/openpgp-do.c
-	src/openpgp.c
-	src/openpgp.h
-	src/pin-cir.c
-	src/pin-dial.c
-	src/pin-dnd.c
-	src/random.c
-	src/sys.c
-	src/usb-icc.c
-	src/usb-msc.c
-	src/usb-msc.h
-	src/usb_ctrl.c
-	src/usb_desc.c
-	src/usb_lld.c
-	src/usb_lld.h
-	*
-	and others.

GNUK_USB_DEVICE_ID

@@ -1,3 +1,7 @@
-# VID:PID	bcdDev	Product_STRING	Vender_STRING
+# VID:PID	bcdDev	Product_STRING	Vendor_STRING
+0000:0000	0200	Gnuk Token	Free Software Initiative of Japan
 234b:0000	0200	Gnuk Token	Free Software Initiative of Japan
+20a0:4211	0200	Nitrokey Start	Nitrokey
+1209:2440	0200	Gnuk Token	GnuPG e.V.
+1337:0010	0200	Gnuk Token	Deon Spengler
 ##########<TAB>	##<TAB>	##########<TAB>	#################

NEWS

@@ -1,5 +1,456 @@
 Gnuk NEWS - User visible changes
 
+
+* Major changes in Gnuk 1.2.20
+
+  Released 2022-04-22, by NIIBE Yutaka
+
+** Minor fixes for newer compiler
+
+For build with newer compiler, Gnuk and regnual are fixed for address
+calculation and access to object on memory, as well as declarations of
+function and type in standard C library.
+
+** Upgrade of Chopstx
+
+We use Chopstx 1.21.  This includes fix to silence compiler warnings.
+
+
+* Major changes in Gnuk 1.2.19
+
+  Released 2021-10-12, by NIIBE Yutaka
+
+** KDF Data Object configuration
+KDF Data Object should be highly recommended for all configurations.
+Nevertheless, for backward compatibillity, in Gnuk 1.2, it is optional
+by default; It is up to user to configure KDF Data Object before
+importing private keys.  In this situation, it is not good to
+introduce new build-time option like --enable-always-require-kdf-do,
+because it might wrongly encourage use of Gnuk with no KDF Data Object
+setting, by confusion.  If needed, please run configure:
+
+  kdf_do=required ./configure --enable-factory-reset --target...
+
+or
+
+  kdf_do=optional ./configure --enable-factory-reset --target...
+
+Please note that such a use of variable by shell command line is not
+well supported by the configure script (for other variables), but
+override of kdf_do is needed in some situations.
+
+** Upgrade of Chopstx
+We use Chopstx 1.20.  This enables use with PC/SC for GNU/Linux
+emulation.
+
+
+* Major changes in Gnuk 1.2.18
+
+  Released 2021-04-02, by NIIBE Yutaka
+
+** GNU/Linux emulation bug fix
+This time, for GNU/Linux emulation, KDF Data Object is required before
+keygen and key import, really.
+
+** tool/upgrade_by_passwd.py
+Now, it checks if the target of binary being written and the
+configured target of running device are same.  This check can be
+skipped by -s option.  Please note that FST-01 and FST-01SZ are
+different target, as it's MHz is different.
+
+
+* Major changes in Gnuk 1.2.17
+
+  Released 2021-02-25, by NIIBE Yutaka
+
+** GNU/Linux: KDF Data Object is required before keygen and key import
+For GNU/Linux emulation, KDF Data Object is required before keygen and
+key import.
+
+** GNU/Linux emulation
+Since 1.2.10, it was not build-able because of MHZ definition.  It is
+build-able again, and its USB product string is now "Gnuk Token".  It
+has ACK button support using terminal.  It now has start-up message,
+and its driver show useful information to setup USBIP.  When no file
+for the .gnuk-flash-image file, it is automatically created.
+
+** Removal of tool/gnuk-emulation-setup
+Because it is automatically created, the tool is not needed any more.
+
+** Upgrade of Chopstx
+We use Chopstx 1.19.
+
+
+* Major changes in Gnuk 1.2.16
+
+  Released 2020-09-10, by NIIBE Yutaka
+
+** New Data Object (Algorithm Information) of OpenPGP card v3.4
+The tag is 0x00FA.  This is useful for user interaction to show which
+algorithms are supported by the device.
+
+** Ed25519 signing allowing longer message
+For OpenPGP, it does hashing on host side before requesting signing to
+the device.  Thus, the length of message to be signed is limited and
+determined by the hash algorithm.  That's good feature of OpenPGP.  On
+the other hand, there is a use case, like OpenSSH certificate signing,
+where the length of message is a kind of arbitrary.  Even though Gnuk
+(or OpenPGP card protocol itself) has limitation, we removed the
+length check against EDDSA_HASH_LEN_MAX at cmd_pso.
+
+
+* Major changes in Gnuk 1.2.15
+
+  Released 2020-01-24, by NIIBE Yutaka
+
+** Switch to Python3
+Scripts under tool/ are switched to Python3.
+Thanks to Bertrand Jacquin.
+
+** Upgrade of Chopstx
+We use Chopstx 1.18.
+
+** Tests also support OpenPGPcard
+Now, a test suite under "tests" may be used to OpenPGPcard.
+
+
+* Major changes in Gnuk 1.2.14
+
+  Released 2019-03-05, by NIIBE Yutaka
+
+** Timeout for ACK button support
+When a user doesn't acknowledge (> 15 seconds), the operation
+timeouts, and authentication state is cleared.
+
+** Upgrade of Chopstx
+We use Chopstx 1.14.
+
+
+* Major changes in Gnuk 1.2.13
+
+  Released 2018-12-26, by NIIBE Yutaka
+
+** DFU support and its firmware upgrade fix
+DFU support was not well maintained, and firmware upgrade was not
+possible for boards with DFU.  Now, at least for Maple Mini, it is
+tested.  Note that using Gnuk with DFU on a board is only for an
+experiment, because DFU can access the content of flash ROM.  DFU
+should be killed by upgrading to normal Gnuk, so that you can have
+your private keys.
+
+** Fix for UIF Data Object
+When flash ROM is full and coping to new page, UIF DO was not properly
+copied.  This bug resulted losing the flag for user interaction.  Now,
+it's properly copied, keeping the setting of the feature.
+
+** Upgrade of Chopstx
+We use Chopstx 1.13.
+
+
+* Major changes in Gnuk 1.2.12
+
+  Released 2018-11-25, by NIIBE Yutaka
+
+** FST-01SZ fixes
+Fixes for Ack button support and serial number.
+
+
+* Major changes in Gnuk 1.2.11
+
+  Released 2018-11-12, by NIIBE Yutaka
+
+** Experimental ACK button support with FST-01SZ
+While OpenPGP card specification verison 3 has description for the
+"user interaction" button and data objects, there were no
+implementation.  To evaluate the feature, experimental support is
+added.
+
+** Upgrade of Chopstx
+We use Chopstx 1.12, which comes with ACK button driver and supports
+FST-01SZ.
+
+
+* Major changes in Gnuk 1.2.10
+
+  Released 2018-05-10, by NIIBE Yutaka
+
+** No inclusion of VID:PID in gnuk-no-vidpid.elf
+Now, we have new file named gnuk-no-vidpid.elf with no VID:PID.  The
+file gnuk.elf has the VID:PID, like version 1.2.7 or older.
+
+** Upgrade of Chopstx
+We use Chopstx 1.9, which supports GD32F103.
+
+
+* Major changes in Gnuk 1.2.9
+
+  Released 2018-04-05, by NIIBE Yutaka
+
+** A test suite fix: Clear PW3
+Until 1.2.8, after running the test suite under "tests", PW3 keystring
+remained, which affects use of admin-less mode.  New test case is
+added to clear PW3.
+
+** tool/upgrade_by_passwd.py supports KDF-DO auth
+With KDF-DO, firmware upgrade didn't work.  Now, it's supported.
+
+** Add "single-salt" support for KDF-DO
+With KDF-DO, "admin-less" mode didn't work well.  With new feature of
+"single-salt" support, we can use "admin-less" mode with KDF-DO.
+
+** factory-reset deletes all upgrade public keys
+By card-edit/factory-reset by GnuPG, it deletes all upgrade public
+keys, now.
+
+
+* Major changes in Gnuk 1.2.8
+
+  Released 2018-01-23, by NIIBE Yutaka
+
+** No inclusion of VID:PID in gnuk.elf
+
+Distribution of binary image with VID:PID would violate vendor ID
+agreement to USB Forum.  Now, we have new file named gnuk-vidpid.elf
+for flashing.  The file gnuk.elf can be used to generate
+gnuk-vidpid.elf and we can check if it is reproducible or not.
+
+** Passphrase length check
+
+Now, Gnuk checks length of passphrase if it's too short when
+changing passphrase.
+
+** Remove unused DEK with BY_ADMIN
+
+For admin-less mode, DEK by OPENPGP_CARD_INITIAL_PW3 remained on flash
+ROM.  This could be considered a backdoor, if some other person had or
+kept access to the flash ROM, cheating a user.  Now, the DEK is
+cleared by zero when the token is set to admin-less mode.
+
+** Upgrade of Chopstx
+We use Chopstx 1.8.
+
+
+* Major changes in Gnuk 1.2.7
+
+  Released 2017-11-26, by NIIBE Yutaka
+
+** reGNUal
+reGNUal enables CRC module by itself.
+
+** Flash update change
+CRC module is disabled when Gnuk stops.  It's reGNUal which needs to
+enable CRC module.
+
+** Support of USB suspend
+USB suspend and wakeup event are now handled.
+
+** KDF-DO support and KDF by host
+KDF-DO is now available.  Host can use this feature.
+
+** Upgrade of Chopstx
+We use Chopstx 1.6.
+
+
+* Major changes in Gnuk 1.2.6
+
+  Released 2017-10-11, by NIIBE Yutaka
+
+** Port to GNU/Linux emulation
+We can "run" Gnuk Token on GNU/Linux by emulation through USBIP.
+
+** Upgrade of Chopstx
+We use Chopstx 1.5.
+
+
+* Major changes in Gnuk 1.2.5
+
+  Released 2017-08-11, by NIIBE Yutaka
+
+** "factory-reset" fix
+Gnuk's behavior was implemented by referring the gpg implementation.
+It found that gpg implementation was not good from the viewpoint of
+the OpenPGP card specification.  GnuPG was fixed to match the OpenPGP
+card specification already.  Thus, Gnuk is now fixed.
+
+** Upgrade of Chopstx
+We use Chopstx 1.4.
+
+
+* Major changes in Gnuk 1.2.4
+
+  Released 2017-05-12, by NIIBE Yutaka
+
+** Flash ROM security fix
+The partial content of flash ROM might be exposed when scanning of
+data object had a problem.  Added boundary check and changed layout of
+flash ROM.
+
+
+* Major changes in Gnuk 1.2.3
+
+  Released 2017-02-02, by NIIBE Yutaka
+
+** ECC key generation on the device
+Bug fixed.
+
+** Upgrade of Chopstx
+We use Chopstx 1.3.
+
+
+* Major changes in Gnuk 1.2.2
+
+  Released 2016-10-15, by NIIBE Yutaka
+
+** Change of SELECT FILE behavior 
+Gnuk used to reply AID upon SELECT FILE command.  Now, to be compatible
+to original OpenPGP card, it returns nothing but status code of 9000.
+
+** Added feature of Factory Reset as compile time option
+Original OpenPGP card has the feature, and Gnuk is now configurable to
+support the feature.
+
+** Upgrade of Chopstx
+We use Chopstx 1.2.
+
+
+* Major changes in Gnuk 1.2.1
+
+  Released 2016-07-11, by NIIBE Yutaka
+
+** Upgrade of Chopstx
+We use Chopstx 1.1.
+
+
+* Major changes in Gnuk 1.2.0
+
+  Released 2016-05-20, by NIIBE Yutaka
+
+** Upgrade of Chopstx
+We use Chopstx 0.11.
+
+** Support authentication status reset by VERIFY command.
+This feature is described in the OpenPGPcard specification V2.2 and
+V3.1, which allow user to reset authentication status.
+
+** S2K algorithm tweak to defeat "copycat" service of MCU.
+Even if the existence of some services copying MCU, your private key
+will not be controled by others, in some cases.
+
+** Bug fix for secp256k1 and NIST P-256.
+Bugs in basic computation were fixed.
+
+** Bug fix for bignum routines.
+Bignum routine update from upstream (failure doesn't occur for our RSA
+computation, though).  Another fix for mpi_exp_mod.
+
+
+* Major changes in Gnuk 1.1.9
+
+  Released 2015-09-18, by NIIBE Yutaka
+
+** Bug fix for Ed25519 and Curve25519
+When registering key, wrong operations were not detected correctly.
+This is fixed.
+
+
+* Major changes in Gnuk 1.1.8
+
+  Released 2015-09-17, by NIIBE Yutaka
+
+** Upgrade of Chopstx
+We use Chopstx 0.10, which supports Nitrokey-Start.
+
+** Card serial number
+The way to determine a serial number of Gnuk Token for card has been
+changed.  It uses the 96-bit unique bits of MCU, but the portion for
+use is changed.
+
+** USB Reset handling
+USB reset lets Gnuk Token restart.  It would not be perfect, when it's
+during computation of some function, but most parts are protected by
+Chopstx's feature of cancellation.
+
+
+* Major changes in Gnuk 1.1.7
+
+  Released 2015-08-05, by NIIBE Yutaka
+
+** Upgrade of Chopstx
+We use Chopstx 0.08, which supports STM32 Nucleo and ST Dongle.
+
+
+* Major changes in Gnuk 1.1.6
+
+  Released 2015-07-21, by NIIBE Yutaka
+
+** USB SerialNumber String
+The way to determine a serial number of Gnuk Token has been changed.
+It uses the 96-bit unique bits of MCU, but the portion for use is
+changed.
+
+** Upgrade of Chopstx
+We use Chopstx 0.07, which supports STM32 Primer2 and CQ STARM, too.
+
+** Experimental Curve25519 support.
+
+Gnuk can support Curve25519 (for decryption).  Note that this is
+pretty much experimental, and subjects to change.  The low level code
+is somehow stable, but there are no consensus in higer level.
+Especially, OID in the key attribute would be changed in future.
+
+** No --enable-keygen option
+It is now standard feature included always.  Note that it doesn't mean
+this feature is stable now.  It is becoming stable, hopefully.
+
+
+* Major changes in Gnuk 1.1.5
+
+  Released 2015-06-03, by NIIBE Yutaka
+
+** upgrade_by_passwd.py is not so noisy any more.
+Since it's getting stable, no debug output any more.
+
+** Maple mini support.
+Although its random number generation is not tested, Maple mini
+support is added.
+
+** Windows interoperability fix.
+1.1.x (0 to 4) didn't work with Windows because of INTERRUPT transfer.
+It's fixed and it works now.
+
+** OpenPGPcard specification v3.0 compatibility.
+OpenPGPcard specification v3.0 now include NIST curves (and other
+curves) and ECDSA and ECDH operations are defined.  Gnuk follows
+this specification.
+
+
+* Major changes in Gnuk 1.1.4
+
+  Released 2014-12-15, by NIIBE Yutaka
+
+** Experimental RSA-4096 support.
+Although it takes too long (more than 8.7 second), RSA-4096
+is now implemented.
+
+** ECDH support.
+ECDH is now supported.  You need development branch (master)
+of GnuPG to use this feature.
+
+** ECDSA and EdDSA is not that experimental.
+You don't need to edit DEFS variable in src/Makefile.
+
+** STM8S_DISCOVERY is not supported any more.
+It's flash ROM size (64KiB) is a bit small to have all features of
+Gnuk now.  If you manually edit code to limit the size of executable,
+it still could run Gnuk, though.
+
+** configure's default target is now FST-01.
+Receiving reports from those who complain default target, I
+reconsidered.  Those who has Olimex STM32 H103 usually has JTAG
+debugger, while FST-01 users don't.  So, to be safe, the default
+target is now FST-01, instead of Olimex STM32 H103.
+
+
 * Major changes in Gnuk 1.1.3
 
   Released 2014-04-16, by NIIBE Yutaka
@@ -582,6 +1033,7 @@ Gnuk Token could run with GPG4WIN on MS Windows.  GPG4WIN runs with
 
 ** This is initial release.  Only it supports digital signing.
 
-Local Variables:
-mode: outline
-End:
+
+# Local Variables:
+# mode: outline
+# End:

README

@@ -1,628 +0,0 @@
-Gnuk - An Implementation of USB Cryptographic Token for GnuPG
-
-							  Version 1.1.3
-							     2014-04-16
-							   Niibe Yutaka
-				      Free Software Initiative of Japan
-
-Warning
-=======
-
-This is another experimental release of Gnuk, version 1.1.3, which has
-incompatible changes to Gnuk 1.0.x.  Specifically, it now supports
-overriding key import, but importing keys (or generating keys) results
-password reset.  Please update your documentation for Gnuk Token, so
-that the instruction of importing keys won't cause any confusion.  It
-has supports of ECDSA (with NIST P256 and secp256k1) and EdDSA with
-EdDSA, but this feature is pretty much experimental, and it requires
-development version of GnuPG with newest version of libgcrypt.  You
-will not able to keep using EdDSA keys, as the key format is subject
-to change.
-
-
-What's Gnuk?
-============
-
-Gnuk is an implementation of USB cryptographic token for GNU Privacy
-Guard.  Gnuk supports OpenPGP card protocol version 2, and it runs on
-STM32F103 processor.
-
-I wish that Gnuk will be a developer's soother who uses GnuPG.  I have
-been nervous of storing secret key(s) on usual secondary storage.
-There is a solution with OpenPGP card, but it is not the choice for
-me, as card reader is not common device.  With Gnuk, this issue will
-be solved by a USB token.
-
-Please look at the graphics of "gnuk.svg" for the software name.  My
-son used to be with his NUK(R), always, everywhere.  Now, I am with a
-USB Cryptographic Token by "Gnuk", always, everywhere.
-
-
-FAQ
-===
-
-Q0: How Gnuk USB Token is superior than other solutions (OpenPGP
-    card 2.0, GPF Crypto Stick, etc.) ?
-    http://www.g10code.de/p-card.html
-    http://www.privacyfoundation.de/crypto_stick/
-A0: Good points of Gnuk are:
-    * If you have skill of electronics and like DIY, you can build
-      Gnuk Token cheaper (see Q8-A8).
-    * You can study Gnuk to modify and to enhance.  For example, you
-      can implement your own authentication method with some sensor
-      such as an acceleration sensor.
-    * It is "of Free Software"; Gnuk is distributed under GPLv3+,
-	    "by Free Software"; Gnuk development requires only Free Software
-				(GNU Toolchain, Python, etc.), 
-	    "for Free Software"; Gnuk supports GnuPG.
-
-Q1: What kind of key algorithm is supported?
-A1: Gnuk version 1.0 only supports 2048-bit RSA.
-    Development version of Gnuk (1.1.x) supports 256-bit ECDSA and EdDSA.
-
-Q2: How long does it take for digital signing?
-A2: It takes a second and a half or so. 
-
-Q3: What's your recommendation for target board?
-A3: Orthodox choice is Olimex STM32-H103.
-    If you have skill of electronics and like DIY, STM32 part of STM8S
-    Discovery Kit might be the best choice.
-    FST-01 (Flying Stone Tiny 01) is available for sale, and it is a
-    kind of the best choice, hopefully.
-
-Q4: What's version of GnuPG are you using?
-A4: In Debian GNU/Linux system, I use gnupg 1.4.12-7 and gnupg-agent
-    2.0.20-1.
-
-Q5: What's version of pcscd and libccid are you using?
-A5: I don't use them, pcscd and libccid are optional, you can use Gnuk
-    without them.
-    I tested pcscd 1.5.5-4 and libccid 1.3.11-2 which were in Debian
-    squeeze.
-
-Q6: What kinds of hardware is required for development?
-A6: You need a target board plus a JTAG/SWD debugger.  If you just
-    want to test Gnuk for target boards with DfuSe, JTAG debugger is
-    not the requirement.  Note that for real use, you need JTAG/SWD
-    debugger to enable flash ROM protection.
-
-Q7: How much does it cost?
-A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
-
-Q8: How much does it cost for DIY version?
-A8: STM8S Discovery Kit costs 750 JPY (< $10 USD) only.  You can build
-    your own JTAG debugger using FTDI2232 module (1450 JPY), see:
-    http://www.fsij.org/gnuk/jtag_dongle_ftdi2232
-
-Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up?
-
-A9: GnuPG's SCDaemon has problems for handling insertion/removal of
-    card/reader.  When your newly inserted token is not found by
-    GnuPG, try killing scdaemon and let it to be invoked again.  I do:
-
-	 $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
-
-    and confirm scdaemon doesn't exist, then,
-
-	 $ gpg-connect-agent learn /bye
-
-Qa: With GNOME 2, I can't use Gnuk Token for SSH.  How can we use it for SSH?
-Aa: You need to deactivate seahorse-agent and gnome-keyring, but use
-    gpg-agant for the role of ssh-agent.  For gnome-keyring please do:
-
-      $ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
-
-Qb: With GNOME 3, I can't use Gnuk Token at all.  Why?
-Ab: That's because gnome-keyring-daemon interferes GnuPG.  Type:
-
-      $ gnome-session-properties
-
-    and at the tab of "Startup Programs", disable check buttons for
-    "GPG Password Agent" and "SSH Key Agent".
-
-Qc: Do you know a good SWD debugger to connect FST-01 or something?
-Ac: ST-Link/V2 is cheap one.  We have a tool/stlinkv2.py as flash ROM
-    writer program.
-
-
-Release notes
-=============
-
-This is third experimental release in version 1.1 series of Gnuk.
-
-While it is daily use by its developer, some newly introduced features
-(including ECDSA/EdDSA, key generation and firmware upgrade) should be
-considered experimental.  ECDSA/EdDSA is really experimental.  The
-feature even requires manual edit of Makefile after 'configure'.
-More, EdDSA is much experimental.  You won't be able to keep using
-the EdDSA key, as it is subject to change.
-
-Tested features are:
-
-	* Personalization of the card
-	  * Changing Login name, URL, Name, Sex, Language, etc.
-	* Password handling (PW1, RC, PW3)
-	* Key import for three types:
-	  * key for digital signing
-	  * key for decryption
-	  * key for authentication
-	* PSO: Digital Signature
-	* PSO: Decipher
-	* INTERNAL AUTHENTICATE
-	* Changing value of password status bytes (0x00C4): forcesig
-	* Verify with pin pad
-	* Modify with pin pad
-	* Card holder certificate (read)
-	* Removal of keys
-	* Key generation on device side
-	* Overriding key import
-
-Original features of Gnuk, tested lightly:
-
-	* OpenPGP card serial number setup
-	* Card holder certificate (write by UPDATE BINARY)
-	* Upgrading with "EXTERNAL AUTHENTICATE" by reGNUal
-
-It is known not-working well:
-
-        * It is known that the combination of libccid 1.4.1 (or newer)
-	  with libusb 1.0.8 (or older) has a minor problem.  It is
-	  rare but it is possible for USB communication to be failed,
-	  because of a bug in libusb implementation.  Use libusbx
-	  1.0.9 or newer, or don't use PC/SC, but use internal CCID
-	  driver of GnuPG.
-
-
-Targets
-=======
-
-We use Olimex STM32-H103 board and Flying Stone Tiny 01 (FST-01).  We
-also use STM32 part of STM8S Discovery Kit.
-
-With DfuSe support, STBee is also our targets.  But this target with
-DfuSe is for experiment only, because it is impossible for DfuSe to
-disable read from flash.  For real use, please consider killing DfuSe
-and enabling read protection using JTAG debugger.
-
-For PIN-pad support, I connect a consumer IR receive module to FST-01
-and STM8S Discovery Kit, and use controller for TV.  PIN verification
-is supported by this configuration.  Yes, it is not secure at all,
-since it is very easy to monitor IR output of the controllers.  It is
-just an experiment.  Note that hardware needed for this experiment is
-only a consumer IR receive module which is as cheap as 50 JPY.
-
-Note that you need pinpad support for GnuPG to use PIN-pad enabled
-Gnuk.  The pinpad support for GnuPG is only available in version 2.
-
-
-Souce code
-==========
-
-Gnuk source code is under src/ directory.
-
-Note that SHA-2 hash function implementation, src/sha256.c, is based
-on the original implementation by Dr. Brian Gladman.  See:
-
-  http://gladman.plushost.co.uk/oldsite/cryptography_technology/sha/index.php
-
-
-License
-=======
-
-It is distributed under GNU General Public Licence version 3 or later
-(GPLv3+).  Please see src/COPYING.
-
-Please note that it is distributed with external source code too.
-Please read relevant licenses for external source code as well.
-
-The author(s) of Gnuk expect users of Gnuk will be able to access the
-source code of Gnuk, so that users can study the code and can modify
-if needed.  This doesn't mean person who has a Gnuk Token should be
-able to access everything on the Token, regardless of its protections.
-Private keys, and other information should be protected properly.
-
-
-External source code
-====================
-
-Gnuk is distributed with external source code.
-
-* chopstx/  -- Chopstx 0.03 (+ STBee support)
-
-  We use Chopstx as the kernel for Gnuk.
-
-  Chopstx is distributed under GPLv3+ (with a special exception).
-
-
-* polarssl/  -- PolarSSL 1.2.10
-
-  Souce code taken from: http://polarssl.org/
-
-  We use PolarSSL for RSA computation, and AES encryption/decryption.
-
-  PolarSSL is distributed under GPLv2+.  We use PolarSSL under GPLv3
-  as our options.
-
-  The file include/polarssl/bn_mul.h is heavily modified for ARM
-  Cortex-M3.
-
-  The function rsa_private in polarssl/library/rsa.c is modified so
-  that it doesn't check T against N.  The function rsa_pkcs1_sign is
-  modified to avoid warnings in case of !POLARSSL_PKCS1_V21.
-
-  The functions rsa_pkcs1_verify and rsa_rsassa_pkcs1_v15_verify in
-  include/polarssl/rsa.h and polarssl/library/rsa.c are modified
-  (fixed) for last argument SIG, as the memory at SIG aren't modified
-  by those routines.
-
-  The constant POLARSSL_MPI_MAX_SIZE in include/polarssl/bignum.h is
-  modified for 2048-bit keys only Gnuk.
-
-  The function mpi_mul_hlp in library/bignum.c is modified for more
-  optimization for ARM Cortex-M3.  Functions mpi_montred, mpi_sub_hlp,
-  mpi_sub_abs, mpi_mul_mpi, mpi_montmul, and mpi_exp_mod are modified
-  to avoid side channel attacks.  Note that we don't use RSA-blinding
-  technique for Gnuk.  Function mpi_gen_prime and mpi_is_prime are
-  modified to use Fouque-Tibouchi method.  Function mpi_exp_mod is
-  modified to use new function mpi_montsqr for speed up.
-
-  The file library/aes.c is modified so that some constants can
-  go to .sys section.
-
-  The file include/polarssl/config.h are modified not to define
-  POLARSSL_HAVE_LONGLONG to avoid linking libgcc, to define
-  POLARSSL_AES_ROM_TABLES to have AES tables, not to define
-  POLARSSL_CIPHER_MODE_CTR, POLARSSL_FS_IO, POLARSSL_PKCS1_V21,
-  POLARSSL_SELF_TEST, and POLARSSL_PADLOCK_C, and only define
-  POLARSSL_GENPRIME when defined KEYGEN_SUPPORT.
-
-
-USB vendor ID and product ID (USB device ID)
-============================================
-
-When you have a vender ID and assign a product ID for Gnuk, edit the
-file GNUK_USB_DEVICE_ID and add an entry for yours.  In this case,
-please contact Niibe, so that it is listed to the file in the official
-release of the source code.
-
-When you are modifing Gnuk and installing the binary to device, you
-should replace the vendor string and serial number to yours (in the
-file GNUK_USB_DEVICE_ID and SERIALNO of the script of src/configure),
-so that users can see it's not by original vendor, and it is modified
-version.
-
-FSIJ allows you to use USB device ID of FSIJ (234b:0000) for devices
-with Gnuk under one of following conditions:
-
-  * For everyone for experimental purpose:
-
-    - You must not distribute a binary with FSIJ's USB device ID, but
-      must use the binary by yourself only for your experiment.  Note
-      that "Distributing binary" includes distributing a device which
-      holds the binary.
-
-  * For general individuals:
-
-    - You must use your Gnuk device with a card serial number which is
-      *not* by FSIJ.  Easy one would be a card serial number generated
-      by chip unique ID.
-
-  * For individuals with explicit permission from FSIJ.
-
-    - You should have an assigned card serial number by FSIJ,
-      please use that number for your device.
-      (There a file 'GNUK_SERIAL_NUMBER' in the official release.)
-
-FSIJ could give companies or business entities "second source
-manufacturer" license to use USB device ID of FSIJ for devices with
-unmodified version of Gnuk, provided they support Free Software and
-respect users' freedom for computing.  Please ask FSIJ for the
-license.
-
-Otherwise, companies which want to distribute Gnuk devices, please use
-your own USB vendor ID and product ID.  Please replace vendor string
-and possibly product string to yours, when you modify Gnuk.
-
-
-Host Requirements
-=================
-
-For GNU/Linux, PC/SC service is an option, you can use GnuPG's
-internal CCID driver instead.  If you chose using PC/SC service,
-libccid version >= 1.3.11 is recommended for GNU/Linux.
-
-
-How to compile
-==============
-
-You need GNU toolchain and newlib for 'arm-none-eabi' target.
-
-There is "gcc-arm-embedded" project.  See:
-
-    https://launchpad.net/gcc-arm-embedded/
-
-
-Change directory to `src':
-
-  $ cd gnuk-VERSION/src
-
-Then, run `configure':
-
-  $ ./configure --vidpid=<VID:PID>
-
-Here, you need to specify USB vendor ID and product ID.  For FSIJ's,
-it's: --vidpid=234b:0000 .  Please read section 'USB vendor ID and
-product ID' above.
-
-Type:
-
-  $ make
-
-Then, we will have "gnuk.elf" under src/build directory.
-
-
-How to install
-==============
-
-Olimex STM32-H103 board
------------------------
-
-If you are using Olimex JTAG-Tiny, type following to invoke OpenOCD:
-
-  $ openocd -f interface/olimex-jtag-tiny.cfg -f board/olimex_stm32_h103.cfg
-
-Then, with another terminal, type following to write "gnuk.elf" to Flash ROM:
-
-  $ telnet localhost 4444
-  > reset halt
-  > flash write_image erase gnuk.elf
-  > reset
-  > exit
-  $ 
-
-
-Flying Stone Tiny 01
---------------------
-
-If you are using Flying Stone Tiny 01, you need a SWD writer.  I am
-using revision 946 of Simon Qian's Versaloon.
-
-    svn checkout -r 946 http://vsprog.googlecode.com/svn/trunk/
-
-For OpenOCD, we need unofficial patch.
-
-See the article of Versaloon Forum:
-
-    http://www.versaloon.com/bbs/viewtopic.php?p=16179
-
-
-Type following to invoke OpenOCD:
-
-  $ openocd -f interface/vsllink.cfg -c "transport select swd" -c "swd_mode 2" -f target/stm32f1x.cfg
-
-Then, with another terminal, type following to write "gnuk.elf" to Flash ROM:
-
-  $ telnet localhost 4444
-  > reset halt
-  > flash write_image erase gnuk.elf
-  > reset
-  > exit
-  $ 
-
-OpenOCD 0.6.1 now supports ST-Link/V2.  We can use it:
-
-  $ openocd -f interface/stlink-v2.cfg -f target/stm32f1x_stlink.cfg
-
-But it doesn't support option bytes handling (protection) yet.
-
-
-STM8S Discovery Kit
--------------------
-
-If you are using FTDI-2232D module and the connection is standard, type:
-
-  $ openocd -f interface/openocd-usb.cfg -f target/stm32f1x.cfg
-
-Initially, the flash ROM of the chip is protected.  you need to do:
-
-  $ telnet localhost 4444
-  > reset halt
-  > stm32f1x unlock 0
-  > reset
-  > shutdown
-  $ 
-
-and re-connect the board.  Note that power-off / power-on sequence is
-required to reset flash ROM.
-
-Then, invoke OpenOCD again and telnet to connect OpenCD and write
-image as above example of Olimex STM32-H103.
-
-
-STBee
------
-
-Reset the board with "USER" switch pushed.  Type following to write
-to flash:
-
-  # cd ../tool
-  # ./dfuse.py ../src/build/gnuk.hex
-
-Then, reset the board.
-
-
-How to protect flash ROM
-========================
-
-Invoke your OpenOCD and type:
-
-  $ telnet localhost 4444
-  > reset halt
-  > stm32f1x lock 0
-  > reset
-  > shutdown
-
-After power-off / power-on sequence, the contents of flash ROM cannot
-be accessible from JTAG debugger.
-
-Note that it would be still possible for some implementation of DfuSe
-to access the contents.  If you want to protect, killing DfuSe and
-accessing by JTAG debugger is recommended.
-
-
-How to configure
-================
-
-You need python and pyscard (python-pyscard package in Debian) or
-PyUSB 0.4.3 (python-usb package in Debian).
-
-(1) [pyscard] Stop scdaemon
-    [PyUSB] Stop the pcsc daemon.
-
-If scdaemon is running, please kill it, or you will get "Smartcard
-Exception" by "Sharing violation".
-
-  $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
-
-In case of PyUSB tool, you need to stop pcscd.
-
-  # /etc/init.d/pcscd stop
-
-
-(2) [Optional] Write fixed serial number
-
-If you use fixed serial number in the file 'GNUK_SERIAL_NUMBER', you can do:
-
-  $ EMAIL=<YOUR-EMAIL-ADDRESS> ../tool/gnuk_put_binary.py -s ../GNUK_SERIAL_NUMBER
-  Writing serial number
-  ...
-
-(3) [Optional] Write card holder certificate
-
-If you have card holder certificate binary file, you can do:
-
-  $ ../tool/gnuk_put_binary.py ../../<YOUR-CERTIFICATE>.bin
-  ../../<YOUR-CERTIFICATE>.bin: <LENGTH-OF-YOUR-CERTIFICATE>
-  Updating card holder certificate
-  ...
-
-
-How to run
-==========
-
-Debug enabled
--------------
-
-If you compiled with --enable-debug option, Gnuk has two interfaces
-(one is CCID/ICCD device and another is virtual COM port).  Open
-virtual COM port by:
-
-  $ cu -l /dev/ttyACM0
-
-and you will see debug output of Gnuk.
-
-
-Testing Gnuk
-------------
-
-Type following command to see Gnuk runs:
-
-  $ gpg --card-status
-
-
-Besides, there is a functionality test under test/ directory.  See
-test/README.
-
-
-Personalize the Token, import keys, and change the password
------------------------------------------------------------
-
-You can personalize the token, putting your information like: Name,
-Login name, Sex, Languages, URL.  To do so, GnuPG command is:
-
-  $ gpg --card-edit
-
-Note that the factory setting of user password is "123456" and admin
-password is "12345678" as the specification.
-
-It is recommended to create your keys on your computer, and import
-them to Gnuk Token.  After you create your keys (they must be 2048-bit
-RSA), you can import them.
-
-Gnuk supports key generation, but this feature is young and should be
-considered experimental.
-
-For detail, please see documentation under doc/.  You can see the HTML
-version at: http://www.fsij.org/doc-gnuk/
-
-
-How to debug
-============
-
-We can use GDB.
-
-  $ arm-none-eabi-gdb gnuk.elf
-
-
-Inside GDB, we can connect OpenOCD by:
-
-  (gdb) target remote localhost:3333
-
-
-You can see the output of PCSCD:
-
-  # /etc/init.d/pcscd stop
-  # LIBCCID_ifdLogLevel=7 /usr/sbin/pcscd --debug --foreground
-
-
-You can observe the traffic of USB using "usbmon".  See the file:
-linux/Documentation/usb/usbmon.txt
-
-
-Firmware update
-===============
-
-See doc/note/firmware-update.
-
-
-Git Repositories
-================
-
-Please use: http://gitorious.org/gnuk
-
-You can get it by:
- 
-    $ git clone git://gitorious.org/gnuk/gnuk.git
-
-It's also available at: www.gniibe.org
-You can browse at: http://www.gniibe.org/gitweb?p=gnuk.git;a=summary
-
-I put Chopstx as a submodule of Git.  Please do this:
-
-  $ git submodule init
-  $ git submodule update
-
-We have migrated from ChibiOS/RT to Chopstx.  If you have old code of
-ChibiOS/RT, you need:
-
-    Edit .git/config to remove chibios reference
-    git rm --cached chibios
-
-
-Information on the Web
-======================
-
-Please visit: http://www.fsij.org/gnuk/
-
-
-Your Contributions
-==================
-
-FSIJ welcomes your contributions.  Please assign your copyright
-to FSIJ (if possible).
-
-
-Foot note
-==========
-* NUK(R) is a registered trademark owend by MAPA GmbH, Germany.
--- 

README.md

@@ -0,0 +1,138 @@
+***Note:*** *This fork of Gnuk fixes some compiling bugs and focuses on using the "ST-Link V2" clone hardware.*
+
+Here is the link to the original project: <http://git.gniibe.org/cgit/gnuk/gnuk.git/>
+
+What's Gnuk?
+============
+Gnuk is an implementation of a USB cryptographic security token that supports the OpenPGP card protocol version 2. It runs on a STM32F103 processor (and its compatible). In short it allows one to convert a cheap $2 "ST-Link V2" clone device into a hardware security token.
+
+It has supports of Ed25519 and X25519 (ECDH on Curve25519). It also has experimental support of ECDSA (on NIST P256 and secp256k1) and ECDH (on NIST P256 and secp256k1).
+
+Gnuk supports the Key Derived Function (KDF) functionality. To use this feature one will need to use GnuPG 2.2.6 or later.
+
+How to build the Gnuk firmware
+==============================
+You will need the GNU toolchain for arm-none-eabi and newlib.
+
+To clone the source code and compile, use the following commands.
+```
+git clone --recursive https://git.spengler.co.za/deon/gnuk.git gnuk
+cd gnuk/src
+./configure --vidpid=1337:0010
+make
+```
+
+Then, you will have "gnuk.bin" under src/build directory.
+
+***Please read section 'USB vendor ID and product ID' below.***
+
+How to flash the Gnuk firmware
+==============================
+In order to flash the firmware ensure that you have openocd installed.
+
+Execute openocd and connect with telnet
+```
+openocd -f ../misc/stm32f103.cfg
+telnet localhost 4444
+```
+
+Use the following commands to unlock, flash the firmware and lock the device again.
+```
+reset halt
+stm32f1x unlock 0
+reset halt
+flash write_bank 0 ./build/gnuk.bin 0
+stm32f1x lock 0
+reset halt
+```
+
+How to reflash the ST-LINK
+==========================
+To reflash the ST-LINK, connect the device to a programmer as before while keeping pins 7 and 8 shorted. While the LED is blinking, run openocd. Once it’s running (i.e. it doesn’t show any errors), you can unshort the pins.
+
+Then use the following to unlock and reflash.
+```
+reset halt
+stm32f1x unlock 0
+reset halt
+stm32f1x mass_erase 0
+flash write_bank 0 ./build/gnuk.bin 0
+stm32f1x lock 0
+reset halt
+```
+
+***Note: That reprograming will wipe the flash memory and you will lose all key's that was on the device.***
+
+Testing Gnuk
+============
+Type following command to see if GnuPG detects the Gnuk token.
+```
+gpg --card-status
+```
+
+***See tests/README for functionality tests.***
+
+Personalize the Token, import keys, and change the password
+===========================================================
+You can personalize your token by putting in your information like: Name, Login and Language.
+
+The KDF setting needs to be enabled before any keys are imported into the Gnuk token. Once a key has been imported the KDF setting can't be changed until the token has been reset.
+
+***Note:*** That the factory user password is "123456" and admin password is "12345678". It is recommended to create your keys on your computer, and import them into the token. Gnuk supports key generation, but this feature is young and should be considered experimental.
+
+To configure your Gnuk token use the following command.
+```
+gpg --card-edit
+```
+
+For further details, please see documentation under doc.
+
+Firmware update
+===============
+See doc/note/firmware-update.
+
+How to debug
+============
+Ensure that you have arm-none-eabi-gdb installed and then you must configure and compile the Gnuk firmware with --enable-debug option. After flashing Gnuk debug firmware one will see two interfaces, one is CCID/ICCD device and the another is a virtual COM port.
+
+Open the virtual COM with the following command:
+```
+picocom /dev/ttyACM0
+```
+and you will see debug output of Gnuk firmware.
+
+You can now use GDB with the following command.
+```
+arm-none-eabi-gdb src/build/gnuk.elf
+```
+
+Inside GDB, we can connect OpenOCD by:
+```
+(gdb) target remote localhost:3333
+```
+
+You can see the output of PCSCD with the following command:
+```
+/usr/bin/pcscd --debug --foreground
+```
+
+You can also observe the traffic of the USB interface using "usbmon".
+
+USB vendor ID and product ID (USB device ID)
+============================================
+When you have a vendor ID and assign a product ID for Gnuk, edit the file GNUK_USB_DEVICE_ID and add an entry for yours. In this case, please contact Niibe, so that it is listed to the file in the official release of the source code.
+
+When you are modifing Gnuk and installing the binary to device, you should replace the vendor string and serial number to yours (in the file GNUK_USB_DEVICE_ID and SERIALNO of the script of src/configure), so that users can see it's not by original vendor, and it is modified version.
+
+FSIJ allows you to use USB device ID of FSIJ (234b:0000) for devices with Gnuk under one of following conditions:
+  * For everyone for experimental purpose:
+    - You must not distribute a binary with FSIJ's USB device ID, but must use the binary by yourself only for your experiment. Note that "Distributing binary" includes distributing a device which holds the binary.
+  * For general individuals:
+    - You must use your Gnuk device with a card serial number which is *not* by FSIJ. Easy one would be a card serial number generated by chip unique ID.
+  * For individuals with explicit permission from FSIJ.
+    - You should have an assigned card serial number by FSIJ, please use that number for your device.
+      (There a file 'GNUK_SERIAL_NUMBER' in the official release.)
+
+FSIJ could give companies or business entities "second source manufacturer" license to use USB device ID of FSIJ for devices with unmodified version of Gnuk, provided they support Free Software and respect users' freedom for computing. Please ask FSIJ for the license.
+
+Otherwise, companies which want to distribute Gnuk devices, please use your own USB vendor ID and product ID.  Please replace vendor string and possibly product string to yours, when you modify Gnuk.

THANKS

@@ -1,23 +0,0 @@
-							-*- coding: utf-8 -*-
-
-We would like to express our gratitudes to Werner Koch for GnuPG, and
-Giovanni Di Sirio for ChibiOS/RT.
-
-Gnuk was originally written by NIIBE Yutaka.  People contributed by
-encouraging the development, testing the implementation, suggesting
-improvements, or fixing bugs.  Here is a list of those people.
-
-Achim Pietig		achim@pietig.com
-Andre Zepezauer		andre.zepezauer@student.uni-halle.de
-Hironobu SUZUKI		hironobu@h2np.net
-Jan Suhr		jan@suhr.info
-Kaz Kojima		kkojima@rr.iij4u.or.jp
-Ludovic Rousseau	ludovic.rousseau@free.fr
-Luis Felipe R. Murillo	luisfelipe@ucla.edu
-MATSUU Takuto		matsuu@gentoo.org
-NAGAMI Takeshi		nagami-takeshi@aist.go.jp
-Nguyễn Hồng Quân	quannguyen@mbm.vn
-Paul Bakker		polarssl_maintainer@polarssl.org
-Shane Coughlan		scoughlan@openinventionnetwork.com
-Vasily Evseenko
-Werner Koch		wk@gnupg.org

VERSION

@@ -1 +1 @@
-release/1.1.3
+release/1.2.20

boards/CQ_STARM/board.c

@@ -1,10 +0,0 @@
-#include "config.h"
-#include "ch.h"
-#include "hal.h"
-
-/*
- * Board-specific initialization code.
- */
-void boardInit(void)
-{
-}

boards/CQ_STARM/board.h

@@ -1,163 +0,0 @@
-/*
-    ChibiOS/RT - Copyright (C) 2006,2007,2008,2009,2010 Giovanni Di Sirio.
-
-    This file is part of ChibiOS/RT.
-
-    ChibiOS/RT is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
-
-    ChibiOS/RT is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-                                      ---
-
-    A special exception to the GPL can be applied should you wish to distribute
-    a combined work that includes ChibiOS/RT, without being obliged to provide
-    the source code for any proprietary components. See the file exception.txt
-    for full details of how and when the exception can be applied.
-*/
-
-#ifndef _BOARD_H_
-#define _BOARD_H_
-
-/*
- * Setup for the CQ STARM board.
- */
-#undef	SET_USB_CONDITION		/* No functionality to disconnect USB */
-#define	SET_LED_CONDITION(on) on	/* To emit light, call palSetPad */
-#define GPIO_LED	GPIOC_LED
-#define IOPORT_LED	GPIOC
-
-/*
- * Board identifier.
- */
-#define BOARD_CQ_STARM
-#define BOARD_NAME "CQ STARM"
-
-/*
- * Board frequencies.
- */
-#define STM32_LSECLK            32768
-#define STM32_HSECLK            8000000
-
-/*
- * MCU type, this macro is used by both the ST library and the ChibiOS/RT
- * native STM32 HAL.
- */
-#define STM32F10X_MD
-
-/*
- * IO pins assignments.
- */
-#define GPIOC_LED               6
-
-#if 0
-#define GPIOA_BUTTON            0
-#define GPIOA_SPI1NSS           4
-
-#define GPIOB_SPI2NSS           12
-#define GPIOC_MMCWP             6
-#define GPIOC_MMCCP             7
-#define GPIOC_CANCNTL           10
-#define GPIOC_DISC              11
-#endif
-
-/*
- * I/O ports initial setup, this configuration is established soon after reset
- * in the initialization code.
- *
- * The digits have the following meaning:
- *   0 - Analog input.
- *   1 - Push Pull output 10MHz.
- *   2 - Push Pull output 2MHz.
- *   3 - Push Pull output 50MHz.
- *   4 - Digital input.
- *   5 - Open Drain output 10MHz.
- *   6 - Open Drain output 2MHz.
- *   7 - Open Drain output 50MHz.
- *   8 - Digital input with PullUp or PullDown resistor depending on ODR.
- *   9 - Alternate Push Pull output 10MHz.
- *   A - Alternate Push Pull output 2MHz.
- *   B - Alternate Push Pull output 50MHz.
- *   C - Reserved.
- *   D - Alternate Open Drain output 10MHz.
- *   E - Alternate Open Drain output 2MHz.
- *   F - Alternate Open Drain output 50MHz.
- * Please refer to the STM32 Reference Manual for details.
- */
-
-/*
- * Port A setup.
- * Everything input with pull-up except:
- * PA4  - Normal input      (ADC_IN4 : VoutX of LIS344ALH).
- * PA5  - Alternate output  (MMC SPI1 SCK).
- * PA6  - Normal input      (MMC SPI1 MISO).
- * PA7  - Alternate output  (MMC SPI1 MOSI).
- * PA11 - (USBDM)
- * PA12 - (USBDP)
- */
-#define VAL_GPIOACRL            0xB4B48888      /*  PA7...PA0 */
-#define VAL_GPIOACRH            0x88888888      /* PA15...PA8 */
-#define VAL_GPIOAODR            0xFFFFFFFF
-
-/*
- * Port B setup.
- * Everything input with pull-up except:
- * PB13 - Alternate output  (MMC SPI2 SCK).
- * PB14 - Normal input      (MMC SPI2 MISO).
- * PB15 - Alternate output  (MMC SPI2 MOSI).
- */
-#define VAL_GPIOBCRL            0x88888888      /*  PB7...PB0 */
-#define VAL_GPIOBCRH            0xB4B88888      /* PB15...PB8 */
-#define VAL_GPIOBODR            0xFFFFFFFF
-
-/*
- * Port C setup.
- * Everything input with pull-up except:
- * PC4  - Normal input      (ADC_IN14 : VoutY of LIS344ALH).
- * PC5  - Normal input      (ADC_IN15 : VoutZ of LIS344ALH).
- * PC6  - Push Pull output (LED).
- * (PC9  - SDCard CD)
- * (PC12 - SDCard CS)
- * PC14 - Normal input (XTAL).
- * PC15 - Normal input (XTAL).
- */
-#define VAL_GPIOCCRL            0x83448888      /*  PC7...PC0 */
-#define VAL_GPIOCCRH            0x44888888      /* PC15...PC8 */
-#define VAL_GPIOCODR            0xFFFFFFFF
-
-/*
- * Port D setup.
- * Everything input with pull-up except:
- * (PD9 - USB_DC)
- */
-#define VAL_GPIODCRL            0x88888888      /*  PD7...PD0 */
-#define VAL_GPIODCRH            0x88888888      /* PD15...PD8 */
-#define VAL_GPIODODR            0xFFFFFFFF
-
-/*
- * Port E setup.
- * Everything input with pull-up except:
- */
-#define VAL_GPIOECRL            0x88888888      /*  PE7...PE0 */
-#define VAL_GPIOECRH            0x88888888      /* PE15...PE8 */
-#define VAL_GPIOEODR            0xFFFFFFFF
-
-#if !defined(_FROM_ASM_)
-#ifdef __cplusplus
-extern "C" {
-#endif
-  void boardInit(void);
-#ifdef __cplusplus
-}
-#endif
-#endif /* _FROM_ASM_ */
-
-#endif /* _BOARD_H_ */

boards/CQ_STARM/mcuconf.h

@@ -1,14 +0,0 @@
-/*
- * HAL driver system settings.
- */
-#define STM32_SW                    STM32_SW_PLL
-#define STM32_PLLSRC                STM32_PLLSRC_HSE
-#define STM32_PLLXTPRE              STM32_PLLXTPRE_DIV1
-#define STM32_PLLMUL_VALUE          9
-#define STM32_HPRE                  STM32_HPRE_DIV1
-#define STM32_PPRE1                 STM32_PPRE1_DIV2
-#define STM32_PPRE2                 STM32_PPRE2_DIV1
-#define STM32_ADCPRE                STM32_ADCPRE_DIV6
-#define STM32_RTCSEL                STM32_RTCSEL_NOCLOCK
-
-#include "mcuconf-common.h"

boards/STBEE_MINI/board.c

@@ -1,151 +0,0 @@
-#include "config.h"
-#include "ch.h"
-#include "hal.h"
-
-/*
- * Board-specific initialization code.
- */
-void boardInit(void)
-{
-#if !defined(DFU_SUPPORT)
-  if (palReadPad (IOPORT3, GPIOC_BUTTON) == 0)
-    /*
-     * Since LEDs are connected to JTMS/SWDIO and JTDI pin,
-     * we can't use LED to let know users in this state.
-     */
-    for (;;);		       /* Wait for JTAG debugger connection */
-#endif
-
-#if defined(PINPAD_SUPPORT) && !defined(DFU_SUPPORT)
-  palWritePort(IOPORT2, 0x7fff); /* Only clear GPIOB_7SEG_DP */
-  while (palReadPad (IOPORT2, GPIOB_BUTTON) != 0)
-    ;				/* Wait for JTAG debugger connection */
-  palWritePort(IOPORT2, 0xffff); /* All set */
-#endif
-
-#if defined(PINPAD_CIR_SUPPORT)
-  /* EXTI0 <= PB0 */
-  AFIO->EXTICR[0] = AFIO_EXTICR1_EXTI0_PB;
-  EXTI->IMR = 0;
-  EXTI->FTSR = EXTI_FTSR_TR0;
-  NVICEnableVector(EXTI0_IRQn,
-		   CORTEX_PRIORITY_MASK(CORTEX_MINIMUM_PRIORITY));
-
-  /* TIM3 */
-  RCC->APB1ENR |= RCC_APB1ENR_TIM3EN;
-  RCC->APB1RSTR = RCC_APB1RSTR_TIM3RST;
-  RCC->APB1RSTR = 0;
-  NVICEnableVector(TIM3_IRQn,
-		   CORTEX_PRIORITY_MASK(CORTEX_MINIMUM_PRIORITY));
-  TIM3->CR1 = TIM_CR1_URS | TIM_CR1_ARPE; /* Don't enable TIM3 for now */
-  TIM3->CR2 = TIM_CR2_TI1S;
-  TIM3->SMCR = TIM_SMCR_TS_0 | TIM_SMCR_TS_2 | TIM_SMCR_SMS_2;
-  TIM3->DIER = 0;		/* Disable interrupt for now */
-  TIM3->CCMR1 = TIM_CCMR1_CC1S_0 | TIM_CCMR1_IC1F_0 | TIM_CCMR1_IC1F_3
-    | TIM_CCMR1_CC2S_1 | TIM_CCMR1_IC2F_0 | TIM_CCMR1_IC2F_3;
-  TIM3->CCMR2 = 0;
-  TIM3->CCER =  TIM_CCER_CC1E | TIM_CCER_CC2E | TIM_CCER_CC2P;
-  TIM3->PSC = 72 - 1;		/* 1 MHz */
-  TIM3->ARR = 18000;		/* 18 ms */
-  /* Generate UEV to upload PSC and ARR */
-  TIM3->EGR = TIM_EGR_UG;	
-#elif defined(PINPAD_DIAL_SUPPORT)
-  /* EXTI2 <= PB2 */
-  AFIO->EXTICR[0] = AFIO_EXTICR1_EXTI2_PB;
-  EXTI->IMR = 0;
-  EXTI->FTSR = EXTI_FTSR_TR2;
-  NVICEnableVector(EXTI2_IRQn,
-		   CORTEX_PRIORITY_MASK(CORTEX_MINIMUM_PRIORITY));
-
-  /* TIM4 */
-  RCC->APB1ENR |= RCC_APB1ENR_TIM4EN;
-  RCC->APB1RSTR = RCC_APB1RSTR_TIM4RST;
-  RCC->APB1RSTR = 0;
-
-  TIM4->CR1 = TIM_CR1_URS |  TIM_CR1_ARPE | TIM_CR1_CKD_1;
-  TIM4->CR2 = 0;
-  TIM4->SMCR = TIM_SMCR_SMS_0;
-  TIM4->DIER = 0;		/* no interrupt */
-  TIM4->CCMR1 = TIM_CCMR1_CC1S_0 | TIM_CCMR1_CC2S_0
-    | TIM_CCMR1_IC1F_0 | TIM_CCMR1_IC1F_1 | TIM_CCMR1_IC1F_2 | TIM_CCMR1_IC1F_3
-    | TIM_CCMR1_IC2F_0 | TIM_CCMR1_IC2F_1 | TIM_CCMR1_IC2F_2 | TIM_CCMR1_IC2F_3;
-  TIM4->CCMR2 = 0;
-  TIM4->CCER = 0;
-  TIM4->PSC = 0;
-  TIM4->ARR = 31;
-  /* Generate UEV to upload PSC and ARR	 */
-  TIM4->EGR = TIM_EGR_UG;
-#endif
-  /*
-   * Disable JTAG and SWD, done after hwinit1_common as HAL resets AFIO
-   */
-  AFIO->MAPR |= AFIO_MAPR_SWJ_CFG_DISABLE;
-  /* We use LED2 as optional "error" indicator */
-  palSetPad (IOPORT1, GPIOA_LED2);
-}
-
-#if defined(PINPAD_CIR_SUPPORT)
-void
-cir_ext_disable (void)
-{
-  EXTI->PR = EXTI_PR_PR0;
-  EXTI->IMR &= ~EXTI_IMR_MR0;
-}
-
-void
-cir_ext_enable (void)
-{
-  EXTI->IMR |= EXTI_IMR_MR0;
-}
-
-extern void cir_ext_interrupt (void);
-extern void cir_timer_interrupt (void);
-
-CH_IRQ_HANDLER (EXTI0_IRQHandler)
-{
-  CH_IRQ_PROLOGUE ();
-  chSysLockFromIsr ();
-
-  cir_ext_interrupt ();
-
-  chSysUnlockFromIsr ();
-  CH_IRQ_EPILOGUE ();
-}
-
-CH_IRQ_HANDLER (TIM3_IRQHandler)
-{
-  CH_IRQ_PROLOGUE();
-  chSysLockFromIsr();
-
-  cir_timer_interrupt ();
-
-  chSysUnlockFromIsr();
-  CH_IRQ_EPILOGUE();
-}
-#elif defined(PINPAD_DIAL_SUPPORT)
-void
-dial_sw_disable (void)
-{
-  EXTI->PR = EXTI_PR_PR2;
-  EXTI->IMR &= ~EXTI_IMR_MR2;
-}
-
-void
-dial_sw_enable (void)
-{
-  EXTI->IMR |= EXTI_IMR_MR2;
-}
-
-extern void dial_sw_interrupt (void);
-
-CH_IRQ_HANDLER (EXTI2_IRQHandler)
-{
-  CH_IRQ_PROLOGUE ();
-  chSysLockFromIsr ();
-
-  dial_sw_interrupt ();
-
-  chSysUnlockFromIsr ();
-  CH_IRQ_EPILOGUE ();
-}
-#endif

boards/STBEE_MINI/board.h

@@ -1,205 +0,0 @@
-/*
-    ChibiOS/RT - Copyright (C) 2006,2007,2008,2009,2010 Giovanni Di Sirio.
-
-    This file is part of ChibiOS/RT.
-
-    ChibiOS/RT is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
-
-    ChibiOS/RT is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-                                      ---
-
-    A special exception to the GPL can be applied should you wish to distribute
-    a combined work that includes ChibiOS/RT, without being obliged to provide
-    the source code for any proprietary components. See the file exception.txt
-    for full details of how and when the exception can be applied.
-*/
-
-#ifndef _BOARD_H_
-#define _BOARD_H_
-
-#include "config.h"
-/*
- * Setup for the STBee Mini board.
- */
-#define	SET_USB_CONDITION(en) (en)	/* To connect USB, call palSetPad */
-#define	SET_LED_CONDITION(on) (!on)	/* To emit light, call palClearPad */
-#define GPIO_USB	GPIOA_USB_ENABLE
-#define IOPORT_USB	GPIOA
-#define GPIO_LED	GPIOA_LED1
-#define IOPORT_LED	GPIOA
-
-#define NEUG_ADC_SETTING2_SMPR1 0
-#define NEUG_ADC_SETTING2_SMPR2 ADC_SMPR2_SMP_AN1(ADC_SAMPLE_1P5)    \
-                              | ADC_SMPR2_SMP_AN2(ADC_SAMPLE_1P5)
-#define NEUG_ADC_SETTING2_SQR3  ADC_SQR3_SQ1_N(ADC_CHANNEL_IN1)      \
-                              | ADC_SQR3_SQ2_N(ADC_CHANNEL_IN2)
-#define NEUG_ADC_SETTING2_NUM_CHANNELS 2
-
-/*
- * Board identifier.
- */
-#define BOARD_STBEE_MINI
-#define BOARD_NAME "STBee Mini"
-
-#if defined(PINPAD_CIR_SUPPORT) || defined(PINPAD_DIAL_SUPPORT)
-#define HAVE_7SEGLED	1
-/*
- * Timer assignment for CIR
- */
-#define TIMx	TIM3
-#endif
-
-/*
- * Board frequencies.
- */
-#define STM32_LSECLK            32768
-#define STM32_HSECLK            12000000
-
-/*
- * MCU type, this macro is used by both the ST library and the ChibiOS/RT
- * native STM32 HAL.
- */
-#define STM32F10X_MD
-
-/*
- * IO pins assignments.
- */
-#define GPIOA_LED1              13
-#define GPIOA_USB_ENABLE        14
-#define GPIOA_LED2              15
-
-#define GPIOC_BUTTON            13
-
-/*
- * I/O ports initial setup, this configuration is established soon after reset
- * in the initialization code.
- *
- * The digits have the following meaning:
- *   0 - Analog input.
- *   1 - Push Pull output 10MHz.
- *   2 - Push Pull output 2MHz.
- *   3 - Push Pull output 50MHz.
- *   4 - Digital input.
- *   5 - Open Drain output 10MHz.
- *   6 - Open Drain output 2MHz.
- *   7 - Open Drain output 50MHz.
- *   8 - Digital input with PullUp or PullDown resistor depending on ODR.
- *   9 - Alternate Push Pull output 10MHz.
- *   A - Alternate Push Pull output 2MHz.
- *   B - Alternate Push Pull output 50MHz.
- *   C - Reserved.
- *   D - Alternate Open Drain output 10MHz.
- *   E - Alternate Open Drain output 2MHz.
- *   F - Alternate Open Drain output 50MHz.
- * Please refer to the STM32 Reference Manual for details.
- */
-
-#if defined(PINPAD_CIR_SUPPORT) || defined(PINPAD_DIAL_SUPPORT)
-/*
- * Port A setup.
- * PA1  - Digital input with PullUp.  AN1 for NeuG
- * PA2  - Digital input with PullUp.  AN2 for NeuG
- * PA6  - (TIM3_CH1) input with pull-up
- * PA7  - (TIM3_CH2) input with pull-down
- * PA11 - input with pull-up (USBDM)
- * PA12 - input with pull-up (USBDP)
- * Everything input with pull-up except:
- * PA13 - Open Drain output (LED1 0:ON 1:OFF)
- * PA14 - Push pull output  (USB ENABLE 0:DISABLE 1:ENABLE)
- * PA15 - Open Drain output (LED2 0:ON 1:OFF)
- */
-#define VAL_GPIOACRL            0x88888888      /*  PA7...PA0 */
-#define VAL_GPIOACRH            0x63688888      /* PA15...PA8 */
-#define VAL_GPIOAODR            0xFFFFFF7F
-
-/* Port B setup. */
-#define GPIOB_CIR		0
-#define GPIOB_BUTTON            2
-#define GPIOB_ROT_A             6
-#define GPIOB_ROT_B             7
-
-#define GPIOB_7SEG_DP           15
-#define GPIOB_7SEG_A            14
-#define GPIOB_7SEG_B            13
-#define GPIOB_7SEG_C            12
-#define GPIOB_7SEG_D            11
-#define GPIOB_7SEG_E            10
-#define GPIOB_7SEG_F            9
-#define GPIOB_7SEG_G            8
-
-#define VAL_GPIOBCRL            0x88888888      /*  PB7...PB0 */
-#define VAL_GPIOBCRH            0x66666666      /* PB15...PB8 */
-#define VAL_GPIOBODR            0xFFFFFFFF
-#else
-/*
- * Port A setup.
- * PA1  - Digital input with PullUp.  AN1 for NeuG
- * PA2  - Digital input with PullUp.  AN2 for NeuG
- * PA11 - input with pull-up (USBDM)
- * PA12 - input with pull-up (USBDP)
- * Everything input with pull-up except:
- * PA13 - Open Drain output (LED1 0:ON 1:OFF)
- * PA14 - Push pull output  (USB ENABLE 0:DISABLE 1:ENABLE)
- * PA15 - Open Drain output (LED2 0:ON 1:OFF)
- */
-#define VAL_GPIOACRL            0x88888888      /*  PA7...PA0 */
-#define VAL_GPIOACRH            0x63688888      /* PA15...PA8 */
-#define VAL_GPIOAODR            0xFFFFFFFF
-
-/* Port B setup. */
-/* Everything input with pull-up */
-#define VAL_GPIOBCRL            0x88888888      /*  PB7...PB0 */
-#define VAL_GPIOBCRH            0x88888888      /* PB15...PB8 */
-#define VAL_GPIOBODR            0xFFFFFFFF
-#endif
-
-/*
- * Port C setup.
- * Everything input with pull-up except:
- * PC13 - Normal input.
- * PC14 - Normal input.
- * PC15 - Normal input.
- */
-#define VAL_GPIOCCRL            0x88888888      /*  PC7...PC0 */
-#define VAL_GPIOCCRH            0x44488888      /* PC15...PC8 */
-#define VAL_GPIOCODR            0xFFFFFFFF
-
-/*
- * Port D setup.
- * Everything input with pull-up except:
- * PD0  - Normal input (XTAL).
- * PD1  - Normal input (XTAL).
- */
-#define VAL_GPIODCRL            0x88888844      /*  PD7...PD0 */
-#define VAL_GPIODCRH            0x88888888      /* PD15...PD8 */
-#define VAL_GPIODODR            0xFFFFFFFF
-
-/*
- * Port E setup.
- * Everything input with pull-up except:
- */
-#define VAL_GPIOECRL            0x88888888      /*  PE7...PE0 */
-#define VAL_GPIOECRH            0x88888888      /* PE15...PE8 */
-#define VAL_GPIOEODR            0xFFFFFFFF
-
-#if !defined(_FROM_ASM_)
-#ifdef __cplusplus
-extern "C" {
-#endif
-  void boardInit(void);
-#ifdef __cplusplus
-}
-#endif
-#endif /* _FROM_ASM_ */
-
-#endif /* _BOARD_H_ */

boards/STBEE_MINI/mcuconf.h

@@ -1,14 +0,0 @@
-/*
- * HAL driver system settings.
- */
-#define STM32_SW                    STM32_SW_PLL
-#define STM32_PLLSRC                STM32_PLLSRC_HSE
-#define STM32_PLLXTPRE              STM32_PLLXTPRE_DIV1
-#define STM32_PLLMUL_VALUE          6
-#define STM32_HPRE                  STM32_HPRE_DIV1
-#define STM32_PPRE1                 STM32_PPRE1_DIV2
-#define STM32_PPRE2                 STM32_PPRE2_DIV1
-#define STM32_ADCPRE                STM32_ADCPRE_DIV6
-#define STM32_RTCSEL                STM32_RTCSEL_NOCLOCK
-
-#include "mcuconf-common.h"

boards/STM32_PRIMER2/board.c

@@ -1,15 +0,0 @@
-#include "config.h"
-#include "ch.h"
-#include "hal.h"
-
-/*
- * Board-specific initialization code.
- */
-void boardInit(void)
-{
-  /*
-   * Clear LED and SHUTDOWN output.
-   */
-  palClearPad (IOPORT5, GPIOE_LED);
-  palClearPad (IOPORT3, GPIOC_SHUTDOWN);
-}

boards/STM32_PRIMER2/board.h

@@ -1,175 +0,0 @@
-/*
-    ChibiOS/RT - Copyright (C) 2006,2007,2008,2009,2010 Giovanni Di Sirio.
-
-    This file is part of ChibiOS/RT.
-
-    ChibiOS/RT is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
-
-    ChibiOS/RT is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-                                      ---
-
-    A special exception to the GPL can be applied should you wish to distribute
-    a combined work that includes ChibiOS/RT, without being obliged to provide
-    the source code for any proprietary components. See the file exception.txt
-    for full details of how and when the exception can be applied.
-*/
-
-#ifndef _BOARD_H_
-#define _BOARD_H_
-
-/*
- * Setup for the STM32 Primer2.
- */
-#define	SET_USB_CONDITION(en) (!en)	/* To connect USB, call palClearPad */
-#define	SET_LED_CONDITION(on) (!on)	/* To emit light, call palClearPad */
-#define GPIO_USB	GPIOD_DISC
-#define IOPORT_USB	GPIOD
-#define GPIO_LED	GPIOE_LEDR
-#define IOPORT_LED	GPIOE
-
-/* NeuG settings for ADC2.  */
-
-/*
- * Board identifier.
- */
-#define BOARD_STM32_PRIMER2
-#define BOARD_NAME "STM32 Primer2"
-
-/*
- * Board frequencies.
- */
-#define STM32_LSECLK            32768
-#define STM32_HSECLK            12000000
-
-/*
- * MCU type, this macro is used by both the ST library and the ChibiOS/RT
- * native STM32 HAL.
- */
-#define STM32F10X_MD
-
-/*
- * IO pins assignments.
- */
-#define GPIOA_BUTTON            8
-#define GPIOC_SHUTDOWN		13
-#define GPIOD_DISC              3
-#define GPIOE_LED               0
-#define GPIOE_LEDR		1
-
-/*
- * I/O ports initial setup, this configuration is established soon after reset
- * in the initialization code.
- *
- * The digits have the following meaning:
- *   0 - Analog input.
- *   1 - Push Pull output 10MHz.
- *   2 - Push Pull output 2MHz.
- *   3 - Push Pull output 50MHz.
- *   4 - Digital input.
- *   5 - Open Drain output 10MHz.
- *   6 - Open Drain output 2MHz.
- *   7 - Open Drain output 50MHz.
- *   8 - Digital input with PullUp or PullDown resistor depending on ODR.
- *   9 - Alternate Push Pull output 10MHz.
- *   A - Alternate Push Pull output 2MHz.
- *   B - Alternate Push Pull output 50MHz.
- *   C - Reserved.
- *   D - Alternate Open Drain output 10MHz.
- *   E - Alternate Open Drain output 2MHz.
- *   F - Alternate Open Drain output 50MHz.
- * Please refer to the STM32 Reference Manual for details.
- */
-
-/*
- * Port A setup.
- * Everything input with pull-up except:
- * PA0  - Digital input with PullUp.  AN0
- * PA1  - Digital input with PullUp.  AN1
- * PA2  - Alternate output  (USART2 TX).
- * PA3  - Normal input      (USART2 RX).
- * PA8  - Input with pull-down (PBUTTON).
- */
-#define VAL_GPIOACRL            0x88884B88      /*  PA7...PA0 */
-#define VAL_GPIOACRH            0x88888888      /* PA15...PA8 */
-#define VAL_GPIOAODR            0xFFFFFEFF
-
-/*
- * Port B setup.
- * Everything input with pull-up except:
- * PB13 - Alternate output  (AUDIO SPI2 SCK).
- * PB14 - Normal input      (AUDIO SPI2 MISO).
- * PB15 - Alternate output  (AUDIO SPI2 MOSI).
- */
-#define VAL_GPIOBCRL            0x88888888      /*  PB7...PB0 */
-#define VAL_GPIOBCRH            0xB4B88888      /* PB15...PB8 */
-#define VAL_GPIOBODR            0xFFFFFFFF
-
-/*
- * Port C setup.
- * Everything input with pull-up except:
- * PC6  - Normal input because there is an external resistor.
- * PC7  - Normal input because there is an external resistor.
- * PC13 - Push Pull output (SHUTDOWN)
- */
-#define VAL_GPIOCCRL            0x44888888      /*  PC7...PC0 */
-#define VAL_GPIOCCRH            0x88388888      /* PC15...PC8 */
-#define VAL_GPIOCODR            0xFFFFFFFF
-
-/*
- * Port D setup.
- * Everything input with pull-up except:
- * PD3  - Push Pull output (USB_DISCONNECT)
- */
-#define VAL_GPIODCRL            0x88883888      /*  PD7...PD0 */
-#define VAL_GPIODCRH            0x88888888      /* PD15...PD8 */
-#define VAL_GPIODODR            0xFFFFFFFF
-
-/*
- * Port E setup.
- * Everything input with pull-up except:
- * PE0  - Push Pull output (LED0).
- * PD1  - Push Pull output (LED1).
- */
-#define VAL_GPIOECRL            0x88888833      /*  PE7...PE0 */
-#define VAL_GPIOECRH            0x88888888      /* PE15...PE8 */
-#define VAL_GPIOEODR            0xFFFFFFFF
-
-#if 0
-/*
- * Port F setup.
- * Everything input with pull-up except:
- */
-#define VAL_GPIOFCRL            0x88888888      /*  PF7...PF0 */
-#define VAL_GPIOFCRH            0x88888888      /* PF15...PF8 */
-#define VAL_GPIOFODR            0xFFFFFFFF
-
-/*
- * Port G setup.
- * Everything input with pull-up except:
- */
-#define VAL_GPIOGCRL            0x88888888      /*  PG7...PG0 */
-#define VAL_GPIOGCRH            0x88888888      /* PG15...PG8 */
-#define VAL_GPIOGODR            0xFFFFFFFF
-#endif
-
-#if !defined(_FROM_ASM_)
-#ifdef __cplusplus
-extern "C" {
-#endif
-  void boardInit(void);
-#ifdef __cplusplus
-}
-#endif
-#endif /* _FROM_ASM_ */
-
-#endif /* _BOARD_H_ */

boards/STM32_PRIMER2/mcuconf.h

@@ -1,14 +0,0 @@
-/*
- * HAL driver system settings.
- */
-#define STM32_SW                    STM32_SW_PLL
-#define STM32_PLLSRC                STM32_PLLSRC_HSE
-#define STM32_PLLXTPRE              STM32_PLLXTPRE_DIV2
-#define STM32_PLLMUL_VALUE          12
-#define STM32_HPRE                  STM32_HPRE_DIV1
-#define STM32_PPRE1                 STM32_PPRE1_DIV2
-#define STM32_PPRE2                 STM32_PPRE2_DIV1
-#define STM32_ADCPRE                STM32_ADCPRE_DIV6
-#define STM32_RTCSEL                STM32_RTCSEL_NOCLOCK
-
-#include "mcuconf-common.h"

boards/common/board-common.c

@@ -1,69 +0,0 @@
-/*
-    ChibiOS/RT - Copyright (C) 2006,2007,2008,2009,2010 Giovanni Di Sirio.
-
-    This file is part of ChibiOS/RT.
-
-    ChibiOS/RT is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
-
-    ChibiOS/RT is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-                                      ---
-
-    A special exception to the GPL can be applied should you wish to distribute
-    a combined work that includes ChibiOS/RT, without being obliged to provide
-    the source code for any proprietary components. See the file exception.txt
-    for full details of how and when the exception can be applied.
-*/
-
-#include "ch.h"
-#include "hal.h"
-#include "config.h"
-
-/**
- * @brief   PAL setup.
- * @details Digital I/O ports static configuration as defined in @p board.h.
- *          This variable is used by the HAL when initializing the PAL driver.
- */
-#if HAL_USE_PAL || defined(__DOXYGEN__)
-const PALConfig pal_default_config =
-{
-  {VAL_GPIOAODR, VAL_GPIOACRL, VAL_GPIOACRH},
-  {VAL_GPIOBODR, VAL_GPIOBCRL, VAL_GPIOBCRH},
-  {VAL_GPIOCODR, VAL_GPIOCCRL, VAL_GPIOCCRH},
-  {VAL_GPIODODR, VAL_GPIODCRL, VAL_GPIODCRH},
-  {VAL_GPIOEODR, VAL_GPIOECRL, VAL_GPIOECRH},
-#if defined(STM32F10X_HD)
-  {VAL_GPIOFODR, VAL_GPIOFCRL, VAL_GPIOFCRH},
-  {VAL_GPIOGODR, VAL_GPIOGCRL, VAL_GPIOGCRH},
-#endif
-};
-#endif
-
-/*
- * Early initialization code.
- * This initialization must be performed just after stack setup and before
- * any other initialization.
- */
-void
-__early_init(void)
-{
-  stm32_clock_init();
-}
-
-const uint8_t *
-unique_device_id (void)
-{
-  /* STM32F103 has 96-bit unique device identifier */
-  const uint8_t *addr = (const uint8_t *)0x1ffff7e8;
-
-  return addr;
-}

boards/common/mcuconf-common.h

@@ -1,116 +0,0 @@
-/*
-    ChibiOS/RT - Copyright (C) 2006,2007,2008,2009,2010 Giovanni Di Sirio.
-
-    This file is part of ChibiOS/RT.
-
-    ChibiOS/RT is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 3 of the License, or
-    (at your option) any later version.
-
-    ChibiOS/RT is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-                                      ---
-
-    A special exception to the GPL can be applied should you wish to distribute
-    a combined work that includes ChibiOS/RT, without being obliged to provide
-    the source code for any proprietary components. See the file exception.txt
-    for full details of how and when the exception can be applied.
-*/
-
-/*
- * STM32 drivers configuration.
- * The following settings override the default settings present in
- * the various device driver implementation headers.
- * Note that the settings for each driver only have effect if the driver
- * is enabled in halconf.h.
- *
- * IRQ priorities:
- * 15...0       Lowest...Highest.
- *
- * DMA priorities:
- * 0...3        Lowest...Highest.
- */
-
-/*
- * HAL driver system settings.
- */
-#define STM32_NO_INIT                       FALSE
-#define STM32_HSI_ENABLED                   TRUE
-#define STM32_LSI_ENABLED                   FALSE
-#define STM32_HSE_ENABLED                   TRUE
-#define STM32_LSE_ENABLED                   FALSE
-#define STM32_USB_CLOCK_REQUIRED            TRUE
-#define STM32_USBPRE                        STM32_USBPRE_DIV1P5
-#define STM32_MCOSEL                        STM32_MCOSEL_NOCLOCK
-#define STM32_PVD_ENABLE                    FALSE
-#define STM32_PLS                           STM32_PLS_LEV0
-
-/*
- * ADC driver system settings.
- */
-#define USE_STM32_ADC1              TRUE
-#define STM32_ADC1_DMA_PRIORITY     3
-#define STM32_ADC1_IRQ_PRIORITY     5
-#define STM32_ADC1_DMA_ERROR_HOOK() chSysHalt()
-
-/*
- * CAN driver system settings.
- */
-#define USE_STM32_CAN1              FALSE
-#define STM32_CAN1_IRQ_PRIORITY     11
-
-/*
- * PWM driver system settings.
- */
-#define USE_STM32_PWM1              FALSE
-#define USE_STM32_PWM2              FALSE
-#define USE_STM32_PWM3              FALSE
-#define USE_STM32_PWM4              FALSE
-#define STM32_PWM1_IRQ_PRIORITY     7
-#define STM32_PWM2_IRQ_PRIORITY     7
-#define STM32_PWM3_IRQ_PRIORITY     7
-#define STM32_PWM4_IRQ_PRIORITY     7
-
-/*
- * SERIAL driver system settings.
- */
-#define USE_STM32_USART1            FALSE
-#define USE_STM32_USART2            FALSE
-#define USE_STM32_USART3            FALSE
-#if defined(STM32F10X_HD) || defined(STM32F10X_CL)
-#define USE_STM32_UART4             FALSE
-#define USE_STM32_UART5             FALSE
-#endif
-#define STM32_USART1_PRIORITY       12
-#define STM32_USART2_PRIORITY       12
-#define STM32_USART3_PRIORITY       12
-#if defined(STM32F10X_HD) || defined(STM32F10X_CL)
-#define STM32_UART4_PRIORITY        12
-#define STM32_UART5_PRIORITY        12
-#endif
-
-/*
- * SPI driver system settings.
- */
-#define USE_STM32_SPI1              FALSE
-#define USE_STM32_SPI2              FALSE
-#define STM32_SPI1_DMA_PRIORITY     2
-#define STM32_SPI2_DMA_PRIORITY     2
-#define STM32_SPI1_IRQ_PRIORITY     10
-#define STM32_SPI2_IRQ_PRIORITY     10
-#define STM32_SPI1_DMA_ERROR_HOOK() chSysHalt()
-
-/*
- * USB driver system settings.
- */
-#define STM32_USB_USE_USB1                  TRUE
-#define STM32_USB_LOW_POWER_ON_SUSPEND      FALSE
-#define STM32_USB_USB1_HP_IRQ_PRIORITY      6
-#define STM32_USB_USB1_LP_IRQ_PRIORITY      14

doc/conf.py

@@ -25,7 +25,7 @@ import sys, os
 
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.pngmath', 'sphinx.ext.mathjax', 'sphinx.ext.viewcode']
+extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.viewcode']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']

doc/development.rst

@@ -22,34 +22,29 @@ tool/stlinkv2.py.
 OpenOCD
 -------
 
-For JTAG/SWD debugger, we can use OpenOCD somehow.
-
-Note that ST-Link/V2 was *not* supported by OpenOCD 0.5.0.
-
-It is supported by version 0.6 or later somehow, but still, you can't
-enable protection of flash ROM with OpenOCD using ST-Link/V2.
+For JTAG/SWD debugger, we can use OpenOCD.
 
 
 GNU Toolchain
 -------------
 
 You need GNU toolchain and newlib for 'arm-none-eabi' target.
+In Debian, we can just apt-get packages of: gcc-arm-none-eabi, binutils-arm-none-eabi, gdb-arm-none-eabi and libnewlib-arm-none-eabi. 
 
-There is "gcc-arm-embedded" project.  See:
+For other distributiions, there is "gcc-arm-embedded" project.  See:
 https://launchpad.net/gcc-arm-embedded/
 
-It is based on GCC 4.8 (as of December, 2013).  We are using "-O3 -Os"
-for compiler option.
+We are using "-O3 -Os" for compiler option.
 
 
 Building Gnuk
 -------------
 
-Change directory to ``src``:
+Change directory to ``src``: ::
 
   $ cd gnuk-VERSION/src
 
-Then, run ``configure``:
+Then, run ``configure``: ::
 
   $ ./configure --vidpid=<VID:PID>
 
@@ -57,8 +52,14 @@ Here, you need to specify USB vendor ID and product ID.  For FSIJ's,
 it's: --vidpid=234b:0000 .  Please read the section 'USB vendor ID and
 product ID' in README.
 
-Type:
+Type: ::
 
   $ make
 
 Then, we will have "gnuk.elf" under src/build directory.
+
+If you are not the authorized vendor, please never distribute this
+file of "gnuk.elf", which includes VID:PID in the image.  If you would
+like to distribute the image (for example, to check if it's
+reproducible or not), the file "gnuk-no-vidpid.elf" is the one with no
+VID:PID.

doc/generating-2048-RSA-key.rst

@@ -1,313 +0,0 @@
-============================
-Generating 2048-bit RSA keys
-============================
-
-In this section, we describe how to generate 2048-bit RSA keys.
-
-
-Key length of RSA
-=================
-
-In 2005, NIST (National Institute of Standards and Technology, USA)
-has issued the first revision of NIST Special Publication 800-57, 
-"Recommendation for Key Management".
-
-In 800-57, NIST advises that 1024-bit RSA keys will no longer be
-viable after 2010 and advises moving to 2048-bit RSA keys.  NIST
-advises that 2048-bit keys should be viable until 2030.
-
-As of 2010, GnuPG's default for generating RSA key is 2048-bit.
-
-Some people have preference on RSA 4096-bit keys, considering
-"longer is better".
-
-However, "longer is better" is not always true.  When it's long, it
-requires more computational resource, memory and storage, and it
-consumes more power for nomal usages.  These days, many people has
-enough computational resource, that would be true, but less is better
-for power consumption.
-
-For security, the key length is just a single factor.  We had and will have
-algorithm issues, too.  It is true that it's difficult to update
-our public keys, but this problem wouldn't be solved by just have
-longer keys.
-
-We deliberately support only RSA 2048-bit keys for Gnuk, considering
-device computation power and host software constraints.
-
-Thus, the key size is 2048-bit in the examples below.
-
-
-Generating keys on host PC
-==========================
-
-Here is the example session to generate main key and a subkey for encryption.
-
-I invoke GnuPG with ``--gen-key`` option. ::
-
-  $ gpg --gen-key
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
-  This is free software: you are free to change and redistribute it.
-  There is NO WARRANTY, to the extent permitted by law.
-
-and GnuPG asks kind of key.  Select ``RSA and RSA``. ::
-
-  Please select what kind of key you want:
-     (1) RSA and RSA (default)
-     (2) DSA and Elgamal
-     (3) DSA (sign only)
-     (4) RSA (sign only)
-  Your selection? 1
-  RSA keys may be between 1024 and 4096 bits long.
-
-and select 2048-bit (as Gnuk Token only supports this). ::
-
-  What keysize do you want? (2048) 
-  Requested keysize is 2048 bits
-
-and select expiration of the key. ::
-
-  Please specify how long the key should be valid.
-           0 = key does not expire
-        <n>  = key expires in n days
-        <n>w = key expires in n weeks
-        <n>m = key expires in n months
-        <n>y = key expires in n years
-  Key is valid for? (0) 0
-  Key does not expire at all
-
-Confirm key types, bitsize and expiration. ::
-
-  Is this correct? (y/N) y
-
-Then enter user ID. ::
-
-  You need a user ID to identify your key; the software constructs the user ID
-  from the Real Name, Comment and Email Address in this form:
-      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
-  
-  Real name: Niibe Yutaka
-  Email address: gniibe@fsij.org
-  Comment: 
-  You selected this USER-ID:
-      "Niibe Yutaka <gniibe@fsij.org>"
-  
-  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
-
-and enter passphrase for this **key on host PC**.
-Note that this is a passphrase for the key on host PC.
-It is different thing to the passphrase of Gnuk Token.
-
-We enter two same inputs two times
-(once for passphrase input, and another for confirmation). ::
-
-  You need a Passphrase to protect your secret key.
-  <PASSWORD-KEY-ON-PC>
-
-Then, GnuPG generate keys.  It takes some time.  ::
-
-  We need to generate a lot of random bytes. It is a good idea to perform
-  some other action (type on the keyboard, move the mouse, utilize the
-  disks) during the prime generation; this gives the random number
-  generator a better chance to gain enough entropy.
-  ...+++++
-  +++++
-  We need to generate a lot of random bytes. It is a good idea to perform
-  some other action (type on the keyboard, move the mouse, utilize the
-  disks) during the prime generation; this gives the random number
-  generator a better chance to gain enough entropy.
-  ..+++++
-  
-  Not enough random bytes available.  Please do some other work to give
-  the OS a chance to collect more entropy! (Need 15 more bytes)
-  ...+++++
-  gpg: key 4CA7BABE marked as ultimately trusted
-  public and secret key created and signed.
-  
-  gpg: checking the trustdb
-  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
-  pub   2048R/4CA7BABE 2010-10-15
-        Key fingerprint = 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
-  uid                  Niibe Yutaka <gniibe@fsij.org>
-  sub   2048R/084239CF 2010-10-15
-  $ 
-
-Done.
-
-Then, we create authentication subkey.
-Authentication subkey is not that common,
-but very useful (for SSH authentication).
-As it is not that common, we need ``--expert`` option for GnuPG. ::
-
-  $ gpg --expert --edit-key 4CA7BABE
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
-  This is free software: you are free to change and redistribute it.
-  There is NO WARRANTY, to the extent permitted by law.
-  
-  Secret key is available.
-  
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: ultimate
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
-  
-  gpg> 
-
-Here, it displays that there are main key and a subkey.
-It prompts sub-command with ``gpg>`` .
-
-Here, we enter ``addkey`` sub-command.
-Then, we enter the passphrase of **key on host PC**.
-It's the one we entered above as <PASSWORD-KEY-ON-PC>. ::
-
-  gpg> addkey
-  Key is protected.
-    
-  You need a passphrase to unlock the secret key for
-  user: "Niibe Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
-  <PASSWORD-KEY-ON-PC>
-  gpg: gpg-agent is not available in this session
-
-GnuPG asks kind of key.  We select ``RSA (set your own capabilities)``. ::
-
-  Please select what kind of key you want:
-     (3) DSA (sign only)
-     (4) RSA (sign only)
-     (5) Elgamal (encrypt only)
-     (6) RSA (encrypt only)
-     (7) DSA (set your own capabilities)
-     (8) RSA (set your own capabilities)
-  Your selection? 8
-
-And select ``Authenticate`` for the capabilities for this key.
-Initially, it's ``Sign`` and  ``Encrypt``.
-I need to deselect ``Sign`` and ``Encrypt``, and select ``Authenticate``.
-To do that, I enter ``s``, ``e``, and ``a``.  ::
-
-  Possible actions for a RSA key: Sign Encrypt Authenticate 
-  Current allowed actions: Sign Encrypt 
-  
-     (S) Toggle the sign capability
-     (E) Toggle the encrypt capability
-     (A) Toggle the authenticate capability
-     (Q) Finished
-  
-  Your selection? s
-  
-  Possible actions for a RSA key: Sign Encrypt Authenticate 
-  Current allowed actions: Encrypt 
-  
-     (S) Toggle the sign capability
-     (E) Toggle the encrypt capability
-     (A) Toggle the authenticate capability
-     (Q) Finished
-  
-  Your selection? e
-  
-  Possible actions for a RSA key: Sign Encrypt Authenticate 
-  Current allowed actions: 
-
-     (S) Toggle the sign capability
-     (E) Toggle the encrypt capability
-     (A) Toggle the authenticate capability
-     (Q) Finished
-  
-  Your selection? a
-  
-  Possible actions for a RSA key: Sign Encrypt Authenticate 
-  Current allowed actions: Authenticate 
-  
-     (S) Toggle the sign capability
-     (E) Toggle the encrypt capability
-     (A) Toggle the authenticate capability
-     (Q) Finished
-
-OK, we set the capability of ``Authenticate``.
-We enter ``q`` to finish setting capabilities. ::
-
-  Your selection? q
-
-GnuPG asks bitsize and expiration, we enter 2048 for bitsize and no expiration.
-Then, we confirm that we really create the key. ::
-
-  RSA keys may be between 1024 and 4096 bits long.
-  What keysize do you want? (2048) 
-  Requested keysize is 2048 bits
-  Please specify how long the key should be valid.
-           0 = key does not expire
-        <n>  = key expires in n days
-        <n>w = key expires in n weeks
-        <n>m = key expires in n months
-        <n>y = key expires in n years
-  Key is valid for? (0) 0
-  Key does not expire at all
-  Is this correct? (y/N) y
-  Really create? (y/N) y
-
-Then, GnuPG generate the key. ::
-
-  We need to generate a lot of random bytes. It is a good idea to perform
-  some other action (type on the keyboard, move the mouse, utilize the
-  disks) during the prime generation; this gives the random number
-  generator a better chance to gain enough entropy.
-  .......+++++
-  +++++
-
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: ultimate
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
-  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
-
-  gpg> 
-
-We save the key (to the storage of the host PC. ::
-
-  gpg> save
-  $ 
-
-Now, we have three keys (one primary key for signature and certification,
-subkey for encryption, and another subkey for authentication).
-
-
-Publishing public key
-=====================
-
-We make a file for the public key by ``--export`` option of GnuPG. ::
-
-  $ gpg --armor --output <YOUR-KEY>.asc --export <YOUR-KEY-ID>
-
-We can publish the file by web server.  Or we can publish the key
-to a keyserver, by invoking GnuPG with ``--send-keys`` option.  ::
-
-  $ gpg --keyserver pool.sks-keyservers.net --send-keys <YOUR-KEY-ID>
-
-Here, pool.sks-keyservers.net is a keyserver, which is widely used.
-
-
-Backup the private key
-======================
-
-There are some ways to back up private key, such that backup .gnupg
-directory entirely, or use of paperkey, etc.
-Here, we describe backup by ASCII file.
-ASCII file is good, because it has less risk on transfer.
-Binary file has a risk to be modified on transfer.
-
-Note that the key on host PC is protected by passphrase (which
-is <PASSWORD-KEY-ON-PC> in the example above).  Using the key
-from the backup needs this passphrase.  It is common that
-people will forget passphrase for backup.  Never forget it.
-You have been warned.
-
-To make ASCII backup for private key,
-invokde GnuPG with ``--armor`` option and ``--export-secret-keys``
-specifying the key identifier. ::
-
-  $ gpg --armor --output <YOUR-SECRET>.asc --export-secret-keys <YOUR-KEY-ID>
-
-From the backup,
-we can recover privet key by invoking GnuPG with ``--import`` option. ::
-
-  $ gpg --import <YOUR-SECRET>.asc

doc/generating-key.rst

@@ -0,0 +1,487 @@
+====================
+Generating key pairs
+====================
+
+In this section, we describe how to generate 2048-bit RSA keys.
+
+You would like to use newer ECC keys instead of RSA keys.  It is also described.
+
+
+Key length of RSA
+=================
+
+In 2005, NIST (National Institute of Standards and Technology, USA)
+issued the first revision of NIST Special Publication 800-57, 
+"Recommendation for Key Management".
+
+In 800-57, NIST advises that 1024-bit RSA keys will no longer be
+viable after 2010 and advises moving to 2048-bit RSA keys.  NIST
+advises that 2048-bit keys should be viable until 2030.
+
+As of 2016, GnuPG's default for generating RSA key is 2048-bit.
+
+Some people have preference on RSA 4096-bit keys, considering "longer is better".
+
+However, "longer is better" is not always true.  When it's long, it
+requires more computational resource, memory, and storage.  Further,
+it consumes more power for nomal usages.  These days, many people has
+enough computational resource, that would be true, but less is better
+for power consumption, isn't it?
+
+For security, the key length is just a single factor.  We had and will have
+algorithm issues, too.  It is true that it's difficult to update
+our public keys, but this problem wouldn't be solved by just having
+longer keys.
+
+We deliberately recommend use of RSA 2048-bit keys for Gnuk,
+considering device computation power and host software constraints.
+
+Thus, the key size is 2048-bit in the examples below.
+
+When/If your environment allows use of newer ECC keys, newer ECC keys are recommended.
+
+
+Generating RSA keys on host PC
+==============================
+
+Here is the example session to generate main key and a subkey for encryption.
+
+I invoke GnuPG with ``--quick-gen-key`` option. ::
+
+  $ gpg --quick-gen-key "Niibe Yutaka <gniibe@fsij.org>"
+  About to create a key for:
+      "Niibe Yutaka <gniibe@fsij.org>"
+
+  Continue? (Y/n) y
+
+It askes passphrase for this **key on host PC**.
+Note that this is a passphrase for the key on host PC.
+It is different thing to the passphrase of Gnuk Token.
+We enter two same inputs two times
+(once for passphrase input, and another for confirmation),
+<PASSWORD-KEY-ON-PC>.
+
+Then, GnuPG generate keys.  It takes some time.  ::
+  
+  We need to generate a lot of random bytes. It is a good idea to perform
+  some other action (type on the keyboard, move the mouse, utilize the
+  disks) during the prime generation; this gives the random number
+  generator a better chance to gain enough entropy.
+  gpg: key 76A9392B02CD15D1 marked as ultimately trusted
+  gpg: revocation certificate stored as '/home/gniibe.gnupg/openpgp-revocs.d/36CE0B8408CFE5CD07F94ACF76A9392B02CD15D1.rev'
+  public and secret key created and signed.
+
+  gpg: checking the trustdb
+  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+  gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
+  pub   rsa2048 2016-06-20 [S]
+        36CE0B8408CFE5CD07F94ACF76A9392B02CD15D1
+  uid           [ultimate] Niibe Yutaka <gniibe@fsij.org>
+  sub   rsa2048 2016-06-20 []
+
+Done.
+
+Then, we create authentication subkey.
+Authentication subkey is not that common,
+but very useful (for SSH authentication).
+As it is not that common, we need ``--expert`` option for GnuPG. ::
+
+  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+
+  Secret key is available.
+
+  sec  rsa2048/76A9392B02CD15D1
+       created: 2016-06-20  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  rsa2048/4BD1EB26F0E607E6
+       created: 2016-06-20  expires: never       usage: E   
+  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
+  
+  gpg> 
+
+Here, it displays that there are main key and a subkey.
+It prompts sub-command with ``gpg>`` .
+
+Here, we enter ``addkey`` sub-command.
+
+  gpg> addkey
+    
+GnuPG asks kind of key.  We select ``RSA (set your own capabilities)``. ::
+
+  Please select what kind of key you want:
+     (3) DSA (sign only)
+     (4) RSA (sign only)
+     (5) Elgamal (encrypt only)
+     (6) RSA (encrypt only)
+     (7) DSA (set your own capabilities)
+     (8) RSA (set your own capabilities)
+    (10) ECC (sign only)
+    (11) ECC (set your own capabilities)
+    (12) ECC (encrypt only)
+    (13) Existing key
+  Your selection? 8
+
+And select ``Authenticate`` for the capabilities for this key.
+Initially, it's ``Sign`` and  ``Encrypt``.
+I need to deselect ``Sign`` and ``Encrypt``, and select ``Authenticate``.
+To do that, I enter ``s``, ``e``, and ``a``.  ::
+
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Sign Encrypt 
+  
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? s
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Encrypt 
+  
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? e
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: 
+
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? a
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Authenticate 
+  
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+
+OK, we set the capability of ``Authenticate``.
+We enter ``q`` to finish setting capabilities. ::
+
+  Your selection? q
+
+GnuPG asks bitsize and expiration, we enter 2048 for bitsize and no expiration.
+Then, we confirm that we really create the key. ::
+
+  RSA keys may be between 1024 and 4096 bits long.
+  What keysize do you want? (2048) 
+  Requested keysize is 2048 bits
+  Please specify how long the key should be valid.
+           0 = key does not expire
+        <n>  = key expires in n days
+        <n>w = key expires in n weeks
+        <n>m = key expires in n months
+        <n>y = key expires in n years
+  Key is valid for? (0) 0
+  Key does not expire at all
+  Is this correct? (y/N) y
+  Really create? (y/N) y
+
+Then, it askes the passphrase, it is the passphrase of **key on host PC**.
+It's the one we entered above as <PASSWORD-KEY-ON-PC>.
+
+Then, GnuPG generate the key. ::
+
+  We need to generate a lot of random bytes. It is a good idea to perform
+  some other action (type on the keyboard, move the mouse, utilize the
+  disks) during the prime generation; this gives the random number
+  generator a better chance to gain enough entropy.
+
+  sec  rsa2048/76A9392B02CD15D1
+       created: 2016-06-20  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  rsa2048/4BD1EB26F0E607E6
+       created: 2016-06-20  expires: never       usage: E   
+  ssb  rsa2048/F3BA52C64012198D
+       created: 2016-06-20  expires: never       usage: A   
+  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
+
+  gpg> 
+
+We save the key (to the storage of the host PC). ::
+
+  gpg> save
+  $ 
+
+Now, we have three keys (one primary key for signature and certification,
+subkey for encryption, and another subkey for authentication).
+
+
+Publishing public key
+=====================
+
+We make a file for the public key by ``--export`` option of GnuPG. ::
+
+  $ gpg --armor --output <YOUR-KEY>.asc --export <YOUR-KEY-ID>
+
+We can publish the file by web server.  Or we can publish the key
+to a keyserver, by invoking GnuPG with ``--send-keys`` option.  ::
+
+  $ gpg --keyserver pool.sks-keyservers.net --send-keys <YOUR-KEY-ID>
+
+Here, pool.sks-keyservers.net is a keyserver, which is widely used.
+
+
+Backup the private key
+======================
+
+There are some ways to back up private key, such that backup .gnupg
+directory entirely, or use of paperkey, etc.
+Here, we describe backup by ASCII file.
+ASCII file is good, because it has less risk on transfer.
+Binary file has a risk to be modified on transfer.
+
+Note that the key on host PC is protected by passphrase (which
+is <PASSWORD-KEY-ON-PC> in the example above).  Using the key
+from the backup needs this passphrase.  It is common that
+people will forget passphrase for backup.  Never forget it.
+You have been warned.
+
+To make ASCII backup for private key,
+invokde GnuPG with ``--armor`` option and ``--export-secret-keys``
+specifying the key identifier. ::
+
+  $ gpg --armor --output <YOUR-SECRET>.asc --export-secret-keys <YOUR-KEY-ID>
+
+From the backup,
+we can recover privet key by invoking GnuPG with ``--import`` option. ::
+
+  $ gpg --import <YOUR-SECRET>.asc
+
+
+Generating ECC keys on host PC
+==============================
+
+Here is an example session log to create newer ECC keys.  You need
+libgcrypt 1.7 or newer and GnuPG 2.1.8 or newer.
+
+Next, we invoke gpg frontend with ``--expert`` and ``--full-gen-key`` option. ::
+
+    $ gpg --expert --full-gen-key
+    gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
+    This is free software: you are free to change and redistribute it.
+    There is NO WARRANTY, to the extent permitted by law.
+
+Then, we input ``9`` to select ECC primary key and ECC encryption subkey. ::
+    
+    Please select what kind of key you want:
+       (1) RSA and RSA (default)
+       (2) DSA and Elgamal
+       (3) DSA (sign only)
+       (4) RSA (sign only)
+       (7) DSA (set your own capabilities)
+       (8) RSA (set your own capabilities)
+       (9) ECC and ECC
+      (10) ECC (sign only)
+      (11) ECC (set your own capabilities)
+    Your selection? 9
+
+Next is the important selection.  We input ``1`` to select "Curve25519". ::
+
+    Please select which elliptic curve you want:
+       (1) Curve 25519
+       (2) NIST P-256
+       (3) NIST P-384
+       (4) NIST P-521
+       (5) Brainpool P-256
+       (6) Brainpool P-384
+       (7) Brainpool P-512
+       (8) secp256k1
+    Your selection? 1
+
+You may see WARNING (it depends on version of GnuPG) and may been asked.  Since it is what you want, please answer with 'y'. ::
+
+    gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
+    Use this curve anyway? (y/N) y
+
+It asks about expiration of key. ::
+
+    Please specify how long the key should be valid.
+             0 = key does not expire
+          <n>  = key expires in n days
+          <n>w = key expires in n weeks
+          <n>m = key expires in n months
+          <n>y = key expires in n years
+    Key is valid for? (0) 
+    Key does not expire at all
+    Is this correct? (y/N) y
+
+Then, it asks about a user ID. ::
+
+    GnuPG needs to construct a user ID to identify your key.
+    
+    Real name: Kunisada Chuji
+    Email address: chuji@gniibe.org
+    Comment: 
+    You selected this USER-ID:
+        "Kunisada Chuji <chuji@gniibe.org>"
+
+Lastly, it asks confirmation. ::
+
+    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+
+Then, it goes like this. ::
+
+    We need to generate a lot of random bytes. It is a good idea to perform
+    some other action (type on the keyboard, move the mouse, utilize the
+    disks) during the prime generation; this gives the random number
+    generator a better chance to gain enough entropy.
+    We need to generate a lot of random bytes. It is a good idea to perform
+    some other action (type on the keyboard, move the mouse, utilize the
+    disks) during the prime generation; this gives the random number
+    generator a better chance to gain enough entropy.
+
+It asks the passphrase for keys by pop-up window, and then, finishes. ::
+    
+    gpg: key 17174C1A7C406DB5 marked as ultimately trusted
+    gpg: revocation certificate stored as '/home/gniibe.gnupg/openpgp-revocs.d/1719874a4fe5a1d8c465277d5a1bb27e3000f4ff.rev'
+    public and secret key created and signed.
+    
+    gpg: checking the trustdb
+    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+    gpg: depth: 0  valid:   6  signed:  67  trust: 0-, 0q, 0n, 0m, 0f, 6u
+    gpg: depth: 1  valid:  67  signed:  40  trust: 67-, 0q, 0n, 0m, 0f, 0u
+    gpg: next trustdb check due at 2016-10-05
+    pub   ed25519 2016-07-08
+          F478770235B60A230BE78005006A236C292C31D7
+    uid         [ultimate] Kunisada Chuji <chuji@gniibe.org>
+    sub   cv25519 2016-07-08
+    
+    $
+
+We have the primary key with ed25519, and encryption subkey with cv25519.
+
+
+Next, we add authentication subkey which can be used with OpenSSH.
+We invoke gpg frontend with ``--edit-key`` and the key ID. ::
+
+    $ gpg2 --expert --edit-key 17174C1A7C406DB5
+    gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
+    This is free software: you are free to change and redistribute it.
+    There is NO WARRANTY, to the extent permitted by law.
+    
+    Secret key is available.
+    
+    sec  ed25519/17174C1A7C406DB5
+         created: 2016-07-08  expires: never       usage: SC  
+         trust: ultimate      validity: ultimate
+    ssb  cv25519/37A03183DF7B31B1
+         created: 2016-07-08  expires: never       usage: E   
+    [ultimate] (1). Kunisada Chuji <chuji@gniibe.org>
+
+We invoke ``addkey`` subcommand. ::
+
+    gpg> addkey
+
+It asks a kind of key, we input ``11`` to select ECC for authentication. ::
+
+    Please select what kind of key you want:
+       (3) DSA (sign only)
+       (4) RSA (sign only)
+       (5) Elgamal (encrypt only)
+       (6) RSA (encrypt only)
+       (7) DSA (set your own capabilities)
+       (8) RSA (set your own capabilities)
+      (10) ECC (sign only)
+      (11) ECC (set your own capabilities)
+      (12) ECC (encrypt only)
+      (13) Existing key
+    Your selection? 11
+
+and then, we specify "Authenticate" capability. ::
+
+    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
+    Current allowed actions: Sign 
+    
+       (S) Toggle the sign capability
+       (A) Toggle the authenticate capability
+       (Q) Finished
+    
+    Your selection? a
+    
+    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
+    Current allowed actions: Sign Authenticate 
+    
+       (S) Toggle the sign capability
+       (A) Toggle the authenticate capability
+       (Q) Finished
+    
+    Your selection? s
+    
+    Possible actions for a ECDSA/EdDSA key: Sign Authenticate 
+    Current allowed actions: Authenticate 
+    
+       (S) Toggle the sign capability
+       (A) Toggle the authenticate capability
+       (Q) Finished
+    
+    Your selection? q
+
+Then, it asks which curve.  We input ``1`` for "Curve25519". ::
+
+    Please select which elliptic curve you want:
+       (1) Curve 25519
+       (2) NIST P-256
+       (3) NIST P-384
+       (4) NIST P-521
+       (5) Brainpool P-256
+       (6) Brainpool P-384
+       (7) Brainpool P-512
+       (8) secp256k1
+    Your selection? 1
+
+It may ask confirmation with WARNING (depends on version).  We say ``y``. ::
+
+    gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
+    Use this curve anyway? (y/N) y
+
+It asks expiration of the key. ::
+
+    Please specify how long the key should be valid.
+             0 = key does not expire
+          <n>  = key expires in n days
+          <n>w = key expires in n weeks
+          <n>m = key expires in n months
+          <n>y = key expires in n years
+    Key is valid for? (0) 
+    Key does not expire at all
+    Is this correct? (y/N) y
+
+And the confirmation. ::
+
+    Really create? (y/N) y
+
+It goes. ::
+
+    We need to generate a lot of random bytes. It is a good idea to perform
+    some other action (type on the keyboard, move the mouse, utilize the
+    disks) during the prime generation; this gives the random number
+    generator a better chance to gain enough entropy.
+
+It asks the passphrase.  And done. ::
+    
+    sec  ed25519/17174C1A7C406DB5
+         created: 2016-09-08  expires: never       usage: SC  
+         trust: ultimate      validity: ultimate
+    ssb  cv25519/37A03183DF7B31B1
+         created: 2016-09-08  expires: never       usage: E   
+    ssb  ed25519/4AD7D2428679DF5F
+         created: 2016-09-08  expires: never       usage: A   
+    [ultimate] (1). Kunisada Chuji <chuji@gniibe.org>
+
+We type ``save`` to exit form gpg. ::
+
+    gpg> save
+    $ 
+  

doc/gnome3-gpg-settings.rst

@@ -1,38 +0,0 @@
-==========================
-GnuPG settings for GNOME 3
-==========================
-
-In the article `GnuPG settings`_, I wrote how I disable GNOME-keyrings for SSH.
-
-It was for GNOME 2.  The old days was good, we just disabled GNOME-keyrings
-interference to SSH and customizing our desktop was easy for GNU and UNIX users.
-
-.. _GnuPG settings: gpg-settings
-
-
-GNOME keyrings in GNOME 3
-=========================
-
-It seems that it is more integrated into the desktop.
-It is difficult to kill it.  It would be possible to kill it simply,
-but then, I can't use, say, wi-fi access (which needs to access "secrets")
-any more.
-
-We can't use GNOME configuration tool to disable interference by
-GNOME keyrings any more.  It seems that desktop should not have
-customization these days.
-
-
-GNOME-SESSION-PROPERTIES
-========================
-
-After struggling some hours, I figured out it is GNOME-SESSION-PROPERTIES
-to disable the interference.  Invoking::
-
- $ gnome-session-properties
-
-and at the tab of "Startup Programs", I removed radio check buttons
-for "GPG Password Agent" and "SSH Key Agent".
-
-
-Now, I use gpg-agent for GnuPG Agent and SSH agent with Gnuk Token.

doc/gnuk-keytocard-noremoval.rst

@@ -5,174 +5,14 @@ Key import from PC to Gnuk Token (no removal)
 This document describes how I put my **keys on PC** to the Token
 without removing keys from PC.
 
-The difference is just not-to-save changes after key imports.
+The difference is only the last step.
+I don't save changes on PC after keytocard.
 
-After personalization, I put my keys into the Token.
+For the steps before the last step, please see `keytocard with removing keys on PC`_.
 
-Here is the log.
+.. _keytocard with removing keys on PC: gnuk-keytocard
 
-I invoke GnuPG with my key (4ca7babe) and with ``--homedir`` option
-to specify the directory which contains my secret keys.  ::
-
-  $ gpg --homedir=/home/gniibe/tmp/gnuk-testing-dir --edit-key 4ca7babe 
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
-  This is free software: you are free to change and redistribute it.
-  There is NO WARRANTY, to the extent permitted by law.
-  
-  Secret key is available.
-  
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: ultimate
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
-  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
-
-
-Then, GnuPG enters its own command interaction mode.  The prompt is ``gpg>``.
-To enable ``keytocard`` command, I type ``toggle`` command.  ::
-
-  gpg> toggle
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-Firstly, I import my primary key into Gnuk Token.
-I type ``keytocard`` command, answer ``y`` to confirm keyimport,
-and type ``1`` to say it's signature key. ::
-
-  gpg> keytocard
-  Really move the primary key? (y/N) y
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
-  Please select where to store the key:
-     (1) Signature key
-     (3) Authentication key
-  Your selection? 1
-
-Then, GnuPG asks two passwords.  One is the passphrase of **keys on PC**
-and another is the password of **Gnuk Token**.  Note that the password of
-the token and the password of the keys on PC are different things,
-although they can be same.
-
-Here, I assume that Gnuk Token's admin password of factory setting (12345678).
-
-I enter these passwords. ::
-
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
-  gpg: 3 Admin PIN attempts remaining before card is permanently locked
-  
-  Please enter the Admin PIN
-  Enter Admin PIN: 12345678
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-The primary key is now on the Token and GnuPG says its card-no (F517 00000001),
-where F517 is the vendor ID of FSIJ.
-
-Secondly, I import my subkey of encryption.  I select key number '1'. ::
-
-  gpg> key 1
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-You can see that the subkey is marked by '*'.
-I type ``keytocard`` command to import this subkey to Gnuk Token.
-I select ``2`` as it's encryption key. ::
-
-  gpg> keytocard
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
-  Please select where to store the key:
-     (2) Encryption key
-  Your selection? 2
-
-Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
-
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 084239CF, created 2010-10-15
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-The sub key is now on the Token and GnuPG says its card-no for it.
-  
-I type ``key 1`` to deselect key number '1'. ::
-
-  gpg> key 1
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-Thirdly, I select sub key of authentication which has key number '2'. ::
-
-  gpg> key 2
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-You can see that the subkey number '2' is marked by '*'.
-I type ``keytocard`` command to import this subkey to Gnuk Token.
-I select ``3`` as it's authentication key. ::
-
-  gpg> keytocard
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
-  Please select where to store the key:
-     (3) Authentication key
-  Your selection? 3
-
-Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
-
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 5BB065DC, created 2010-10-22
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
-                       card-no: F517 00000001
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-The sub key is now on the Token and GnuPG says its card-no for it.
+Here is the session log of the last step.
 
 Lastly, I quit GnuPG.  Note that I **don't** save changes. ::
 
@@ -182,4 +22,4 @@ Lastly, I quit GnuPG.  Note that I **don't** save changes. ::
   $ 
 
 All keys are imported to Gnuk Token now.
-Still, secret keys are available on PC.
+Still, secret keys are available on PC, too.

doc/gnuk-keytocard.rst

@@ -22,33 +22,31 @@ See `another document`_ to import keys to the Token from copied directory.
 
 After personalization, I put my keys into the Token.
 
-Here is the log.
+Here is the session log.
 
-I invoke GnuPG with my key (4ca7babe).  ::
+I invoke GnuPG with my key (249CB3771750745D5CDD323CE267B052364F028D).  ::
 
-  $ gpg --edit-key 4ca7babe 
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  $ gpg --edit-key 249CB3771750745D5CDD323CE267B052364F028D
+  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
-  
+
   Secret key is available.
-  
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: ultimate
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
-  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@debian.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@fsij.org>
+
+  gpg> 
 
 
 Then, GnuPG enters its own command interaction mode.  The prompt is ``gpg>``.
-To enable ``keytocard`` command, I type ``toggle`` command.  ::
-
-  gpg> toggle
-  
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
 
 Firstly, I import my primary key into Gnuk Token.
 I type ``keytocard`` command, answer ``y`` to confirm keyimport,
@@ -56,135 +54,129 @@ and type ``1`` to say it's signature key. ::
 
   gpg> keytocard
   Really move the primary key? (y/N) y
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
   Please select where to store the key:
      (1) Signature key
      (3) Authentication key
   Your selection? 1
 
-Then, GnuPG asks two passwords.  One is the passphrase of **keys on PC**
-and another is the password of **Gnuk Token**.  Note that the password of
-the token and the password of the keys on PC are different things,
+Then, GnuPG asks two kinds of passphrases.  One is the passphrase of **keys on PC**
+and another is the passphrase of **Gnuk Token**.  Note that the passphrase of
+the token and the passphrase of the keys on PC are different things,
 although they can be same.
 
-Here, I assume that Gnuk Token's admin password of factory setting (12345678).
+Here, I assume that Gnuk Token's admin passphrase of factory setting (12345678).
 
-I enter these passwords. ::
+I enter these passphrases. ::
 
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
-  gpg: 3 Admin PIN attempts remaining before card is permanently locked
+  Please enter your passphrase, so that the secret key can be unlocked for this session
+  <PASSWORD-KEY-ON-PC>
   
   Please enter the Admin PIN
   Enter Admin PIN: 12345678
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
-
-The primary key is now on the Token and GnuPG says its card-no (F517 00000001),
-where F517 is the vendor ID of FSIJ.
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
 
 Secondly, I import my subkey of encryption.  I select key number '1'. ::
 
   gpg> key 1
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb* cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
 
 You can see that the subkey is marked by '*'.
 I type ``keytocard`` command to import this subkey to Gnuk Token.
 I select ``2`` as it's encryption key. ::
 
   gpg> keytocard
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
   Please select where to store the key:
      (2) Encryption key
   Your selection? 2
 
 Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
 
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 084239CF, created 2010-10-15
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
+  Please enter your passphrase, so that the secret key can be unlocked for this session
+  <PASSWORD-KEY-ON-PC>
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb* cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
+
+The sub key is now on the Token.
 
-The sub key is now on the Token and GnuPG says its card-no for it.
-  
 I type ``key 1`` to deselect key number '1'. ::
 
   gpg> key 1
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
 
 Thirdly, I select sub key of authentication which has key number '2'. ::
 
   gpg> key 2
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb* ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
 
 You can see that the subkey number '2' is marked by '*'.
 I type ``keytocard`` command to import this subkey to Gnuk Token.
 I select ``3`` as it's authentication key. ::
 
   gpg> keytocard
-  Signature key ....: [none]
-  Encryption key....: [none]
-  Authentication key: [none]
-  
   Please select where to store the key:
      (3) Authentication key
   Your selection? 3
 
 Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
 
-  You need a passphrase to unlock the secret key for
-  user: "NIIBE Yutaka <gniibe@fsij.org>"
-  2048-bit RSA key, ID 5BB065DC, created 2010-10-22
-  <PASSWORD-KEY-4CA7BABE>
-  gpg: writing new key
+  Please enter your passphrase, so that the secret key can be unlocked for this session
+  <PASSWORD-KEY-ON-PC>
   
-  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
-                       card-no: F517 00000001
-  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
-                       card-no: F517 00000001
-  (1)  NIIBE Yutaka <gniibe@fsij.org>
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+  ssb* ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
 
-The sub key is now on the Token and GnuPG says its card-no for it.
+The sub key is now on the Token.
 
 Lastly, I save changes of **keys on PC** and quit GnuPG. ::
 

doc/gnuk-passphrase-setting.rst

@@ -22,41 +22,40 @@ Besides, some people sometimes prefer the word "passphrase" to
 same thing and it just refer user-password or admin-password.
 
 
-Set up PW1, PW3 and reset code
-==============================
+Set up PW1 and PW3
+==================
 
 Invoke GnuPG with the option ``--card-edit``.  ::
 
-  $ gpg --card-edit
-  Application ID ...: D276000124010200F517000000010000
+  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
+  Application ID ...: D276000124010200FFFE871930590000
   Version ..........: 2.0
-  Manufacturer .....: FSIJ
-  Serial number ....: 00000001
+  Manufacturer .....: unmanaged S/N range
+  Serial number ....: 87193059
   Name of cardholder: Yutaka Niibe
   Language prefs ...: ja
   Sex ..............: male
-  URL of public key : http://www.gniibe.org/gniibe.asc
+  URL of public key : http://www.gniibe.org/gniibe-20150813.asc
   Login data .......: gniibe
   Signature PIN ....: not forced
-  Key attributes ...: 2048R 2048R 2048R
+  Key attributes ...: ed25519 cv25519 ed25519
   Max. PIN lengths .: 127 127 127
   PIN retry counter : 3 3 3
   Signature counter : 0
-  Signature key ....: 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
-        created ....: 2010-10-15 06:46:33
-  Encryption key....: 42E1 E805 4E6F 1F30 26F2  DC79 79A7 9093 0842 39CF
-        created ....: 2010-10-15 06:46:33
-  Authentication key: B4D9 7142 C42D 6802 F5F7  4E70 9C33 B6BA 5BB0 65DC
-        created ....: 2010-10-22 06:06:36
-  General key info..: 
-  pub  2048R/4CA7BABE 2010-10-15 NIIBE Yutaka <gniibe@fsij.org>
-  sec>  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                        card-no: F517 00000001
-  ssb>  2048R/084239CF  created: 2010-10-15  expires: never     
-                        card-no: F517 00000001
-  ssb>  2048R/5BB065DC  created: 2010-10-22  expires: never     
-                        card-no: F517 00000001
-
+  Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
+        created ....: 2015-08-12 07:10:48
+  Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
+        created ....: 2015-08-12 07:10:48
+  Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
+        created ....: 2015-08-12 07:16:14
+  General key info..: pub  ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka <gniibe@fsij.org>
+  sec>  ed25519/E267B052364F028D  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+  ssb>  cv25519/850AF040D619F240  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+  ssb>  ed25519/5F910521FAA805B1  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+  
   gpg/card> 
 
 It shows the status of the card (as same as the output of ``gpg --card-status``).
@@ -71,7 +70,7 @@ Note that *the length of PIN should be more than (or equals to) 8* for
 "admin less mode".  ::
 
   gpg/card> passwd
-  gpg: OpenPGP card no. D276000124010200F517000000010000 detected
+  gpg: OpenPGP card no. D276000124010200FFFE871930590000 detected
   
   Please enter the PIN
   Enter PIN: 123456
@@ -94,15 +93,24 @@ please change admin-password at first.
 Then, the token works as same as OpenPGPcard specification
 with regards to PW1 and PW3.)
 
-Lastly, I setup reset code, entering admin mode.
-Having reset code, you can unblock PIN when the token will be blocked
-(by wrong attempt to entering PIN).  This is optional step. ::
+
+Set up of reset code (optional)
+===============================
+
+Lastly, we can setup reset code, entering admin mode.
+
+Having reset code, we can unblock the token when the token will be blocked
+(by wrong attempts to entering passphrase).  Note that this is optional step.
+
+When reset code is known to someone, that person can try to guess your passphrase of PW1 more times by unblocking the token.  So, I don't use this feature by myself.
+
+If we do, here is the interaction. ::
 
   gpg/card> admin
   Admin commands are allowed
   
   gpg/card> passwd
-  gpg: OpenPGP card no. D276000124010200F517000000010000 detected
+  gpg: OpenPGP card no. D276000124010200FFFE871930590000 detected
   
   1 - change PIN
   2 - unblock PIN
@@ -135,4 +143,4 @@ Then, I quit. ::
 
   gpg/card> quit
 
-That's all.
+That's all in this step.

doc/gnuk-personalization.rst

@@ -9,17 +9,19 @@ Personalize your Gnuk Token
 Invoke GnuPG with the option ``--card-edit``.  ::
 
   $ gpg --card-edit
-  Application ID ...: D276000124010200FFFE330069060000
+
+  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
+  Application ID ...: D276000124010200FFFE871930590000
   Version ..........: 2.0
   Manufacturer .....: unmanaged S/N range
-  Serial number ....: 33006906
+  Serial number ....: 87193059
   Name of cardholder: [not set]
   Language prefs ...: [not set]
   Sex ..............: unspecified
   URL of public key : [not set]
   Login data .......: [not set]
   Signature PIN ....: forced
-  Key attributes ...: 2048R 2048R 2048R
+  Key attributes ...: rsa2048 rsa2048 rsa2048
   Max. PIN lengths .: 127 127 127
   PIN retry counter : 3 3 3
   Signature counter : 0
@@ -58,7 +60,7 @@ login, and URL.  URL specifies the place where I put my public keys. ::
   Sex ((M)ale, (F)emale or space): m
   
   gpg/card> url
-  URL to retrieve public key: http://www.gniibe.org/gniibe.asc
+  URL to retrieve public key: http://www.gniibe.org/gniibe-20150813.asc
   
   gpg/card> login
   Login data (account name): gniibe
@@ -72,4 +74,4 @@ Then, I quit. ::
   
   gpg/card> quit
 
-That's all.
+That's all in this step.

doc/gnuk-token-initial-configuration.rst

@@ -27,19 +27,15 @@ Make sure there is no ``scdaemon`` for configuring Gnuk Token.  You can  kill ``
 Serial Number (optional)
 ========================
 
+Note that this is completely optional step.  I don't know anyone other than me, do this.  Even for me, I only do that for a single device among multiple devices I use.  I do that to test the feature.
+
 In the file ``GNUK_SERIAL_NUMBER``, each line has email and 6-byte serial number.  The first two bytes are organization number (F5:17 is for FSIJ).  Last four bytes are number for tokens.
 
 The tool ``../tool/gnuk_put_binary_libusb.py`` examines  environment variable of ``EMAIL``, and writes corresponding serial number to Gnuk Token. ::
 
   $ ../tool/gnuk_put_binary_libusb.py -s ../GNUK_SERIAL_NUMBER 
   Writing serial number
-  Device:  006
+  Device:  
   Configuration:  1
   Interface:  0
   d2 76 00 01 24 01 02 00 f5 17 00 00 00 01 00 00
-
-
-The example above is the case of libusb version.
-
-Use the tool ``../tool/gnuk_put_binary.py`` instead , for PC/SC Lite.
-You need PyScard for this.

doc/gpg-settings.rst

@@ -12,35 +12,38 @@ Here is my GnuPG settings.
 I create ``.gnupg/gpg.conf`` file with the following content. ::
 
   use-agent
-  personal-digest-preferences SHA256
-  cert-digest-algo SHA256
-  default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+  default-key 0xE267B052364F028D
 
-  default-key 0x4ca7babe
-
-In addition to the ``use-agent`` option, set preferences on algorithms, and specify my default key.
+In addition to the ``use-agent`` option, I specify my default key.
 
 The ``use-agent`` option is for GnuPG 1.4.x and it means using gpg-agent if available.
 If no option, GnuPG 1.4.x directly connects to Gnuk Token by itself, instead of through scdaemon.  When GnuPG 1.4.x tries to access Gnuk Token and scdaemon is running, there are conflicts.
 
 We recommend to specify the ``use-agent`` option for GnuPG 1.4.x to access Gnuk Token through gpg-agent and scdaemon.
 
-For GnuPG 2.0.x, gpg-agent is always used, so there is no need to specify the ``use-agent`` option, but having this option is no harm, anyway.
+For GnuPG 2.0 and 2.1, gpg-agent is always used, so, there is no need to specify the ``use-agent`` option, but having this option is no harm, anyway.
 
 
 Let gpg-agent manage SSH key
 ============================
 
-I deactivate seahose-agent.  Also, for GNOME 2, I deactivate gnome-keyring managing SSH key. ::
-
-  $ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
-
-I edit the file /etc/X11/Xsession.options and comment out use-ssh-agent line.
-
-Then, I create ``.gnupg/gpg-agent.conf`` file with the following content. ::
+I create ``.gnupg/gpg-agent.conf`` file with the following content. ::
 
   enable-ssh-support
 
+I edit the file /etc/X11/Xsession.options and comment out use-ssh-agent line,
+so that Xsession doesn't invoke original ssh-agent.  We use gpg-agent as ssh-agent.
+
+In the files /etc/xdg/autostart/gnome-keyring-ssh.desktop,
+I have a line something like: ::
+
+    OnlyShowIn=GNOME;Unity;MATE;
+
+I edit this line to: ::
+
+    OnlyShowIn=
+
+So that no desktop environment enables gnome-keyring for ssh.
 
 References
 ==========

doc/index.rst

@@ -2,8 +2,8 @@
    sphinx-quickstart on Wed Jul  4 15:29:05 2012.
    You can adapt this file completely to your liking, but it should at least
    contain the root `toctree` directive.
-   Copyright (C) 2012, 2013  NIIBE Yutaka
-   Copyright (C) 2012, 2013  Free Software Initiative of Japan
+   Copyright (C) 2012, 2013, 2016  NIIBE Yutaka
+   Copyright (C) 2012, 2013, 2016  Free Software Initiative of Japan
    This document is licensed under a CC-BY-SA 3.0 Unported License
 
 Gnuk Documentation
@@ -20,12 +20,11 @@ Contents:
    udev-rules.rst
    gnuk-token-initial-configuration.rst
    gnuk-personalization.rst
-   generating-2048-RSA-key.rst
+   generating-key.rst
    gnuk-keytocard.rst
    gnuk-keytocard-noremoval.rst
    gnuk-passphrase-setting.rst
    using-gnuk-token-with-another-computer.rst
-   gnome3-gpg-settings.rst
    development.rst
 
 

doc/intro.rst

@@ -9,6 +9,8 @@ Gnuk is an implementation of USB cryptographic token for GNU Privacy
 Guard.  Gnuk supports OpenPGP card protocol version 2, and it runs on
 STM32F103 processor.
 
+This document explains about Gnuk 1.2, which comes with ECC algorithm.
+
 
 Cryptographic token and feature of Gnuk
 ---------------------------------------
@@ -31,15 +33,15 @@ Target boards for running Gnuk
 ------------------------------
 
 Hardware requirement for Gnuk is the micro controller STM32F103.
-In version 1.1.x, Gnuk supports following boards.
+In version 1.2, Gnuk supports following boards.
 
 * FST-01 (Flying Stone Tiny ZERO-ONE)
 
 * Olimex STM32-H103
 
-* STM32 part of STM8S Discovery Kit
+* ST Nucleo F103
 
-* STBee
+* Nitrokey Start
 
 
 Host prerequisites for using Gnuk Token
@@ -49,11 +51,9 @@ Host prerequisites for using Gnuk Token
 
 * libusb
 
-* [Optional] PC/SC lite (pcscd, libccid)
-
 * [Optional] SSH: openssh
 
-* [optional] Web: scute, firefox
+* [experimental] Web: scute, firefox
 
 
 Usages
@@ -62,4 +62,4 @@ Usages
 * Sign with GnuPG
 * Decrypt with GnuPG
 * Use with OpenSSH through gpg-agent (as ssh-agent)
-* Use with Firefox through Scute for X.509 client certificate authentication
+* [experimental] Use with Firefox through Scute for X.509 client certificate authentication

doc/note/firmware-update

@@ -16,7 +16,7 @@ In addition to settings of Gnuk, I create a file
 
    # For updating firmware, permission settings are needed.
    
-   SUBSYSTEMS=="usb", ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000", \
+   SUBSYSTEMS=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", \
        ENV{ID_USB_INTERFACES}=="*:ff0000:*", GROUP="pcscd"
 
 
@@ -48,41 +48,11 @@ I have three keys in my token.
 With the script below, I extract public key of the keygrip
 5D6C89682D07CCFC034AF508420BF2276D8018ED into the file: 5D6C8968.bin::
 
-   $ ./get_public_key.py 5D6C89682D07CCFC034AF508420BF2276D8018ED
+   $ ./get_raw_public_key.py 5D6C89682D07CCFC034AF508420BF2276D8018ED
 
-Here is the script, get_public_key.py::
-
-   #! /usr/bin/python
-   
-   import sys, binascii
-   from subprocess import check_output
-   
-   def get_gpg_public_key(keygrip):
-       result = check_output(["gpg-connect-agent", "READKEY %s" % keygrip, "/bye"])
-       key = ""
-       while True:
-           i = result.find('%')
-           if i < 0:
-               key += result
-               break
-           hex_str = result[i+1:i+3]
-           key += result[0:i]
-           key += chr(int(hex_str,16))
-           result = result[i+3:]
-
-       pos = key.index("D (10:public-key(3:rsa(1:n257:") + 31 # skip NUL too
-       key = key[pos:-17]           # )(1:e3:XYZ)))\nOK\n
-       if len(key) != 256:
-           raise ValueError, binascii.hexlify(key)
-       return key
-
-   if __name__ == '__main__':
-       keygrip = sys.argv[1]
-       k = get_gpg_public_key(keygrip)
-       shorthand = keygrip[0:8] + ".bin"
-       f = open(shorthand,"w")
-       f.write(k)
-       f.close()
+(The script is available in the directory gnuk/tool.  Please note that
+it was written in the early stage of the development.  The quality of
+the code is somewhat questionable.)
 
 
 Then, we can put the data of public key into token by::

doc/note/firmware-update-2

@@ -0,0 +1,136 @@
+Please refer:
+
+    How can I reflash FST-01 with SWD port?:
+    http://www.gniibe.org/FST-01/q_and_a/swd-debugger.html
+
+
+Installing newer version of Gnuk onto FST-01 with Gnuk 1.0.1
+============================================================
+
+Please note that the feature of firmware upgrade is somewhat
+experimental.  I haven't got any success reports yet, but it's only
+used by me, so far.  When you will get some failure during your
+firmware installation, you will need SWD debugger.  YOU HAVE BEEN
+WARNED.  It is best to try firmware upgrade after you get a SWD
+debugger.
+
+
+The firmare upgrade feature of Gnuk
+------------------------------------
+
+Gnuk supports firmware upgrade by reGNUal.  It works in the following
+steps.
+
+1. User registers RSA public key to Gnuk Token for firmware upgrade
+
+2. When User wants firmware upgrade, user sends
+   the GET_CHALLENGE command then the EXTERNAL_AUTHENTICATE command
+   to Gnuk Token from host PC to authenticate.
+   The EXTERNAL_AUTHENTICATE command message consists of
+   signature (of challenge) by corresponding RSA private key.
+
+3. When Gnuk Token receives the EXTERNAL_AUTHENTICATE command message
+   and validates signature successfully, Gnuk finishes its normal
+   operation and goes to enter mode of loading special program onto RAM.
+
+4. Host PC sends reflashing program (reGNUal) to Gnuk Token.
+
+5. Gnuk clears up all content of flash ROM (but first 4KiB of system)
+   at the end of receiving special program and transfers its control
+   to reGNUal.
+
+6. reGNUal on Gnuk Token receives new firmware image from host PC and writes
+   to each page.
+
+7. Done.
+
+
+Host PC setting for Gnuk
+------------------------
+
+You need proper configuration for permission of Gnuk Token (udev
+setting).  It should have lines something like: ::
+
+  # Gnuk Token by FSIJ
+
+  SUBSYSTEMS=="usb", ACTION=="add", \
+    ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", \
+    ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+I have those lines in /etc/udev/rules.d/69-gnuk.rules.
+
+
+Building another version (newer) of Gnuk
+----------------------------------------
+
+Please see README of Gnuk for detail, but it's like configure
+and make:  ::
+
+  $ pwd
+  /home/user/src/gnuk
+  $ cd src
+  $ ./configure --vidpid=234b:0000
+  $ make
+
+Please take care of configure options.  The default target in 1.0.x
+series is Olimex STM32 H103 (not FST-01).  The default target in 1.2.x
+is FST-01.
+
+Then you get build/gnuk.elf.
+
+If you are not the authorized vendor, please never distribute this
+file of "gnuk.elf", which includes VID:PID in the image.  If you would
+like to distribute the image (for example, to check if it's
+reproducible or not), the file "gnuk-no-vidpid.elf" is the one with no
+VID:PID.
+
+Invoking configure with FSIJ's USB ID (234b:0000) and generating
+gnuk.elf means that you are using FSIJ's USB ID (for reGNUal in this
+case).  Please note that FSIJ only allows use of its USB ID for
+specific situations.  Please read README of Gnuk about that.
+
+
+Bulding reGNUal
+---------------
+
+You need to compile reGNUal. ::
+
+  $ cd ../regnual
+  $ make
+
+Then, you should have regnual.bin.  Note that 'configure' of Gnuk
+itself is needed before compiling reGNUal.
+
+
+upgrade_by_passwd.py
+--------------------
+
+In the source code distribution of 1.0.4 (or current development
+version) of Gnuk, there is a tool named 'upgrade_by_passwd.py'.
+
+This is an easy tool to hide lengthy steps from user and to allow user
+firmware upgrade only by password of Gnuk Token.
+
+Before running the script, you need to kill scdaemon: ::
+
+  $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
+
+The command line invokation above assumes that you properly configure
+your environment for Gnuk Token.
+
+
+How to run the script: ::
+
+  $ cd tool
+  $ ./upgrade_by_passwd.py
+
+Then, the script on your host PC invoke the steps described above, and
+you will get new version of Gnuk installed.
+
+You can also specify -f option to skip entering your password (it
+assumes the factory setting).
+
+If you already have configured another upgrade key installed, you can
+specify different slot by -k ``<slot_no>`` option.  SLOT_NO can be 0
+to 3.
+-- 

doc/stop-scdaemon.rst

@@ -28,10 +28,16 @@ To stop SCDAEMON and let it exit, type::
 Then, you can confirm that there is no SCDAEMON any more by ``ps``
 command.
 
+Or, you can use ``gpgconf`` command.  Type::
+
+	$ gpgconf --reload scdaemon
+
+will do the same thing.
+
 
 Let GPG-AGENT/SCDAEMON learn
 ============================
 
-To let gpg-agent/scdaemon learn from Gnuk Token, type::
+To let gpg-agent/scdaemon "learn" from Gnuk Token, type::
 
 	$ gpg-connect-agent learn /bye

doc/udev-rules.rst

@@ -10,10 +10,13 @@ PC/SC Lite, as it has its own device configuration.
 udev rules for Gnuk Token
 =========================
 
-In case of Debian, there is a file /lib/udev/rules.d/60-gnupg.rules,
-when you install "gnupg" package.  This is the place we need to
-change, if your installation is older (than jessie).  Newer "gnupg"
-package (1.4.15-1 or later) has already supported Gnuk Token.
+In case of Debian, there is a file /lib/udev/rules.d/60-gnupg.rules
+(or /lib/udev/rules.d/60-scdamon.rules for newer version),
+when you install "gnupg" package (or "scdaemon" package).
+This is the place we need to
+change, if your installation is older than jessie.  Newer "gnupg"
+package (1.4.15-1 or later) or "scdaemon" package has already
+supported Gnuk Token.
 
 If needed, please add lines for Gnuk Token to give a desktop user the
 permission to use the device.  We specify USB ID of Gnuk Token (by
@@ -30,11 +33,11 @@ FSIJ)::
     +
      LABEL="gnupg_rules_end"
 
-When we install "gnupg2" package only (with no "gnupg" package),
+When we only install "gnupg2" package for 2.0 (with no "gnupg" package),
 there will be no udev rules (there is a bug report #543217 for this issue).
 In this case, we need something like this in /etc/udev/rules.d/60-gnuk.rules::
 
-    SUBSYSTEMS=="usb", ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000",   \
+    SUBSYSTEMS=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000",   \
     ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
 
 Usually, udev daemon automatically handles for the changes of configuration

doc/using-gnuk-token-with-another-computer.rst

@@ -12,90 +12,90 @@ while ``.gnupg`` directory contains keyrings and trustdb, too.
 Fetch the public key and connect it to the Token
 ================================================
 
-Using the Token, we need to put the public key and the secret
-key reference (to the token) in ``.gnupg``.
+In order to use the Token, we need to put the public key and the secret
+key references (to the token) under ``.gnupg`` directory.
 
 To do that, invoke GnuPG with ``--card-edit`` option. ::
 
-  $ gpg --card-edit
-  Application ID ...: D276000124010200F517000000010000
+  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
+  Application ID ...: D276000124010200FFFE871930590000
   Version ..........: 2.0
-  Manufacturer .....: FSIJ
-  Serial number ....: 00000001
+  Manufacturer .....: unmanaged S/N range
+  Serial number ....: 87193059
   Name of cardholder: Yutaka Niibe
   Language prefs ...: ja
   Sex ..............: male
-  URL of public key : http://www.gniibe.org/gniibe.asc
+  URL of public key : http://www.gniibe.org/gniibe-20150813.asc
   Login data .......: gniibe
   Signature PIN ....: not forced
-  Key attributes ...: 2048R 2048R 2048R
+  Key attributes ...: ed25519 cv25519 ed25519
   Max. PIN lengths .: 127 127 127
   PIN retry counter : 3 3 3
-  Signature counter : 6
-  Signature key ....: 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
-        created ....: 2010-10-15 06:46:33
-  Encryption key....: 42E1 E805 4E6F 1F30 26F2  DC79 79A7 9093 0842 39CF
-        created ....: 2010-10-15 06:46:33
-  Authentication key: B4D9 7142 C42D 6802 F5F7  4E70 9C33 B6BA 5BB0 65DC
-        created ....: 2010-10-22 06:06:36
+  Signature counter : 0
+  Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
+        created ....: 2015-08-12 07:10:48
+  Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
+        created ....: 2015-08-12 07:10:48
+  Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
+        created ....: 2015-08-12 07:16:14
   General key info..: [none]
   
   gpg/card> 
 
-It says, there is no key info related to this token on your PC (``[none]``).
+Here, the secret key references (to the token) are created under ``.gnupg/private-keys-v1.d`` directory.  It can be also created when I do ``--card-status`` by GnuPG.
 
-Fetch the public key from URL specified in the Token. ::
+Still, it says that there is no key info related to this token on my PC (``[none]`` for General key info), because I don't have the public key on this PC yet.
+
+So, I fetch the public key from URL specified in the Token. ::
 
   gpg/card> fetch
-  gpg: requesting key 4CA7BABE from http server www.gniibe.org
-  gpg: key 4CA7BABE: public key "NIIBE Yutaka <gniibe@fsij.org>" imported
-  gpg: no ultimately trusted keys found
+  gpg: requesting key E267B052364F028D from http server www.gniibe.org
+  gpg: key E267B052364F028D: public key "NIIBE Yutaka <gniibe@fsij.org>" imported
   gpg: Total number processed: 1
-  gpg:               imported: 1  (RSA: 1)
+  gpg:               imported: 1
+  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+  gpg: depth: 0  valid:   6  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 6u
   
   gpg/card> 
 
-Good.  The public key is now in ``.gnupg``.  We can examine by ``gpg --list-keys``.
+Good.  The public key is now under ``.gnupg`` directory.  We can examine by ``gpg --list-keys``.
 
-However, the secret key reference (to the token) is not in ``.gnupg`` yet.
+When I type return at the ``gpg/card>`` prompt, now, I can see: ::
 
-It will be generated when I do ``--card-status`` by GnuPG with
-correspoinding public key in ``.gnupg``, or just type return
-at the ``gpg/card>`` prompt. ::
-
-  gpg/card> 
-  
-  Application ID ...: D276000124010200F517000000010000
+  Reader ...........: 234B:0000:FSIJ-1.2.0-87193059:0
+  Application ID ...: D276000124010200FFFE871930590000
   Version ..........: 2.0
-  Manufacturer .....: FSIJ
-  Serial number ....: 00000001
+  Manufacturer .....: unmanaged S/N range
+  Serial number ....: 87193059
   Name of cardholder: Yutaka Niibe
   Language prefs ...: ja
   Sex ..............: male
-  URL of public key : http://www.gniibe.org/gniibe.asc
+  URL of public key : http://www.gniibe.org/gniibe-20150813.asc
   Login data .......: gniibe
   Signature PIN ....: not forced
-  Key attributes ...: 2048R 2048R 2048R
+  Key attributes ...: ed25519 cv25519 ed25519
   Max. PIN lengths .: 127 127 127
   PIN retry counter : 3 3 3
-  Signature counter : 6
-  Signature key ....: 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
-        created ....: 2010-10-15 06:46:33
-  Encryption key....: 42E1 E805 4E6F 1F30 26F2  DC79 79A7 9093 0842 39CF
-        created ....: 2010-10-15 06:46:33
-  Authentication key: B4D9 7142 C42D 6802 F5F7  4E70 9C33 B6BA 5BB0 65DC
-        created ....: 2010-10-22 06:06:36
-  General key info..: 
-  pub  2048R/4CA7BABE 2010-10-15 NIIBE Yutaka <gniibe@fsij.org>
-  sec>  2048R/4CA7BABE  created: 2010-10-15  expires: never     
-                        card-no: F517 00000001
-  ssb>  2048R/084239CF  created: 2010-10-15  expires: never     
-                        card-no: F517 00000001
-  ssb>  2048R/5BB065DC  created: 2010-10-22  expires: never     
-                        card-no: F517 00000001
-  
+  Signature counter : 0
+  Signature key ....: 249C B377 1750 745D 5CDD  323C E267 B052 364F 028D
+        created ....: 2015-08-12 07:10:48
+  Encryption key....: E228 AB42 0F73 3B1D 712D  E50C 850A F040 D619 F240
+        created ....: 2015-08-12 07:10:48
+  Authentication key: E63F 31E6 F203 20B5 D796  D266 5F91 0521 FAA8 05B1
+        created ....: 2015-08-12 07:16:14
+  General key info..: pub  ed25519/E267B052364F028D 2015-08-12 NIIBE Yutaka <gniibe@fsij.org>
+  sec>  ed25519/E267B052364F028D  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+  ssb>  cv25519/850AF040D619F240  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+  ssb>  ed25519/5F910521FAA805B1  created: 2015-08-12  expires: never     
+                                  card-no: FFFE 87193059
+
+    
   gpg/card> 
 
+Note that, it displays the information about "General key info".
+
 OK, now I can use the Token on this computer.
 
 
@@ -103,33 +103,43 @@ Update trustdb for the key on Gnuk Token
 ========================================
 
 Yes, I can use the Token by the public key and the secret
-key reference to the card.  More, I need to update the trustdb.
+key references to the card.  More, I need to update the trustdb.
 
-To do that I do: ::
+To do that, I do: ::
 
-  $ gpg --edit-key 4ca7babe
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  $ ./gpg --edit-key E267B052364F028D
+  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
-  
+
   Secret key is available.
   
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: unknown       validity: unknown
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       card-no: FFFE 87193059
+       trust: unknown       validity: unknown
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+       card-no: FFFE 87193059
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+       card-no: FFFE 87193059
   [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
   [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
-  
-  gpg> 
 
-See, the key is ``unknown`` state.  Add trust for that. ::
+See, the key is ``unknown`` state.  Add trust for that, because it's the key under my control. ::
 
   gpg> trust
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: unknown       validity: unknown
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       card-no: FFFE 87193059
+       trust: unknown       validity: unknown
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+       card-no: FFFE 87193059
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+       card-no: FFFE 87193059
   [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
   [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
   
@@ -146,32 +156,49 @@ See, the key is ``unknown`` state.  Add trust for that. ::
   Your decision? 5
   Do you really want to set this key to ultimate trust? (y/N) y
   
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: unknown
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       card-no: FFFE 87193059
+       trust: ultimate      validity: unknown
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+       card-no: FFFE 87193059
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+       card-no: FFFE 87193059
   [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
   [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
   Please note that the shown key validity is not necessarily correct
   unless you restart the program.
   
-  $ 
+  gpg> 
 
-Next time I invoke GnuPG, it will be ``ultimate`` key.  Let's see: ::
+And I quit from gpg.  Then, when I invoke GnuPG, it will be ``ultimate`` key.  Let's see: ::
 
-  $ gpg --edit-key 4ca7babe
-  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  $ ./gpg --edit-key E267B052364F028D
+  gpg (GnuPG) 2.1.13; Copyright (C) 2016 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
-  
+
   Secret key is available.
-  
-  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
-                       trust: ultimate      validity: ultimate
-  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
-  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+
+  gpg: checking the trustdb
+  gpg: marginals needed: 3  completes needed: 1  trust model: pgp
+  gpg: depth: 0  valid:   7  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 7u
+  sec  ed25519/E267B052364F028D
+       created: 2015-08-12  expires: never       usage: SC  
+       card-no: FFFE 87193059
+       trust: ultimate      validity: ultimate
+  ssb  cv25519/850AF040D619F240
+       created: 2015-08-12  expires: never       usage: E   
+       card-no: FFFE 87193059
+  ssb  ed25519/5F910521FAA805B1
+       created: 2015-08-12  expires: never       usage: A   
+       card-no: FFFE 87193059
   [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
   [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
-  
+
   gpg> quit
-  $ 
+  $
+
+OK, all set.  I'm ready to use my Gnuk Token on this PC.

gnuk-stickers.svg

@@ -1,553 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:xlink="http://www.w3.org/1999/xlink"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="210mm"
-   height="297mm"
-   id="svg3961"
-   version="1.1"
-   inkscape:version="0.47 r22583"
-   sodipodi:docname="gnuk-sticers.svg">
-  <defs
-     id="defs3">
-    <inkscape:perspective
-       sodipodi:type="inkscape:persp3d"
-       inkscape:vp_x="0 : 526.18109 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_z="744.09448 : 526.18109 : 1"
-       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
-       id="perspective3967" />
-    <linearGradient
-       gradientUnits="userSpaceOnUse"
-       y2="1031.615"
-       x2="240.89818"
-       y1="1031.615"
-       x1="85.996228"
-       id="linearGradient4296"
-       xlink:href="#linearGradient4290"
-       inkscape:collect="always" />
-    <inkscape:perspective
-       sodipodi:type="inkscape:persp3d"
-       inkscape:vp_x="0 : 0.5 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_z="1 : 0.5 : 1"
-       inkscape:persp3d-origin="0.5 : 0.33333333 : 1"
-       id="perspective3903" />
-    <filter
-       id="filter3875"
-       inkscape:collect="always">
-      <feBlend
-         id="feBlend3877"
-         in2="BackgroundImage"
-         mode="screen"
-         inkscape:collect="always" />
-    </filter>
-    <inkscape:perspective
-       sodipodi:type="inkscape:persp3d"
-       inkscape:vp_x="0 : 0.5 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_z="1 : 0.5 : 1"
-       inkscape:persp3d-origin="0.5 : 0.33333333 : 1"
-       id="perspective3830" />
-    <inkscape:perspective
-       sodipodi:type="inkscape:persp3d"
-       inkscape:vp_x="0 : 526.18109 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_z="744.09448 : 526.18109 : 1"
-       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
-       id="perspective10-5" />
-    <linearGradient
-       id="linearGradient0">
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1;"
-         offset="0"
-         id="stop3620" />
-      <stop
-         id="stop3632"
-         offset="0.07"
-         style="stop-color:#c8c8e0;stop-opacity:1;" />
-      <stop
-         id="stop3630"
-         offset="0.17"
-         style="stop-color:#9696c8;stop-opacity:1;" />
-      <stop
-         id="stop3628"
-         offset="0.33"
-         style="stop-color:#6464b4;stop-opacity:1;" />
-      <stop
-         style="stop-color:#3232a0;stop-opacity:1;"
-         offset="0.5"
-         id="stop3634" />
-      <stop
-         id="stop3636"
-         offset="0.66"
-         style="stop-color:#282898;stop-opacity:1;" />
-      <stop
-         id="stop3626"
-         offset="0.85"
-         style="stop-color:#1e1e90;stop-opacity:1;" />
-      <stop
-         style="stop-color:#000088;stop-opacity:1;"
-         offset="1"
-         id="stop3622" />
-    </linearGradient>
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient0"
-       id="radialGradient0"
-       cx="450"
-       cy="750"
-       fx="450"
-       fy="750"
-       r="201.5"
-       gradientTransform="matrix(1,0,0,0.75369458,-1.760006,108.15135)"
-       gradientUnits="userSpaceOnUse" />
-    <linearGradient
-       id="linearGradient1">
-      <stop
-         style="stop-color:#ffffff;stop-opacity:1;"
-         offset="0"
-         id="stop0" />
-      <stop
-         id="stop1"
-         offset="0.0625"
-         style="stop-color:#f8fcff;stop-opacity:1;" />
-      <stop
-         id="stop2"
-         offset="0.17166339"
-         style="stop-color:#f0f8ff;stop-opacity:1;" />
-      <stop
-         id="stop3"
-         offset="0.30279359"
-         style="stop-color:#ecf4ff;stop-opacity:1;" />
-      <stop
-         style="stop-color:#e8f0ff;stop-opacity:1;"
-         offset="0.5"
-         id="stop4" />
-      <stop
-         id="stop5"
-         offset="0.65893352"
-         style="stop-color:#e0ecff;stop-opacity:1;" />
-      <stop
-         id="stop6"
-         offset="0.83552629"
-         style="stop-color:#d8e8ff;stop-opacity:1;" />
-      <stop
-         style="stop-color:#d0e0ff;stop-opacity:1;"
-         offset="1"
-         id="stop7" />
-    </linearGradient>
-    <radialGradient
-       inkscape:collect="always"
-       xlink:href="#linearGradient1"
-       id="radialGradient1"
-       cx="0"
-       cy="440"
-       fx="0"
-       fy="440"
-       r="80"
-       gradientUnits="userSpaceOnUse" />
-    <filter
-       inkscape:collect="always"
-       id="filter0"
-       x="-0.1423529"
-       width="1.2847058"
-       y="-0.13404847"
-       height="1.2680969">
-      <feGaussianBlur
-         inkscape:collect="always"
-         stdDeviation="2.0538481"
-         id="feGaussianBlur0" />
-    </filter>
-    <inkscape:perspective
-       sodipodi:type="inkscape:persp3d"
-       inkscape:vp_x="0 : 0.5 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_z="1 : 0.5 : 1"
-       inkscape:persp3d-origin="0.5 : 0.33333333 : 1"
-       id="perspective2884" />
-    <inkscape:perspective
-       id="perspective10"
-       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
-       inkscape:vp_z="744.09448 : 526.18109 : 1"
-       inkscape:vp_y="0 : 1000 : 0"
-       inkscape:vp_x="0 : 526.18109 : 1"
-       sodipodi:type="inkscape:persp3d" />
-    <linearGradient
-       id="linearGradient4290"
-       inkscape:collect="always">
-      <stop
-         id="stop4292"
-         offset="0"
-         style="stop-color:#000734;stop-opacity:1;" />
-      <stop
-         id="stop4294"
-         offset="1"
-         style="stop-color:#000734;stop-opacity:0;" />
-    </linearGradient>
-  </defs>
-  <sodipodi:namedview
-     inkscape:document-units="mm"
-     id="base"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:pageopacity="0.0"
-     inkscape:pageshadow="2"
-     inkscape:zoom="0.35"
-     inkscape:cx="-75.714286"
-     inkscape:cy="520"
-     inkscape:current-layer="layer1"
-     showgrid="false"
-     inkscape:window-width="1122"
-     inkscape:window-height="692"
-     inkscape:window-x="150"
-     inkscape:window-y="51"
-     inkscape:window-maximized="0" />
-  <metadata
-     id="metadata4">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <g
-     inkscape:label="Layer 1"
-     inkscape:groupmode="layer"
-     id="layer1">
-    <g
-       style="display:inline"
-       transform="translate(0.5,-946.62598)"
-       id="layer1-63"
-       inkscape:label="Layer1"
-       inkscape:tile-cx="124.59931"
-       inkscape:tile-cy="53.118107"
-       inkscape:tile-w="248.19862"
-       inkscape:tile-h="105.23622"
-       inkscape:tile-x0="0.5"
-       inkscape:tile-y0="0.49999656">
-      <rect
-         y="947.12598"
-         x="0"
-         height="105.23622"
-         width="248.19862"
-         id="rect0"
-         style="fill:#d9fffe;fill-opacity:1;stroke:none" />
-      <line id="line0"
-	    x1="0" y1="947.12598" x2="20" y2="947.12598"
-	    style="stroke:#000044;stroke-width:0.5;stroke-opacity:1;stroke-dasharray:2,1;stroke-dashoffset:1" />
-      <line id="line1"
-	    x1="248.19862" y1="947.12598" x2="248.19862" y2="957.12598"
-	    style="stroke:#000044;stroke-width:0.5;stroke-opacity:1;stroke-dasharray:2,1;stroke-dashoffset:1" />
-      <line id="line2"
-	    x1="248.19862" y1="1052.3622" x2="228.19862" y2="1052.3622"
-	    style="stroke:#000044;stroke-width:0.5;stroke-opacity:1;stroke-dasharray:2,1;stroke-dashoffset:1" />
-      <line id="line3"
-	    x1="0" y1="1052.3622" x2="0" y2="1042.3622"
-	    style="stroke:#000044;stroke-width:0.5;stroke-opacity:1;stroke-dasharray:2,1;stroke-dashoffset:1" />
-      <image
-         xlink:href="FSIJ-s.png"
-         width="41.757679"
-         height="28.346457"
-         id="image2886"
-         x="202.27382"
-         y="951.12598" />
-      <text
-         sodipodi:linespacing="100%"
-         id="text2890"
-         y="1014.9048"
-         x="94.433884"
-         style="font-size:52.27830124px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#032b7f;fill-opacity:1;stroke:none;font-family:Courier 10 Pitch;-inkscape-font-specification:Courier 10 Pitch Bold"
-         xml:space="preserve"><tspan
-           y="1014.9048"
-           x="94.433884"
-           id="tspan2892"
-           sodipodi:role="line">GNUK</tspan></text>
-      <g
-         inkscape:label="Layer 1"
-         id="layer1-6"
-         transform="matrix(-0.1014557,0,0,0.1014557,90.73972,926.6016)">
-        <path
-           style="fill:#000050;fill-opacity:1;stroke:#000000;stroke-width:2.29999995px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-           d="m 0,0 c 0,0 0,0 -76,0 0,0 -8,-9 -12,-12 -18,-15 -48,-48 -36,-84 4,-14 12,-36 12,-36 -10,6 -50,26 -66,54 -8,16 -18,30 -18,54 0,24 25,100 48,108 0,0 0,0 150,0 0,0 0,0 150,0 23,-8 48,-84 48,-108 0,-24 -10,-38 -18,-54 -16,-28 -46,-48 -66,-54 0,0 8,22 12,36 12,36 -18,69 -36,84 C 88,-9 80,0 80,0 z"
-           transform="matrix(-1.76,0,0,1.76,410,560)"
-           id="path0" />
-        <path
-           inkscape:connector-curvature="0"
-           style="fill:#000040;fill-opacity:1;stroke:none"
-           d="m 411.01194,560.94628 c 0,0 0,0 133.76,0 0,0 14.08,-15.84 21.12,-21.12 31.68,-26.4 84.48,-84.48 63.36,-147.84 -7.04,-24.64 -21.12,-63.36 -21.12,-63.36 17.6,10.56 38,45.76 66.16,95.04 14.08,28.16 19.18,52.8 19.18,95.04 0,42.24 -44,176 -84.48,190.08 0,0 62.5,0 -201.5,0 0,0 62.5,0 -201.5,0 -40.48,-14.08 -84.48,-147.84 -84.48,-190.08 0,-42.24 5.1,-66.88 19.18,-95.04 28.16,-49.28 30.96,-84.48 66.16,-95.04 0,0 -14.08,38.72 -21.12,63.36 -21.12,63.36 31.68,121.44 63.36,147.84 7.04,5.28 21.12,21.12 21.12,21.12 z"
-           id="path0-9"
-           sodipodi:nodetypes="ccccccscccscccccc" />
-        <path
-           style="fill:#c0c0fd;fill-opacity:1;stroke:#000000;stroke-width:4px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-           d="m 409.21999,592 c 0,0 90,0 90,-33 0,-20 -4,-28 -12,-40 -5,-8 -8,-18 -8,-28 -1,-13 -1,-20 8,-36 6,-9 8,-23 5,-33 -5,-14 -19,-23 -33,-25 -16,-5 -35,-4 -50,-5 -15,1 -34,0 -50,5 -14,2 -28,9 -33,25 -3,10 1,24 5,33 9,16 9,23 8,36 0,10 -3,20 -8,28 -8,12 -12,20 -12,40 0,33 90,33 90,33 z"
-           id="path1" />
-        <path
-           style="fill:url(#radialGradient1);fill-opacity:1;fill-rule:evenodd;stroke:#d0e0ff;stroke-width:10px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-           d="m 0,592 c 0,0 -90,0 -90,-33 0,-20 4,-28 12,-40 5,-8 8,-18 8,-28 1,-13 1,-20 -8,-36 -6,-9 -8,-23 -5,-33 5,-14 19,-23 33,-25 16,-5 35,-4 50,-5 15,1 34,0 50,5 14,2 28,9 33,25 3,10 -1,24 -5,33 -9,16 -9,23 -8,36 0,10 3,20 8,28 8,12 12,20 12,40 0,33 -90,33 -90,33 z"
-           id="path1-1"
-           transform="matrix(-0.75,0,0,0.8,410,100)" />
-        <path
-           style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none;filter:url(#filter0)"
-           d="m 344.11439,411.54794 c 7.16035,-2.82917 12.68023,-7.05316 25.88561,-1.83463 -11.82218,3.36559 -30.19974,8.74598 -28.4554,30.10894 0,1.43822 0.19526,2.84651 0.53302,4.18858 -5.07909,-3.45362 -6.70449,-9.04022 -6.70449,-15.93734 0,-10.74221 5.00989,-12.63545 8.74126,-16.52555 z"
-           id="path1-2"
-           sodipodi:nodetypes="ccccsc" />
-        <path
-           style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none;filter:url(#filter0)"
-           d="m 474.68123,406.16125 c 7.16035,-2.82917 12.68023,-7.05316 25.88561,-1.83463 -11.82218,3.36559 -30.19974,8.74598 -28.4554,30.10894 0,1.43822 0.19526,2.84651 0.53302,4.18858 -5.07909,-3.45362 -6.70449,-9.04022 -6.70449,-15.93734 0,-10.74221 5.00989,-12.63545 8.74126,-16.52555 z"
-           id="path1-3"
-           sodipodi:nodetypes="ccccsc"
-           transform="matrix(-1,0,0,1,949.00681,5.38669)" />
-        <path
-           style="fill:#afcfff;fill-opacity:1;stroke:#000000;stroke-width:4px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-           d="M 236.90125,452.90625 C 135.34805,496.35376 97.060607,634.496 151.37,761.4375 c 50.02335,116.92341 158.1859,159.40625 257.75,159.40625 99.5641,0 207.72665,-42.48284 257.75,-159.40625 C 721.17939,634.496 682.89195,496.35376 581.33875,452.90625 526.07714,429.26367 466.8919,524.375 409.12,524.375 c -57.7719,0 -116.77668,-94.67646 -172.21875,-71.46875 z"
-           id="path2"
-           inkscape:connector-curvature="0" />
-        <path
-           style="fill:url(#radialGradient0);fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:4px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-           id="path3"
-           d="m 538.23999,720 a 130,150 0 0 1 -260,0 130,150 0 1 1 260,0 z"
-           inkscape:connector-curvature="0" />
-        <path
-           style="fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:4.47213602px;stroke-opacity:1"
-           d="m 538.30032,722.21875 c 56.32313,26.16396 100.82185,68.68738 119.76563,119.4375 33.50451,82.59901 -5.55269,179.72665 -93.67188,230.71875 -89.66782,55.4574 -224.43374,55.4574 -314.10156,0 -88.11919,-50.9921 -127.13733,-148.11974 -93.63281,-230.71875 18.61816,-50.41349 63.06491,-92.92973 119.25781,-119.1875 11.1304,10.32118 18.58377,23.0939 22.34375,36.6875 -5.94376,3.59375 -11.63988,7.47175 -16.99219,11.625 -73.95399,55.19241 -81.85302,155.28934 -18.59375,218.125 47.75721,51.30795 139.68,72.55545 213.4375,46.68755 87.41094,-28.2229 135.47694,-110.93384 113.94531,-183.2813 -9.09953,-36.85675 -36.47131,-70.33241 -73.67187,-92.96875 2.51871,-9.1715 6.69761,-18.00492 12.57812,-26 2.55237,-3.99852 5.70954,-7.71801 9.33594,-11.125 z"
-           id="path4"
-           inkscape:connector-curvature="0" />
-      </g>
-      <text
-         sodipodi:linespacing="85.000002%"
-         id="text3817"
-         y="1038.1145"
-         x="98.368591"
-         style="font-size:18px;font-style:italic;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:85.00000238%;writing-mode:lr-tb;text-anchor:start;fill:#120054;fill-opacity:1;stroke:none;display:inline;font-family:Gentium Basic;-inkscape-font-specification:Gentium Basic Bold Italic"
-         xml:space="preserve"><tspan
-           y="1038.1145"
-           x="98.368591"
-           style="fill:#120054;fill-opacity:1"
-           id="tspan4288"
-           sodipodi:role="line">GnuPG USB Token</tspan></text>
-    </g>
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       id="use4758" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,105.23622)"
-       id="use4760" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,210.47244)"
-       id="use4762" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,315.70866)"
-       id="use4764" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,420.94489)"
-       id="use4766" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,526.18111)"
-       id="use4768" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,631.41733)"
-       id="use4770" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,736.65355)"
-       id="use4772" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,841.88977)"
-       id="use4774" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(0,947.12599)"
-       id="use4776" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,0)"
-       id="use4778" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,105.23622)"
-       id="use4780" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,210.47244)"
-       id="use4782" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,315.70866)"
-       id="use4784" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,420.94489)"
-       id="use4786" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,526.18111)"
-       id="use4788" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,631.41733)"
-       id="use4790" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,736.65355)"
-       id="use4792" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,841.88977)"
-       id="use4794" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(248.19862,947.12599)"
-       id="use4796" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,0)"
-       id="use4798" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,105.23622)"
-       id="use4800" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,210.47244)"
-       id="use4802" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,315.70866)"
-       id="use4804" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,420.94489)"
-       id="use4806" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,526.18111)"
-       id="use4808" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,631.41733)"
-       id="use4810" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,736.65355)"
-       id="use4812" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,841.88977)"
-       id="use4814" />
-    <use
-       x="0"
-       y="0"
-       inkscape:tiled-clone-of="#layer1-63"
-       xlink:href="#layer1-63"
-       transform="translate(496.39725,947.12599)"
-       id="use4816" />
-  </g>
-</svg>

misc/debug-bn.c

@@ -0,0 +1,220 @@
+/*
+ * debug-bn.c - Debug Bignum
+ * Copyright (C) 2014 Free Software Initiative of Japan
+ * Author: NIIBE Yutaka <gniibe@fsij.org>
+ *
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include "bn.h"
+
+void
+print_le_bn256 (const bn256 *X)
+{
+  int i;
+  const uint8_t *p = (const uint8_t *)X;
+
+  for (i = 0; i < 32; i++)
+    printf ("%02x", p[i]);
+  puts ("");
+}
+
+void
+print_be_bn256 (const bn256 *X)
+{
+  int i;
+
+  for (i = 7; i >= 0; i--)
+    printf ("%08x", X->word[i]);
+  puts ("");
+}
+
+#define MAXLINE 4096
+
+static int lineno;
+static int test_no;
+static bn256 sk[1];
+static bn256 pk[1];
+static unsigned char msg[MAXLINE];
+static size_t msglen;
+static bn512 sig[1];
+
+const char *
+skip_white_space (const char *l)
+{
+  while (*l != '\n' && isspace (*l))
+    l++;
+
+  return l;
+}
+
+
+static int
+read_hex_4bit (char c)
+{
+  int r;
+
+  if (c >= '0' && c <= '9')
+    r = c - '0';
+  else if (c >= 'a' && c <= 'f')
+    r = c - 'a' + 10;
+  else if (c >= 'A' && c <= 'F')
+    r = c - 'A' + 10;
+  else
+    r = -1;
+  return r;
+}
+
+static int
+read_hex_8bit (const char **l_p)
+{
+  const char *l = *l_p;
+  int r, v;
+
+  r = read_hex_4bit (*l++);
+  if (r < 0)
+    return -1;
+  v = r*16;
+  r = read_hex_4bit (*l++);
+  if (r < 0)
+    return -1;
+  v += r;
+
+  *l_p = l;
+  return v;
+}
+
+static int
+read_msg (unsigned char *msg, const char *l, int len)
+{
+  int i, r;
+
+  for (i = 0; i < len; i++)
+    {
+      r = read_hex_8bit (&l);
+      if (r < 0)
+	return -1;
+      msg[i] = r;
+    }
+
+  return 0;
+}
+
+
+static int
+read_le_bn256 (bn256 *sk, const char *l)
+{
+  int i;
+  uint8_t *p = (uint8_t *)sk;
+
+  for (i = 0; i < sizeof (bn256); i++)
+    {
+      int r;
+
+      if (*l == '\n')
+	{
+	  /* should support small input??? */
+	  return -1;
+	}
+
+      r = read_hex_8bit (&l);
+      if (r < 0)
+	return -1;
+
+      p[i] = r;
+    }
+
+  return 0;
+}
+
+static int
+read_be_bn256 (bn256 *sk, const char *l)
+{
+  int i;
+  uint8_t *p = (uint8_t *)sk;
+
+  for (i = 0; i < sizeof (bn256); i++)
+    {
+      int r;
+
+      if (*l == '\n')
+	{
+	  /* should support small input??? */
+	  return -1;
+	}
+
+      r = read_hex_8bit (&l);
+      if (r < 0)
+	return -1;
+
+      p[31 - i] = r;
+    }
+
+  return 0;
+}
+
+
+static int
+read_pk (bn256 *pk, const char *l, int len)
+{
+  int r;
+
+  if (len == 64)		/* 64 chars == 32-byte */
+    {				/* compressed form */
+      r = read_le_bn256 (pk, l);
+      if (r < 0)
+	return -1;
+      return 0;
+    }
+  else
+    {
+      bn256 x[1];
+
+      r = read_hex_8bit (&l);
+      if (r < 0)
+	return -1;
+      if (r != 4)
+	return -1;
+
+      r = read_be_bn256 (x, l);
+      if (r < 0)
+	return -1;
+      r = read_be_bn256 (pk, l+64);
+      if (r < 0)
+	return -1;
+
+      pk->word[7] ^= (x->word[0] & 1) * 0x80000000;
+      return 0;
+    }
+}
+
+static int
+read_le_bn512 (bn512 *sig, const char *l)
+{
+  int i;
+  uint8_t *p = (uint8_t *)sig;
+
+  for (i = 0; i < sizeof (bn512); i++)
+    {
+      int r;
+
+      if (*l == '\n')
+	{
+	  /* should support small input??? */
+	  return -1;
+	}
+
+      r = read_hex_8bit (&l);
+      if (r < 0)
+	return -1;
+
+      p[i] = r;
+    }
+
+  return 0;
+}

misc/stm32f103.cfg

@@ -0,0 +1,4 @@
+telnet_port 4444
+source [find interface/stlink.cfg]
+source [find target/stm32f1x.cfg]
+set WORKAREASIZE 0x10000

misc/t-mont.c

@@ -0,0 +1,92 @@
+/*
+ * t-eddsa.c - testing EdDSA
+ * Copyright (C) 2014 Free Software Initiative of Japan
+ * Author: NIIBE Yutaka <gniibe@fsij.org>
+ *
+ * Run following commands.  The file t-ed25519.inp is available in GNU
+ * libgcrypt source code under 'tests' directory.
+
+  gcc -Wall -c -DBN256_C_IMPLEMENTATION ecc-mont.c
+  gcc -Wall -c -DBN256_NO_RANDOM -DBN256_C_IMPLEMENTATION bn.c
+  gcc -Wall -c mod.c
+  gcc -Wall -c -DBN256_C_IMPLEMENTATION mod25638.c
+  gcc -Wall -c t-mont.c
+  gcc -Wall -c debug-bn.c
+  gcc -o t-mont t-mont.o ecc-mont.o bn.o mod.o mod25638.o debug-bn.o
+
+
+ *
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include "bn.h"
+
+const uint8_t k[32] = {
+  0x30, 0x01, 0x33, 0xE7, 0xDC, 0x52, 0xAD, 0x9F,
+  0x89, 0xFE, 0xC0, 0x59, 0x4A, 0x6D, 0x65, 0xE5,
+  0xF8, 0x7A, 0xD6, 0xA9, 0xA4, 0x89, 0x00, 0xB1,
+  0x93, 0x7E, 0xD3, 0x6F, 0x09, 0x1E, 0xB7, 0x76,
+};
+
+int
+main (int argc, char *argv[])
+{
+  int all_good = 1;
+  int r;
+  bn256 *pk;
+  bn256 a[1];
+  uint8_t out[32];
+
+  extern void ecdh_decrypt_curve25519 (const uint8_t *input,
+				       uint8_t *output,
+				       const bn256 *k);
+  extern uint8_t *ecdh_compute_public_25519 (const uint8_t*k);
+  extern void print_le_bn256 (const bn256 *X);
+
+  while (1)
+    {
+#if 0
+      hash[0] &= 248;
+      hash[31] &= 127;
+      hash[31] |= 64;
+      memcpy (a, hash, sizeof (bn256)); /* Lower half of hash */
+#endif
+
+      pk = ecdh_compute_public_25519 (k);
+      print_le_bn256 (pk);
+      return 0;
+
+#if 0
+      if (memcmp (pk, pk_calculated, sizeof (bn256)) != 0)
+	{
+	  printf ("ERR PK: %d\n", test_no);
+	  print_be_bn256 (sk);
+	  print_be_bn256 (pk);
+	  print_be_bn256 (pk_calculated);
+	  all_good = 0;
+	  continue;
+	}
+
+      ecdh_decrypt_25519 (msg, out, a);
+      if (memcmp (sig, R, sizeof (bn256)) != 0
+	  || memcmp (((const uint8_t *)sig)+32, S, sizeof (bn256)) != 0)
+	{
+	  printf ("ERR SIG: %d\n", test_no);
+	  print_le_bn256 (R);
+	  print_le_bn256 (S);
+	  print_le_bn256 ((const bn256 *)sig);
+	  print_le_bn256 ((const bn256 *)(((const uint8_t *)sig)+32));
+	  all_good = 0;
+	  continue;
+	}
+
+      printf ("%d\n", test_no);
+#endif
+    }
+  return all_good == 1?0:1;
+}

polarssl/include/polarssl/bn_mul.h

@@ -495,6 +495,67 @@
 #endif /* TriCore */
 
 #if defined(__arm__)
+#if defined(__ARM_FEATURE_DSP)
+/* The ARM DSP instructions are available on Cortex M4, M7 and
+   Cortex A CPUs */
+
+#define MULADDC_1024_CORE \
+        "ldmia  %[s]!, { r7, r8, r9, r10 } \n\t" \
+        "ldmia  %[d], { r3, r4, r5, r6 }   \n\t" \
+        "umaal  r3, %2, %[b], r7           \n\t" \
+        "umaal  r4, %2, %[b], r8           \n\t" \
+        "umaal  r5, %2, %[b], r9           \n\t" \
+        "umaal  r6, %2, %[b], r10          \n\t" \
+        "stmia  %[d]!, {r3, r4, r5, r6}    \n\t"
+
+#define MULADDC_1024_LOOP                        \
+   asm( "tst    %[i], #0xfe0           \n\t"     \
+        "beq    0f                     \n"       \
+"1:	 sub    %[i], %[i], #32        \n\t"     \
+        MULADDC_1024_CORE MULADDC_1024_CORE      \
+        MULADDC_1024_CORE MULADDC_1024_CORE      \
+        MULADDC_1024_CORE MULADDC_1024_CORE      \
+        MULADDC_1024_CORE MULADDC_1024_CORE      \
+        "tst    %[i], #0xfe0           \n\t"     \
+        "bne    1b                     \n"       \
+"0:"                                             \
+        : [s] "=r" (s), [d] "=r" (d), [c] "=r" (c), [i] "=r" (i)    \
+        : [b] "r" (b), "[s]" (s), "[d]" (d), "[c]" (c), "[i]" (i)   \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "memory", "cc" );
+
+#define MULADDC_INIT                                      \
+    asm(
+
+#define MULADDC_CORE                                      \
+                  "ldr    r0, [%0], #4            \n\t"   \
+                  "ldr    r1, [%1]                \n\t"   \
+                  "umaal  r1, %2, %3, r0          \n\t"   \
+                  "str    r1, [%1], #4            \n\t"
+
+#define MULADDC_HUIT                                      \
+                  "ldmia  %0!, {r0, r1, r2, r3}   \n\t"   \
+                  "ldmia  %1, {r4, r5, r6, r7}    \n\t"   \
+                  "umaal  r4, %2, %3, r0          \n\t"   \
+                  "umaal  r5, %2, %3, r1          \n\t"   \
+                  "umaal  r6, %2, %3, r2          \n\t"   \
+                  "umaal  r7, %2, %3, r3          \n\t"   \
+                  "stmia  %1!, {r4, r5, r6, r7}   \n\t"   \
+                  "ldmia  %0!, {r0, r1, r2, r3}   \n\t"   \
+                  "ldmia  %1, {r4, r5, r6, r7}    \n\t"   \
+                  "umaal  r4, %2, %3, r0          \n\t"   \
+                  "umaal  r5, %2, %3, r1          \n\t"   \
+                  "umaal  r6, %2, %3, r2          \n\t"   \
+                  "umaal  r7, %2, %3, r3          \n\t"   \
+                  "stmia  %1!, {r4, r5, r6, r7}   \n\t"
+
+#define MULADDC_STOP                                      \
+                  : "=r" (s), "=r" (d), "=r" (c)          \
+                  : "r" (b), "0" (s), "1" (d), "2" (c)    \
+                  : "r0", "r1", "r2", "r3", "r4", "r5",   \
+                    "r6", "r7", "memory");
+
+#else /* __ARM_FEATURE_DSP */
+
 #define MULADDC_1024_CORE                        \
        "ldmia  %[s]!, { r8, r9, r10 } \n\t"      \
        "ldmia  %[d], { r5, r6, r7 }   \n\t"      \
@@ -556,7 +617,7 @@
        : "r4", "r5", "r6", "r7", "r8", "r9", "r10", "memory", "cc" );
 
 /* Just for reference (dead code) */
-#define MULADDC_HUIT                                   \
+#define MULADDC_HUIT_DEAD                              \
                   "ldmia  %0!, { r4, r5 } \n\t"        \
                   "ldmia  %1, { r8, r9 }  \n\t"        \
                   "umull  r6, r7, %3, r4  \n\t"        \
@@ -620,6 +681,7 @@
                   : "r" (b), "0" (s), "1" (d), "2" (c)          \
                   : "r4", "r5", "r6", "r7", "memory", "cc" );
 
+#endif /* __ARM_FEATURE_DSP */
 #endif /* ARMv3 */
 
 #if defined(__alpha__)
@@ -811,8 +873,8 @@
 #else
 #define MULADDC_INIT                    \
 {                                       \
-    t_int s0, s1, b0, b1;               \
-    t_int r0, r1, rx, ry;               \
+    t_uint s0, s1, b0, b1;              \
+    t_uint r0, r1, rx, ry;              \
     b0 = ( b << biH ) >> biH;           \
     b1 = ( b >> biH );
 

polarssl/include/polarssl/config.h

@@ -209,9 +209,7 @@
  *
  * Enable the RSA prime-number generation code.
  */
-#ifdef KEYGEN_SUPPORT
 #define POLARSSL_GENPRIME
-#endif
 
 /**
  * \def POLARSSL_FS_IO

polarssl/library/aes.c

@@ -179,15 +179,15 @@ static const unsigned char FSb[256] =
     V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
 
 #define V(a,b,c,d) 0x##a##b##c##d
-const uint32_t FT0[256] __attribute__((section(".sys.0"))) = { FT };
+const uint32_t FT0[256] __attribute__((weak,section(".sys.0"))) = { FT };
 #undef V
 
 #define V(a,b,c,d) 0x##b##c##d##a
-const uint32_t FT1[256] __attribute__((section(".sys.1"))) = { FT };
+const uint32_t FT1[256] __attribute__((weak,section(".sys.1"))) = { FT };
 #undef V
 
 #define V(a,b,c,d) 0x##c##d##a##b
-const uint32_t FT2[256] __attribute__((section(".sys.2"))) = { FT };
+const uint32_t FT2[256] __attribute__((weak,section(".sys.2"))) = { FT };
 #undef V
 
 #define V(a,b,c,d) 0x##d##a##b##c

polarssl/library/bignum.c

@@ -37,7 +37,7 @@
 #include "polarssl/bignum.h"
 #include "polarssl/bn_mul.h"
 
-#include <stdlib.h>
+#include <gnuk-malloc.h>
 
 #define ciL    (sizeof(t_uint))         /* chars in limb  */
 #define biL    (ciL << 3)               /* bits  in limb  */
@@ -223,6 +223,26 @@ size_t mpi_lsb( const mpi *X )
     return( 0 );
 }
 
+#if !defined(POLARSSL_HAVE_UDBL)
+/*
+ * Count leading zero bits in a given integer
+ */
+static size_t int_clz( const t_uint x )
+{
+    size_t j;
+    t_uint mask = (t_uint) 1 << (biL - 1);
+
+    for( j = 0; j < biL; j++ )
+    {
+        if( x & mask ) break;
+
+        mask >>= 1;
+    }
+
+    return j;
+}
+#endif
+
 /*
  * Return the number of most significant bits
  */
@@ -1102,6 +1122,100 @@ int mpi_mul_int( mpi *X, const mpi *A, t_sint b )
     return( mpi_mul_mpi( X, A, &_B ) );
 }
 
+/*
+ * Unsigned integer divide - 64bit dividend and 32bit divisor
+ */
+static t_uint int_div_int(t_uint u1, t_uint u0, t_uint d, t_uint *r)
+{
+#if defined(POLARSSL_HAVE_UDBL)
+    t_udbl dividend, quotient;
+#else
+    const t_uint radix = (t_uint) 1 << biH;
+    const t_uint uint_halfword_mask = ( (t_uint) 1 << biH ) - 1;
+    t_uint d0, d1, q0, q1, rAX, r0, quotient;
+    t_uint u0_msw, u0_lsw;
+    size_t s;
+#endif
+
+    /*
+     * Check for overflow
+     */
+    if(( 0 == d ) || ( u1 >= d ))
+    {
+        if (r != NULL) *r = (~0UL);
+
+        return (~0UL);
+    }
+
+#if defined(POLARSSL_HAVE_UDBL)
+    dividend  = (t_udbl) u1 << biL;
+    dividend |= (t_udbl) u0;
+    quotient = dividend / d;
+    if( quotient > ( (t_udbl) 1 << biL ) - 1 )
+        quotient = ( (t_udbl) 1 << biL ) - 1;
+
+    if( r != NULL )
+        *r = (t_uint)( dividend - (quotient * d ) );
+
+    return (t_uint) quotient;
+#else
+
+    /*
+     * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+     *   Vol. 2 - Seminumerical Algorithms, Knuth
+     */
+
+    /*
+     * Normalize the divisor, d, and dividend, u0, u1
+     */
+    s = int_clz( d );
+    d = d << s;
+
+    u1 = u1 << s;
+    u1 |= ( u0 >> ( biL - s ) ) & ( -(t_sint)s >> ( biL - 1 ) );
+    u0 =  u0 << s;
+
+    d1 = d >> biH;
+    d0 = d & uint_halfword_mask;
+
+    u0_msw = u0 >> biH;
+    u0_lsw = u0 & uint_halfword_mask;
+
+    /*
+     * Find the first quotient and remainder
+     */
+    q1 = u1 / d1;
+    r0 = u1 - d1 * q1;
+
+    while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
+    {
+        q1 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    rAX = (u1 * radix) + (u0_msw - q1 * d);
+    q0 = rAX / d1;
+    r0 = rAX - q0 * d1;
+
+    while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
+    {
+        q0 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    if (r != NULL)
+        *r = (rAX * radix + u0_lsw - q0 * d) >> s;
+
+    quotient = q1 * radix + q0;
+
+    return quotient;
+#endif
+}
+
 /*
  * Division by mpi: A = Q * B + R  (HAC 14.20)
  */
@@ -1156,60 +1270,10 @@ int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
     for( i = n; i > t ; i-- )
     {
         if( X.p[i] >= Y.p[t] )
-            Z.p[i - t - 1] = ~0;
+            Z.p[i - t - 1] = ~0UL;
         else
         {
-#if defined(POLARSSL_HAVE_UDBL)
-            t_udbl r;
-
-            r  = (t_udbl) X.p[i] << biL;
-            r |= (t_udbl) X.p[i - 1];
-            r /= Y.p[t];
-            if( r > ((t_udbl) 1 << biL) - 1)
-                r = ((t_udbl) 1 << biL) - 1;
-
-            Z.p[i - t - 1] = (t_uint) r;
-#else
-            /*
-             * __udiv_qrnnd_c, from gmp/longlong.h
-             */
-            t_uint q0, q1, r0, r1;
-            t_uint d0, d1, d, m;
-
-            d  = Y.p[t];
-            d0 = ( d << biH ) >> biH;
-            d1 = ( d >> biH );
-
-            q1 = X.p[i] / d1;
-            r1 = X.p[i] - d1 * q1;
-            r1 <<= biH;
-            r1 |= ( X.p[i - 1] >> biH );
-
-            m = q1 * d0;
-            if( r1 < m )
-            {
-                q1--, r1 += d;
-                while( r1 >= d && r1 < m )
-                    q1--, r1 += d;
-            }
-            r1 -= m;
-
-            q0 = r1 / d1;
-            r0 = r1 - d1 * q0;
-            r0 <<= biH;
-            r0 |= ( X.p[i - 1] << biH ) >> biH;
-
-            m = q0 * d0;
-            if( r0 < m )
-            {
-                q0--, r0 += d;
-                while( r0 >= d && r0 < m )
-                    q0--, r0 += d;
-            }
-            r0 -= m;
-
-            Z.p[i - t - 1] = ( q1 << biH ) | q0;
-#endif
+            Z.p[i - t - 1] = int_div_int( X.p[i], X.p[i-1], Y.p[t], NULL);
         }
 
         Z.p[i - t - 1]++;
@@ -1233,7 +1297,7 @@ int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
         MPI_CHK( mpi_shift_l( &T1,  biL * (i - t - 1) ) );
         MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
 
-        if( mpi_cmp_int( &X, 0 ) < 0 )
+        while( mpi_cmp_int( &X, 0 ) < 0 )
         {
             MPI_CHK( mpi_copy( &T1, &Y ) );
             MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
@@ -1450,9 +1514,17 @@ static void mpi_montred( size_t n, const t_uint *np, t_uint mm, t_uint *d )
 /*
  * Montgomery square: A = A * A * R^-1 mod N
  * A is placed at the upper half of D.
+ *
+ * n : number of limbs of N
+ * np: pointer to limbs of bignum N
+ * mm: m' = -N^(-1) mod b where b = 2^number-of-bit-in-limb
+ * d (destination): the result [<-- temp -->][<--- A ---->]
+ *                               lower part    upper part
+ *                                   n-limb       n-limb
  */
 static void mpi_montsqr( size_t n, const t_uint *np, t_uint mm, t_uint *d )
 {
+#if defined(POLARSSL_HAVE_ASM) && defined(__arm__)
   size_t i;
   register t_uint c = 0;
 
@@ -1464,6 +1536,52 @@ static void mpi_montsqr( size_t n, const t_uint *np, t_uint mm, t_uint *d )
 
       x_i = *xj;
       *xj++ = c;
+
+#if defined(__ARM_FEATURE_DSP)
+      asm (/* (C,R4,R5) := w_i_i + x_i*x_i; w_i_i := R5; */
+           "mov    %[c], #0\n\t"
+           "ldr    r5, [%[wij]]\n\t"          /* R5 := w_i_i; */
+           "mov    r4, %[c]\n\t"
+           "umlal  r5, r4, %[x_i], %[x_i]\n\t"
+           "str    r5, [%[wij]], #4\n\t"
+           "cmp    %[xj], %[x_max1]\n\t"
+           "bhi    0f\n\t"
+           "mov    r9, %[c]\n\t"  /* R9 := 0, the constant ZERO from here.  */
+           "beq    1f\n"
+   "2:\n\t"
+           "ldmia  %[xj]!, { r7, r8 }\n\t"
+           "ldmia  %[wij], { r5, r6 }\n\t"
+           /* (C,R4,R5) := (C,R4) + w_i_j + 2*x_i*x_j; */
+           "umaal  r5, r4, %[x_i], r7\n\t"
+           "umlal  r5, %[c], %[x_i], r7\n\t"
+           "umaal  r4, %[c], r9, r9\n\t"
+           /* (C,R4,R6) := (C,R4) + w_i_j + 2*x_i*x_j; */
+           "umaal  r6, r4, %[x_i], r8\n\t"
+           "umlal  r6, %[c], %[x_i], r8\n\t"
+           "umaal  r4, %[c], r9, r9\n\t"
+           /**/
+           "stmia  %[wij]!, { r5, r6 }\n\t"
+           "cmp    %[xj], %[x_max1]\n\t"
+           "bcc    2b\n\t"
+           "bne    0f\n"
+   "1:\n\t"
+           /* (C,R4,R5) := (C,R4) + w_i_j + 2*x_i*x_j; */
+           "ldr    r5, [%[wij]]\n\t"
+           "ldr    r6, [%[xj]], #4\n\t"
+           "umaal  r5, r4, %[x_i], r6\n\t"
+           "umlal  r5, %[c], %[x_i], r6\n\t"
+           "umaal  r4, %[c], r9, r9\n\t"
+           "str    r5, [%[wij]], #4\n"
+   "0:\n\t"
+           "ldr    r5, [%[wij]]\n\t"
+           "adds   r4, r4, r5\n\t"
+           "adc    %[c], %[c], #0\n\t"
+           "str    r4, [%[wij]]"
+           : [c] "=&r" (c), [wij] "=r" (wij), [xj] "=r" (xj)
+           : [x_i] "r" (x_i), [x_max1] "r" (&d[n*2-1]),
+             "[wij]" (wij), "[xj]" (xj)
+           : "r4", "r5", "r6", "r7", "r8", "r9", "memory", "cc");
+#else
       asm (/* (C,R4,R5) := w_i_i + x_i*x_i; w_i_i := R5; */
            "mov    %[c], #0\n\t"
            "ldr    r5, [%[wij]]\n\t"          /* R5 := w_i_i; */
@@ -1525,6 +1643,7 @@ static void mpi_montsqr( size_t n, const t_uint *np, t_uint mm, t_uint *d )
            : [x_i] "r" (x_i), [x_max1] "r" (&d[n*2-1]),
              "[wij]" (wij), "[xj]" (xj)
            : "r4", "r5", "r6", "r7", "r8", "r9", "r12", "memory", "cc");
+#endif
 
         c += mpi_mul_hlp( n, np, &d[i], d[i] * mm );
     }
@@ -1536,16 +1655,30 @@ static void mpi_montsqr( size_t n, const t_uint *np, t_uint mm, t_uint *d )
       mpi_sub_hlp( n, np, d );
   else
       mpi_sub_hlp( n, d - n, d - n);
+#else
+  t_uint a_input[n];
+
+  memcpy (a_input, &d[n], sizeof (a_input));
+  mpi_montmul (n, np, mm, d, a_input);
+#endif
 }
 
 /*
  * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
  */
+#if MEMORY_SIZE >= 32
+#define MAX_WSIZE 6
+#elif MEMORY_SIZE >= 24
+#define MAX_WSIZE 5
+#else
+#define MAX_WSIZE 4
+#endif
 int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
 {
     int ret;
     size_t i = mpi_msb( E );
-    size_t wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
+    size_t wsize = ( i > 1024 ) ? MAX_WSIZE :
+      		   ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
                    ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
     size_t wbits, one = 1;
     size_t nblimbs;
@@ -1569,7 +1702,6 @@ int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
      * Init temps and window size
      */
     mpi_montg_init( &mm, N );
-    MPI_CHK( mpi_grow( X, N->n ) );
 
     /*
      * If 1st call, pre-compute R^2 mod N
@@ -1583,6 +1715,7 @@ int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
         memset (d, 0, 2 * N->n * ciL); /* Set D zero. */
         mpi_sub_hlp( N->n, N->p, d + N->n);
         MPI_CHK( mpi_mod_mpi( &RR, &T, N ) );
+        MPI_CHK( mpi_grow( &RR, N->n ) );
 
         if( _RR != NULL )
             memcpy( _RR, &RR, sizeof( mpi ) );
@@ -1594,6 +1727,8 @@ int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
         memset (d, 0, N->n * ciL); /* Set lower half of D zero. */
     }
 
+    MPI_CHK( mpi_grow( X, N->n ) );
+
     /*
      * W[1] = A * R^2 * R^-1 mod N = A * R mod N
      */
@@ -1987,17 +2122,19 @@ jkiss (struct jkiss_state *s)
 static int mpi_fill_pseudo_random ( mpi *X, size_t size)
 {
   int ret;
-  uint32_t *p;
+  uint32_t *p, *p_end;
 
   MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( size ) ) );
   MPI_CHK( mpi_lset( X, 0 ) );
 
   /* Assume little endian.  */
-  p = X->p;
-  while (p < X->p + (size/ciL))
+  p = (uint32_t *)X->p;
+  p_end = (uint32_t *)(X->p + (size/sizeof (uint32_t)));
+  while (p < p_end)
     *p++ = jkiss (&jkiss_state_v);
-  if ((size % ciL))
-    *p = jkiss (&jkiss_state_v) & ((1 << (8*(size % ciL))) - 1);
+
+  if ((size%sizeof (uint32_t)))
+    *p = jkiss (&jkiss_state_v) & ((1 << (8*(size % sizeof (uint32_t)))) - 1);
 
 cleanup:
   return ret;
@@ -2138,10 +2275,24 @@ cleanup:
  * Value M: multiply all primes up to 701 (except 97) and 797
  * (so that MAX_A will be convenient value)
  */
+#ifdef __LP64__
+#define M_LIMBS 16
+#else
 #define M_LIMBS 31
+#endif
 #define M_SIZE 122
 
 static const t_uint limbs_M[] = { /* Little endian */
+#ifdef __LP64__
+  0x9344A6AB84EEB59EUL, 0xEC855CDAFF21529FUL,
+  0x477E991E009BAB38UL, 0x2EEA23579F5B86F3UL, 
+  0xAC17D30441D6502FUL, 0x38FF52B90A468A6DUL, 
+  0x63630419FD42E5EFUL, 0x48CE17D091DB2572UL, 
+  0x708AB00AE3B57D0EUL, 0xF8A9DE08CD723598UL, 
+  0x731411374432C93BUL, 0x554DF2612779FAB3UL, 
+  0xDEEBDA58953D2BA5UL, 0xD1D66F2F5F57D007UL, 
+  0xB85C9607E84E9F2BUL, 0x000000000000401DUL
+#else
   0x84EEB59E, 0x9344A6AB, 0xFF21529F, 0xEC855CDA,
   0x009BAB38, 0x477E991E, 0x9F5B86F3, 0x2EEA2357,
   0x41D6502F, 0xAC17D304, 0x0A468A6D, 0x38FF52B9,
@@ -2150,6 +2301,7 @@ static const t_uint limbs_M[] = { /* Little endian */
   0x4432C93B, 0x73141137, 0x2779FAB3, 0x554DF261,
   0x953D2BA5, 0xDEEBDA58, 0x5F57D007, 0xD1D66F2F,
   0xE84E9F2B, 0xB85C9607, 0x0000401D
+#endif
 };
 
 static const mpi M[1] = {{ 1, M_LIMBS, (t_uint *)limbs_M }};
@@ -2157,10 +2309,18 @@ static const mpi M[1] = {{ 1, M_LIMBS, (t_uint *)limbs_M }};
 /*
  * MAX_A : 2^1024 / M - 1
  */
+#ifdef __LP64__
+#define MAX_A_LIMBS 1
+#else
 #define MAX_A_LIMBS 2
+#endif
 #define MAX_A_FILL_SIZE  6
 static const t_uint limbs_MAX_A[] = { /* Little endian */
+#ifdef __LP64__
+  0x0003FE2556A2B35FUL
+#else
   0x56A2B35F, 0x0003FE25
+#endif
 };
 
 static const mpi MAX_A[1] = {{ 1, MAX_A_LIMBS, (t_uint *)limbs_MAX_A }};
@@ -2210,9 +2370,8 @@ int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
 
       MPI_CHK ( mpi_mul_mpi ( X, X, M ) );
       MPI_CHK ( mpi_add_abs ( X, X, B ) );
-      if (X->n <= 31 || (X->p[31] & 0xc0000000) == 0)
+      if (X->n <= M_LIMBS || (X->p[M_LIMBS-1] & 0xc0000000) == 0)
         continue;
-
       ret = mpi_is_prime ( X );
       if (ret == 0 || ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE)
         break;

polarssl/library/rsa.c

@@ -39,7 +39,6 @@
 #include "polarssl/md.h"
 #endif
 
-#include <stdlib.h>
 #include <stdio.h>
 
 /*
@@ -671,14 +670,14 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
     size_t ilen, pad_count = 0;
     unsigned char *p, *q;
     unsigned char bt;
-    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
+    unsigned char buf[ctx->len];
 
     if( ctx->padding != RSA_PKCS_V15 )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     ilen = ctx->len;
 
-    if( ilen < 16 || ilen > sizeof( buf ) )
+    if( ilen < 16)
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     ret = ( mode == RSA_PUBLIC )

regnual/Makefile

@@ -1,8 +1,11 @@
 # Makefile for reGNUal
 
-PROJECT = regnual
+PROJECT = regnual-no-vidpid
+
+OBJS = regnual.o usb-stm32f103.o reset.o
+
+include ../src/config.mk
 
-OBJS = regnual.o usb_stm32f103.o sys.o
 LDSCRIPT= regnual.ld
 
 ###################################
@@ -19,11 +22,11 @@ TOPT = -mthumb -DTHUMB -mno-thumb-interwork
 # Define C warning options here
 CWARN = -Wall -Wextra -Wstrict-prototypes
 MCFLAGS= -mcpu=$(MCU)
-DEFS = -DFREE_STANDING
+DEFS += -DFREE_STANDING
 
 CFLAGS = -O2 -g
 CFLAGS += -Wa,-alms=$(notdir $(<:.c=.lst)) -fpie
-CFLAGS += $(CWARN) -I . -I ../src -fno-common $(MCFLAGS) $(TOPT) $(DEFS)
+CFLAGS += $(CWARN) -I . -I ../chopstx -fno-common $(MCFLAGS) $(TOPT) $(DEFS)
 
 LDFLAGS = -T$(LDSCRIPT) -nostartfiles $(MCFLAGS) $(TOPT)
 
@@ -32,19 +35,24 @@ LDFLAGS = -T$(LDSCRIPT) -nostartfiles $(MCFLAGS) $(TOPT)
 
 all: regnual.hex
 
-regnual.o: regnual.c ../src/sys.h
+regnual.o: regnual.c ../chopstx/sys.h ../chopstx/usb_lld.h
 
 regnual.hex: regnual.elf
 	$(OBJCOPY) -Obinary regnual.elf regnual.bin
 	$(OBJCOPY) -Oihex regnual.elf regnual.hex
 
-usb_stm32f103.o: ../src/usb_stm32f103.c
-	$(CC) $(CFLAGS) -c -o usb_stm32f103.o ../src/usb_stm32f103.c
+regnual.elf: regnual-no-vidpid.elf
+	cp -p regnual-no-vidpid.elf regnual.elf
+	env FILE="regnual.elf" PATH="../src:$$PATH" bash put-vid-pid-ver.sh
 
-regnual.elf: $(OBJS) $(LDSCRIPT)
-	$(CC) $(LDFLAGS) -o regnual.elf $(OBJS)
+usb-stm32f103.o: ../chopstx/mcu/usb-stm32f103.c
+	$(CC) $(CFLAGS) -c -o usb-stm32f103.o ../chopstx/mcu/usb-stm32f103.c
+
+regnual-no-vidpid.elf: $(OBJS) $(LDSCRIPT)
+	$(CC) $(LDFLAGS) -o regnual-no-vidpid.elf $(OBJS)
 
 clean:
-	-rm -f $(OBJS) regnual.elf regnual.hex regnual.bin
+	-rm -f $(OBJS) regnual-no-vidpid.elf regnual.elf regnual.hex regnual.bin \
+		*.lst
 
 distclean: clean

regnual/regnual.c

@@ -1,7 +1,8 @@
 /*
  * regnual.c -- Firmware installation for STM32F103 Flash ROM
  *
- * Copyright (C) 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2012, 2013, 2015, 2016, 2017, 2018
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -25,56 +26,66 @@
  * ReGNUal
  */
 
+#include <string.h>
+
 #include "types.h"
 #include "usb_lld.h"
 #include "sys.h"
 
-extern void *memset (void *s, int c, size_t n);
-
 extern void set_led (int);
-extern uint8_t _flash_start,  _flash_end;
 extern int flash_write (uint32_t dst_addr, const uint8_t *src, size_t len);
 extern int flash_protect (void);
 extern void nvic_system_reset (void);
 
 
+#define FLASH_START_ADDR 0x08000000 /* Fixed for all STM32F1.  */
+#define FLASH_OFFSET     0x1000     /* First pages are not-writable.  */
+#define FLASH_START      (FLASH_START_ADDR+FLASH_OFFSET)
+#define FLASH_SIZE_REG   ((uint16_t *)0x1ffff7e0)
+static uint32_t flash_end;
+
+
 #define ENDP0_RXADDR        (0x40)
 #define ENDP0_TXADDR        (0x80)
 
 /* USB Standard Device Descriptor */
 static const uint8_t regnual_device_desc[] = {
   18,   /* bLength */
-  USB_DEVICE_DESCRIPTOR_TYPE,     /* bDescriptorType */
+  DEVICE_DESCRIPTOR,     /* bDescriptorType */
   0x10, 0x01,   /* bcdUSB = 1.1 */
   0xFF,   /* bDeviceClass: VENDOR */
   0x00,   /* bDeviceSubClass */
   0x00,   /* bDeviceProtocol */
   0x40,   /* bMaxPacketSize0 */
-#include "../src/usb-vid-pid-ver.c.inc"
+  0x00, 0x00,		/* idVendor  (will be replaced)     */
+  0x00, 0x00,		/* idProduct (will be replaced)     */
+  0x00, 0x00,		/* bcdDevice (will be replaced)     */
   1, /* Index of string descriptor describing manufacturer */
   2, /* Index of string descriptor describing product */
   3, /* Index of string descriptor describing the device's serial number */
   0x01    /* bNumConfigurations */
 };
 
+#if defined(USB_SELF_POWERED)
+#define REGNUAL_FEATURE_INIT 0xC0  /* self powered */
+#else
+#define REGNUAL_FEATURE_INIT 0x80  /* bus powered */
+#endif
+
 static const uint8_t regnual_config_desc[] = {
   9,
-  USB_CONFIGURATION_DESCRIPTOR_TYPE, /* bDescriptorType: Configuration */
-  18, 0,			/* wTotalLength: no of returned bytes */
-  1,			/* bNumInterfaces: single vender interface */
+  CONFIG_DESCRIPTOR,	/* bDescriptorType: Configuration */
+  18, 0,		/* wTotalLength: no of returned bytes */
+  1,			/* bNumInterfaces: single vendor interface */
   0x01,			/* bConfigurationValue: Configuration value */
   0x00,			/* iConfiguration: None */
-#if defined(USB_SELF_POWERED)
-  0xC0,				/* bmAttributes: self powered */
-#else
-  0x80,				/* bmAttributes: bus powered */
-#endif
-  50,				/* MaxPower 100 mA */
+  REGNUAL_FEATURE_INIT, /* bmAttributes: bus powered */
+  50,			/* MaxPower 100 mA */
 
   /* Interface Descriptor */
   9,
-  USB_INTERFACE_DESCRIPTOR_TYPE, /* bDescriptorType: Interface */
-  0,				 /* bInterfaceNumber: Index of this interface */
+  INTERFACE_DESCRIPTOR,	    /* bDescriptorType: Interface */
+  0,		            /* bInterfaceNumber: Index of this interface */
   0,			    /* Alternate setting for this interface */
   0,			    /* bNumEndpoints: None */
   0xFF,
@@ -85,7 +96,7 @@ static const uint8_t regnual_config_desc[] = {
 
 static const uint8_t regnual_string_lang_id[] = {
   4,				/* bLength */
-  USB_STRING_DESCRIPTOR_TYPE,
+  STRING_DESCRIPTOR,
   0x09, 0x04			/* LangID = 0x0409: US-English */
 };
 
@@ -93,23 +104,17 @@ static const uint8_t regnual_string_lang_id[] = {
 
 static const uint8_t regnual_string_serial[] = {
   8*2+2,
-  USB_STRING_DESCRIPTOR_TYPE,
+  STRING_DESCRIPTOR,
   /* FSIJ-0.0 */
   'F', 0, 'S', 0, 'I', 0, 'J', 0, '-', 0, 
   '0', 0, '.', 0, '0', 0,
 };
 
 
-void
-usb_cb_device_reset (void)
+static void
+usb_device_reset (struct usb_dev *dev)
 {
-  /* Set DEVICE as not configured */
-  usb_lld_set_configuration (0);
-
-  /* Current Feature initialization */
-  usb_lld_set_feature (regnual_config_desc[7]);
-
-  usb_lld_reset ();
+  usb_lld_reset (dev, REGNUAL_FEATURE_INIT);
 
   /* Initialize Endpoint 0 */
   usb_lld_setup_endpoint (ENDP0, EP_CONTROL, 0, ENDP0_RXADDR, ENDP0_TXADDR,
@@ -144,19 +149,33 @@ static uint32_t fetch (int i)
 }
 
 struct CRC {
-  __IO uint32_t DR;
-  __IO uint8_t  IDR;
+  volatile uint32_t DR;
+  volatile uint8_t  IDR;
   uint8_t   RESERVED0;
   uint16_t  RESERVED1;
-  __IO uint32_t CR;
+  volatile uint32_t CR;
 };
+static struct CRC *const CRC = (struct CRC *)0x40023000;
+
+struct RCC {
+  volatile uint32_t CR;
+  volatile uint32_t CFGR;
+  volatile uint32_t CIR;
+  volatile uint32_t APB2RSTR;
+  volatile uint32_t APB1RSTR;
+  volatile uint32_t AHBENR;
+  /* ... */
+};
+static struct RCC *const RCC = (struct RCC *)0x40021000;
+#define RCC_AHBENR_CRCEN        0x00000040
+
 
 #define  CRC_CR_RESET 0x01
 static uint32_t calc_crc32 (void)
 {
-  struct CRC *CRC = (struct CRC *)0x40023000;
   int i;
 
+  RCC->AHBENR |= RCC_AHBENR_CRCEN;
   CRC->CR = CRC_CR_RESET;
 
   for (i = 0; i < 256/4; i++)
@@ -166,108 +185,101 @@ static uint32_t calc_crc32 (void)
 }
 
 
-void usb_cb_ctrl_write_finish (uint8_t req, uint8_t req_no, uint16_t value,
-			       uint16_t index, uint16_t len)
+static void
+usb_ctrl_write_finish (struct usb_dev *dev)
 {
-  uint8_t type_rcp = req & (REQUEST_TYPE|RECIPIENT);
+  struct device_req *arg = &dev->dev_req;
+  uint8_t type_rcp = arg->type & (REQUEST_TYPE|RECIPIENT);
 
-  if (type_rcp == (VENDOR_REQUEST | DEVICE_RECIPIENT) && USB_SETUP_SET (req))
+  if (type_rcp == (VENDOR_REQUEST | DEVICE_RECIPIENT)
+      && USB_SETUP_SET (arg->type))
     {
-      if (req_no == USB_REGNUAL_SEND && value == 0)
+      if (arg->request == USB_REGNUAL_SEND && arg->value == 0)
 	result = calc_crc32 ();
-      else if (req_no == USB_REGNUAL_FLASH && len == 0 && index == 0)
+      else if (arg->request == USB_REGNUAL_FLASH)
 	{
-	  uint32_t dst_addr = (0x08000000 + value * 0x100);
+	  uint32_t dst_addr = (0x08000000 + arg->value * 0x100);
 
 	  result = flash_write (dst_addr, (const uint8_t *)mem, 256);
 	}
-      else if (req_no == USB_REGNUAL_PROTECT && len == 0
-	       && value == 0 && index == 0)
+      else if (arg->request == USB_REGNUAL_PROTECT && arg->value == 0)
 	result = flash_protect ();
-      else if (req_no == USB_REGNUAL_FINISH && len == 0
-	       && value == 0 && index == 0)
+      else if (arg->request == USB_REGNUAL_FINISH && arg->value == 0)
 	nvic_system_reset ();
     }
 }
 
-int
-usb_cb_setup (uint8_t req, uint8_t req_no,
-	      uint16_t value, uint16_t index, uint16_t len)
+static int
+usb_setup (struct usb_dev *dev)
 {
-  uint8_t type_rcp = req & (REQUEST_TYPE|RECIPIENT);
+  struct device_req *arg = &dev->dev_req;
+  uint8_t type_rcp = arg->type & (REQUEST_TYPE|RECIPIENT);
 
   if (type_rcp == (VENDOR_REQUEST | DEVICE_RECIPIENT))
     {
-      if (USB_SETUP_GET (req))
+      if (USB_SETUP_GET (arg->type))
 	{
-	  if (req_no == USB_REGNUAL_MEMINFO)
+	  if (arg->request == USB_REGNUAL_MEMINFO)
 	    {
-	      static const uint8_t *mem_info[2];
+	      const uint8_t *mem_info[2];
 
-	      mem_info[0] = &_flash_start;
-	      mem_info[1] = &_flash_end;
-	      usb_lld_set_data_to_send (mem_info, sizeof (mem_info));
-	      return USB_SUCCESS;
-	    }
-	  else if (req_no == USB_REGNUAL_RESULT)
-	    {
-	      usb_lld_set_data_to_send (&result, sizeof (uint32_t));
-	      return USB_SUCCESS;
+	      mem_info[0] = (const uint8_t *)FLASH_START;
+	      mem_info[1] = (const uint8_t *)flash_end;
+	      return usb_lld_ctrl_send (dev, mem_info, sizeof (mem_info));
 	    }
+	  else if (arg->request == USB_REGNUAL_RESULT)
+	    return usb_lld_ctrl_send (dev, &result, sizeof (uint32_t));
 	}
       else /* SETUP_SET */
 	{
-	  if (req_no == USB_REGNUAL_SEND)
+	  if (arg->request == USB_REGNUAL_SEND)
 	    {
-	      if (value != 0 || index + len > 256)
-		return USB_UNSUPPORT;
+	      if (arg->value != 0 || arg->index + arg->len > 256)
+		return -1;
 
-	      if (index + len < 256)
-		memset ((uint8_t *)mem + index + len, 0xff,
-			256 - (index + len));
+	      if (arg->index + arg->len < 256)
+		memset ((uint8_t *)mem + arg->index + arg->len, 0xff,
+			256 - (arg->index + arg->len));
 
-	      usb_lld_set_data_to_recv (mem + index, len);
-	      return USB_SUCCESS;
+	      return usb_lld_ctrl_recv (dev, mem + arg->index, arg->len);
 	    }
-	  else if (req_no == USB_REGNUAL_FLASH && len == 0 && index == 0)
+	  else if (arg->request == USB_REGNUAL_FLASH && arg->len == 0
+		   && arg->index == 0)
 	    {
-	      uint32_t dst_addr = (0x08000000 + value * 0x100);
+	      uint32_t dst_addr = (0x08000000 + arg->value * 0x100);
 
-	      if (dst_addr + 256 <= (uint32_t)&_flash_end)
-		return USB_SUCCESS;
+	      if (dst_addr + 256 <= flash_end)
+		return usb_lld_ctrl_ack (dev);
 	    }
-	  else if (req_no == USB_REGNUAL_PROTECT && len == 0
-		   && value == 0 && index == 0)
-	    return USB_SUCCESS;
-	  else if (req_no == USB_REGNUAL_FINISH && len == 0
-		   && value == 0 && index == 0)
-	    return USB_SUCCESS;
+	  else if (arg->request == USB_REGNUAL_PROTECT && arg->len == 0
+		   && arg->value == 0 && arg->index == 0)
+	    return usb_lld_ctrl_ack (dev);
+	  else if (arg->request == USB_REGNUAL_FINISH && arg->len == 0
+		   && arg->value == 0 && arg->index == 0)
+	    return usb_lld_ctrl_ack (dev);
 	}
     }
 
-  return USB_UNSUPPORT;
+  return -1;
 }
 
-int
-usb_cb_get_descriptor (uint8_t rcp, uint8_t desc_type, uint8_t desc_index,
-		       uint16_t index)
+static int
+usb_get_descriptor (struct usb_dev *dev)
 {
-  (void)index;
+  struct device_req *arg = &dev->dev_req;
+  uint8_t rcp = arg->type & RECIPIENT;
+  uint8_t desc_type = (arg->value >> 8);
+  uint8_t desc_index = (arg->value & 0xff);
+
   if (rcp != DEVICE_RECIPIENT)
-    return USB_UNSUPPORT;
+    return -1;
 
   if (desc_type == DEVICE_DESCRIPTOR)
-    {
-      usb_lld_set_data_to_send (regnual_device_desc,
-				sizeof (regnual_device_desc));
-      return USB_SUCCESS;
-    }
+    return usb_lld_ctrl_send (dev, regnual_device_desc,
+			      sizeof (regnual_device_desc));
   else if (desc_type == CONFIG_DESCRIPTOR)
-    {
-      usb_lld_set_data_to_send (regnual_config_desc,
-				sizeof (regnual_config_desc));
-      return USB_SUCCESS;
-    }
+    return usb_lld_ctrl_send (dev, regnual_config_desc,
+			      sizeof (regnual_config_desc)); 
   else if (desc_type == STRING_DESCRIPTOR)
     {
       const uint8_t *str;
@@ -280,48 +292,50 @@ usb_cb_get_descriptor (uint8_t rcp, uint8_t desc_type, uint8_t desc_index,
 	  size = sizeof (regnual_string_lang_id);
 	  break;
 	case 1:
-	  str = gnukStringVendor;
-	  size = sizeof (gnukStringVendor);
+	  str = gnuk_string_vendor;
+	  size = sizeof (gnuk_string_vendor);
 	  break;
 	case 2:
-	  str = gnukStringProduct;
-	  size = sizeof (gnukStringProduct);
+	  str = gnuk_string_product;
+	  size = sizeof (gnuk_string_product);
 	  break;
 	case 3:
 	  str = regnual_string_serial;
 	  size = sizeof (regnual_string_serial);
 	  break;
 	default:
-	  return USB_UNSUPPORT;
+	  return -1;
 	}
 
-      usb_lld_set_data_to_send (str, size);
-      return USB_SUCCESS;
+      return usb_lld_ctrl_send (dev, str, size);
     }
 
-  return USB_UNSUPPORT;
+  return -1;
 }
 
-int usb_cb_handle_event (uint8_t event_type, uint16_t value)
+static int
+usb_set_configuration (struct usb_dev *dev)
 {
-  (void)value;
+  uint8_t current_conf;
 
-  switch (event_type)
+  current_conf = usb_lld_current_configuration (dev);
+  if (current_conf == 0)
     {
-    case USB_EVENT_ADDRESS:
-    case USB_EVENT_CONFIG:
-      return USB_SUCCESS;
-    default:
-      break;
+      if (dev->dev_req.value != 1)
+	return -1;
+
+      usb_lld_set_configuration (dev, 1);
+    }
+  else if (current_conf != dev->dev_req.value)
+    {
+      if (dev->dev_req.value != 0)
+	return -1;
+
+      usb_lld_set_configuration (dev, 0);
     }
 
-  return USB_UNSUPPORT;
-}
-
-int usb_cb_interface (uint8_t cmd, uint16_t interface, uint16_t alt)
-{
-  (void)cmd; (void)interface; (void)alt;
-  return USB_UNSUPPORT;
+  /* Do nothing when current_conf == value */
+  return usb_lld_ctrl_ack (dev);
 }
 
 
@@ -335,6 +349,31 @@ static void wait (int count)
 
 #define WAIT 2400000
 
+/* NVIC: Nested Vectored Interrupt Controller.  */
+struct NVIC {
+  volatile uint32_t ISER[8];
+  uint32_t unused1[24];
+  volatile uint32_t ICER[8];
+  uint32_t unused2[24];
+  volatile uint32_t ISPR[8];
+  uint32_t unused3[24];
+  volatile uint32_t ICPR[8];
+  uint32_t unused4[24];
+  volatile uint32_t IABR[8];
+  uint32_t unused5[56];
+  volatile uint32_t IPR[60];
+};
+static struct NVIC *const NVIC = (struct NVIC *const)0xE000E100;
+#define NVIC_ISER(n)	(NVIC->ISER[n >> 5])
+
+static void nvic_enable_intr (uint8_t irq_num)
+{
+  NVIC_ISER (irq_num) = 1 << (irq_num & 0x1f);
+}
+
+#define USB_LP_CAN1_RX0_IRQn	 20
+static struct usb_dev dev;
+
 int
 main (int argc, char *argv[])
 {
@@ -342,7 +381,19 @@ main (int argc, char *argv[])
 
   set_led (0);
 
-  usb_lld_init (regnual_config_desc[7]);
+#if defined(STM32F103_OVERRIDE_FLASH_SIZE_KB)
+  flash_end = FLASH_START_ADDR + STM32F103_OVERRIDE_FLASH_SIZE_KB*1024;
+#else
+  flash_end = FLASH_START_ADDR + (*FLASH_SIZE_REG)*1024;
+#endif
+
+  /*
+   * NVIC interrupt priority was set by Gnuk.
+   * USB interrupt is disabled by NVIC setting.
+   * We enable the interrupt again by nvic_enable_intr.
+   */
+  usb_lld_init (&dev, REGNUAL_FEATURE_INIT);
+  nvic_enable_intr (USB_LP_CAN1_RX0_IRQn);
 
   while (1)
     {
@@ -352,3 +403,69 @@ main (int argc, char *argv[])
       wait (WAIT);
     }
 }
+
+void
+usb_interrupt_handler (void)
+{
+  uint8_t ep_num;
+  int e;
+
+  e = usb_lld_event_handler (&dev);
+  ep_num = USB_EVENT_ENDP (e);
+
+  if (ep_num == 0)
+    switch (USB_EVENT_ID (e))
+      {
+      case USB_EVENT_DEVICE_RESET:
+	usb_device_reset (&dev);
+	break;
+
+      case USB_EVENT_DEVICE_ADDRESSED:
+	break;
+
+      case USB_EVENT_GET_DESCRIPTOR:
+	if (usb_get_descriptor (&dev) < 0)
+	  usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_SET_CONFIGURATION:
+	if (usb_set_configuration (&dev) < 0)
+	  usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_SET_INTERFACE:
+	usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_CTRL_REQUEST:
+	/* Device specific device request.  */
+	if (usb_setup (&dev) < 0)
+	  usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_GET_STATUS_INTERFACE:
+	usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_GET_INTERFACE:
+	usb_lld_ctrl_error (&dev);
+	break;
+
+      case USB_EVENT_SET_FEATURE_DEVICE:
+      case USB_EVENT_SET_FEATURE_ENDPOINT:
+      case USB_EVENT_CLEAR_FEATURE_DEVICE:
+      case USB_EVENT_CLEAR_FEATURE_ENDPOINT:
+	usb_lld_ctrl_ack (&dev);
+	break;
+
+      case USB_EVENT_CTRL_WRITE_FINISH:
+	/* Control WRITE transfer finished.  */
+	usb_ctrl_write_finish (&dev);
+	break;
+
+      case USB_EVENT_OK:
+      case USB_EVENT_DEVICE_SUSPEND:
+      default:
+	break;
+      }
+}

regnual/regnual.ld

@@ -12,8 +12,6 @@ MEMORY
 }
 
 vector = 0x08000000;
-_flash_start = 0x08001000;
-_flash_end   = 0x08020000;
 
 __ram_start__           = ORIGIN(ram0);
 __ram_size__            = 20k;

regnual/types.h

@@ -1,12 +1,7 @@
-typedef unsigned long size_t;
-
 typedef unsigned char uint8_t;
 typedef unsigned short uint16_t;
 typedef unsigned int uint32_t;
+typedef unsigned int uintptr_t;
 
 #define TRUE  1
 #define FALSE 0
-
-#define NULL  0
-
-#define     __IO    volatile

src/Makefile

@@ -0,0 +1,110 @@
+# Makefile for Gnuk
+
+# Define project name here
+PROJECT = gnuk
+
+CHOPSTX = ../chopstx
+
+CSRC = main.c call-rsa.c \
+	usb_desc.c usb_ctrl.c \
+	usb-ccid.c openpgp.c ac.c openpgp-do.c flash.c \
+	bn.c mod.c \
+	modp256r1.c jpc_p256r1.c ec_p256r1.c call-ec_p256r1.c \
+	modp256k1.c jpc_p256k1.c ec_p256k1.c call-ec_p256k1.c \
+	mod25638.c ecc-edwards.c ecc-mont.c sha512.c \
+	random.c neug.c sha256.c
+
+INCDIR =
+
+CRYPTDIR = ../polarssl
+CRYPTSRCDIR = $(CRYPTDIR)/library
+CRYPTINCDIR = $(CRYPTDIR)/include
+CRYPTSRC = $(CRYPTSRCDIR)/bignum.c $(CRYPTSRCDIR)/rsa.c $(CRYPTSRCDIR)/aes.c
+
+CSRC += $(CRYPTSRC)
+INCDIR += $(CRYPTINCDIR)
+
+include config.mk
+
+USE_SYS = yes
+USE_USB = yes
+USE_ADC = yes
+USE_EVENTFLAG = yes
+
+ifeq ($(EMULATION),)
+DEFS += -DFLASH_UPGRADE_SUPPORT
+else
+DEFS += -DBN256_C_IMPLEMENTATION
+endif
+
+ifneq ($(ENABLE_DEBUG),)
+CSRC += debug.c
+endif
+
+ifneq ($(ENABLE_PINPAD),)
+CSRC += pin-$(ENABLE_PINPAD).c
+endif
+
+ifeq ($(ENABLE_PINPAD),dnd)
+CSRC += usb-msc.c
+endif
+
+ifeq ($(CHIP),stm32f103)
+CSRC += mcu-stm32f103.c 
+endif
+
+ifneq ($(USE_DFU),)
+OBJS_ADD += build/stdaln-sys-bin.o
+endif
+
+###################################
+CC   = $(CROSS)gcc
+LD   = $(CROSS)gcc
+OBJCOPY   = $(CROSS)objcopy
+
+CWARN = -Wall -Wextra -Wstrict-prototypes
+OPT   = -O3 -Os -g
+
+#######################
+include $(CHOPSTX)/rules.mk
+
+board.h:
+	@echo Please run configure to have a symbolic link \'board.h\'
+	@exit 1
+
+sys.c: board.h
+
+build/bignum.o: OPT = -O3 -g
+
+build/stdaln-sys.elf: build/sys-$(CHIP).o stdaln-sys.ld
+	@echo
+	$(LD) -v $< $(MCFLAGS) -nostartfiles -Tstdaln-sys.ld -Wl,--no-warn-mismatch,--gc-sections $(LLIBDIR) -o $@
+
+build/stdaln-sys-bin.o: build/stdaln-sys.elf
+	@echo
+	$(OBJCOPY) -O binary -j .sys $< build/stdaln-sys.bin
+	$(OBJCOPY) -I binary -O default --rename-section .data=.rodata \
+		build/stdaln-sys.bin $@
+
+distclean: clean
+	-rm -f gnuk.ld stdaln-sys.ld config.h board.h config.mk \
+	       usb-strings.c.inc put-vid-pid-ver.sh
+
+ifeq ($(EMULATION),)
+build/gnuk.elf: build/gnuk-no-vidpid.elf binary-edit.sh put-vid-pid-ver.sh
+	cp -p build/gnuk-no-vidpid.elf build/gnuk.elf
+	env FILE="build/gnuk.elf" bash put-vid-pid-ver.sh
+	$(OBJCOPY) -O ihex build/gnuk.elf build/gnuk.hex
+	$(OBJCOPY) -O binary build/gnuk.elf build/gnuk.bin
+else
+# By specifying DESTDIR on invocation of "make", you can install
+# program to different ROOT.
+
+# The variables prefix, exec_prefix, libexecdir are defined in
+# config.mk.
+
+install: build/gnuk
+	test -d "$(DESTDIR)$(libexecdir)" || mkdir -p "$(DESTDIR)$(libexecdir)"
+	install -c build/gnuk "$(DESTDIR)$(libexecdir)"
+
+endif

src/Makefile.in

@@ -1,73 +0,0 @@
-# Makefile for Gnuk
-
-# Define project name here
-PROJECT = gnuk
-
-CHOPSTX = ../chopstx
-
-# Define linker script file here
-LDSCRIPT= gnuk.ld
-
-CSRC = main.c usb_stm32f103.c adc_stm32f103.c \
-	usb_desc.c usb_ctrl.c \
-	call-rsa.c \
-	usb-icc.c openpgp.c ac.c openpgp-do.c flash.c \
-	bn.c mod.c \
-	modp256r1.c jpc_p256r1.c ec_p256r1.c call-ec_p256r1.c \
-	modp256k1.c jpc_p256k1.c ec_p256k1.c call-ec_p256k1.c \
-	mod25638.c ecc-edwards.c sha512.c \
-	random.c neug.c sha256.c sys.c
-
-INCDIR =
-
-CRYPTDIR = ../polarssl
-CRYPTSRCDIR = $(CRYPTDIR)/library
-CRYPTINCDIR = $(CRYPTDIR)/include
-CRYPTSRC = $(CRYPTSRCDIR)/bignum.c $(CRYPTSRCDIR)/rsa.c $(CRYPTSRCDIR)/aes.c
-
-CSRC += $(CRYPTSRC)
-INCDIR += $(CRYPTINCDIR)
-
-@PINPAD_MAKE_OPTION@
-@DEBUG_MAKE_OPTION@
-@HEXOUTPUT_MAKE_OPTION@
-
-USE_EVENTFLAG = yes
-
-ifneq ($(ENABLE_DEBUG),)
-CSRC += debug.c
-endif
-
-ifneq ($(ENABLE_PINPAD),)
-CSRC += pin-$(ENABLE_PINPAD).c
-endif
-
-ifeq ($(ENABLE_PINPAD),dnd)
-CSRC += usb-msc.c
-endif
-
-###################################
-CROSS = arm-none-eabi-
-CC   = $(CROSS)gcc
-LD   = $(CROSS)gcc
-OBJCOPY   = $(CROSS)objcopy
-
-MCU   = cortex-m3
-CWARN = -Wall -Wextra -Wstrict-prototypes
-# DEFS: Add  
-DEFS  = -DCHX_PRIO_MAIN=5 -DRSA_AUTH -DRSA_SIG @KEYGEN_SUPPORT@ @HAVE_SYS_H@
-OPT   = -O3 -Os -g
-LIBS  =
-
-#######################
-include $(CHOPSTX)/rules.mk
-
-board.h:
-	@echo Please run configure to have a symbolic link \'board.h\'
-	@exit 1
-
-sys.c: board.h
-
-distclean: clean
-	-rm -f gnuk.ld config.h board.h Makefile \
-	       usb-strings.c.inc usb-vid-pid-ver.c.inc

src/ac.c

@@ -1,7 +1,7 @@
 /*
  * ac.c -- Check access condition
  *
- * Copyright (C) 2010, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2010, 2012, 2013, 2017 Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -63,7 +63,7 @@ verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len, int pw_len_known,
 	       const uint8_t *ks_pw1, int save_ks)
 {
   int pw_len;
-  int r1, r2;
+  int r;
   uint8_t keystring[KEYSTRING_MD_SIZE];
   const uint8_t *salt;
   int salt_len;
@@ -73,12 +73,14 @@ verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len, int pw_len_known,
 
   if (ks_pw1 == NULL)
     {
-      pw_len = strlen (OPENPGP_CARD_INITIAL_PW1);
+      const uint8_t *initial_pw;
+
       salt = NULL;
       salt_len = 0;
+      gpg_do_get_initial_pw_setting (0, &pw_len, &initial_pw);
       if ((pw_len_known >= 0 && pw_len_known != pw_len)
 	  || buf_len < pw_len
-	  || strncmp ((const char *)pw, OPENPGP_CARD_INITIAL_PW1, pw_len))
+	  || memcmp (pw, initial_pw, pw_len))
 	goto failure;
     }
   else
@@ -97,21 +99,31 @@ verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len, int pw_len_known,
     memcpy (keystring_md_pw3, keystring, KEYSTRING_MD_SIZE);
 
   if (access == AC_PSO_CDS_AUTHORIZED)
-    {
-      r1 = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
-      r2 = 0;
-    }
+    r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
   else
     {
+      int r1, r2;
+
       r1 = gpg_do_load_prvkey (GPG_KEY_FOR_DECRYPTION, BY_USER, keystring);
       r2 = gpg_do_load_prvkey (GPG_KEY_FOR_AUTHENTICATION, BY_USER, keystring);
+
+      if (r1 < 0 || r2 < 0)
+	r = -1;
+      else if (r1 == 0)
+	{
+	  if (r2 == 0)
+	    /* No encryption/authentication keys, then, check signing key.  */
+	    r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, keystring);
+	  else
+	    r = r2;
+	}
+      else if (r2 == 0)
+	r = r1;
+      else
+	r = 1;
     }
 
-  if (r1 < 0 || r2 < 0
-      || (r1 == 0 && r2 == 0 && ks_pw1 != NULL
-	  && ((ks_pw1[0] & PW_LEN_KEYSTRING_BIT) == 0
-	      || memcmp (KS_GET_KEYSTRING (ks_pw1),
-			 keystring, KEYSTRING_MD_SIZE) != 0)))
+  if (r < 0)
     {
     failure:
       gpg_pw_increment_err_counter (PW_ERR_PW1);
@@ -161,7 +173,7 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
 		 const uint8_t *ks, int save_ks)
 {
   int pw_len;
-  int r1, r2;
+  int r;
   uint8_t keystring[KEYSTRING_MD_SIZE];
   const uint8_t *salt;
   int salt_len;
@@ -169,7 +181,7 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
   pw_len = ks[0] & PW_LEN_MASK;
   salt = KS_GET_SALT (ks);
   salt_len = SALT_SIZE;
-  
+
   if ((pw_len_known >= 0 && pw_len_known != pw_len) || buf_len < pw_len)
     return -1;
 
@@ -177,12 +189,11 @@ verify_admin_00 (const uint8_t *pw, int buf_len, int pw_len_known,
   if (save_ks)
     memcpy (keystring_md_pw3, keystring, KEYSTRING_MD_SIZE);
 
-  r1 = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_ADMIN, keystring);
-  r2 = 0;
+  r = gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_ADMIN, keystring);
 
-  if (r1 < 0 || r2 < 0)
+  if (r < 0)
     return -1;
-  else if (r1 == 0 && r2 == 0)
+  else if (r == 0)
     if ((ks[0] & PW_LEN_KEYSTRING_BIT) == 0
 	|| memcmp (KS_GET_KEYSTRING (ks), keystring, KEYSTRING_MD_SIZE) != 0)
       return -1;
@@ -220,6 +231,7 @@ verify_admin_0 (const uint8_t *pw, int buf_len, int pw_len_known,
     }
   else
     {
+      const uint8_t *initial_pw;
       const uint8_t *ks_pw1 = gpg_do_read_simple (NR_DO_KEYSTRING_PW1);
 
       if (ks_pw1 != NULL)
@@ -237,13 +249,13 @@ verify_admin_0 (const uint8_t *pw, int buf_len, int pw_len_known,
 	return 0;
 
       /*
-       * For the case of empty PW3 (with empty PW1), pass phrase
-       * should be OPENPGP_CARD_INITIAL_PW3
+       * For the case of empty PW3 (with empty PW1), passphrase is
+       * OPENPGP_CARD_INITIAL_PW3, or defined by KDF DO.
        */
-      pw_len = strlen (OPENPGP_CARD_INITIAL_PW3);
+      gpg_do_get_initial_pw_setting (1, &pw_len, &initial_pw);
       if ((pw_len_known >=0 && pw_len_known != pw_len)
 	  || buf_len < pw_len
-	  || strncmp ((const char *)pw, OPENPGP_CARD_INITIAL_PW3, pw_len))
+	  || memcmp (pw, initial_pw, pw_len))
 	goto failure;
 
       admin_authorized = BY_ADMIN;

src/adc.h

@@ -1,16 +0,0 @@
-extern chopstx_mutex_t adc_mtx;
-extern chopstx_cond_t adc_cond;
-extern int adc_waiting;
-extern int adc_data_available;
-
-void adc_init (void);
-void adc_start (void);
-void adc_stop (void);
-
-#define ADC_SAMPLE_MODE 0
-#define ADC_CRC32_MODE  1
-
-extern uint32_t adc_buf[64];
-
-void adc_start_conversion (int offset, int count);
-int adc_wait_completion (chopstx_intr_t *intr);

src/adc_stm32f103.c

@@ -1,266 +0,0 @@
-/*
- * adc_stm32f103.c - ADC driver for STM32F103
- *                   In this ADC driver, there are NeuG specific parts.
- *                   You need to modify to use this as generic ADC driver.
- *
- * Copyright (C) 2011, 2012, 2013 Free Software Initiative of Japan
- * Author: NIIBE Yutaka <gniibe@fsij.org>
- *
- * This file is a part of NeuG, a True Random Number Generator
- * implementation based on quantization error of ADC (for STM32F103).
- *
- * NeuG is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * NeuG is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
- * License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include <stdint.h>
-#include <stdlib.h>
-#include <chopstx.h>
-
-#include "neug.h"
-#include "stm32f103.h"
-#include "adc.h"
-
-#define NEUG_CRC32_COUNTS 4
-
-#define STM32_ADC_ADC1_DMA_PRIORITY         2
-
-#define ADC_SMPR1_SMP_VREF(n)   ((n) << 21)
-#define ADC_SMPR1_SMP_SENSOR(n) ((n) << 18)
-
-#define ADC_SMPR1_SMP_AN10(n)   ((n) << 0)
-#define ADC_SMPR1_SMP_AN11(n)   ((n) << 3)
-
-#define ADC_SMPR2_SMP_AN0(n)    ((n) << 0)
-#define ADC_SMPR2_SMP_AN1(n)    ((n) << 3)
-#define ADC_SMPR2_SMP_AN2(n)    ((n) << 6)
-#define ADC_SMPR2_SMP_AN9(n)    ((n) << 27)
-
-#define ADC_SQR1_NUM_CH(n)      (((n) - 1) << 20)
-
-#define ADC_SQR3_SQ1_N(n)       ((n) << 0)
-#define ADC_SQR3_SQ2_N(n)       ((n) << 5)
-#define ADC_SQR3_SQ3_N(n)       ((n) << 10)
-#define ADC_SQR3_SQ4_N(n)       ((n) << 15)
-
-#define ADC_SAMPLE_1P5          0
-
-#define ADC_CHANNEL_IN0         0
-#define ADC_CHANNEL_IN1         1
-#define ADC_CHANNEL_IN2         2
-#define ADC_CHANNEL_IN9         9
-#define ADC_CHANNEL_IN10        10
-#define ADC_CHANNEL_IN11        11
-#define ADC_CHANNEL_SENSOR      16
-#define ADC_CHANNEL_VREFINT     17
-
-#define DELIBARATELY_DO_IT_WRONG_VREF_SAMPLE_TIME
-#define DELIBARATELY_DO_IT_WRONG_START_STOP
-
-#ifdef DELIBARATELY_DO_IT_WRONG_VREF_SAMPLE_TIME
-#define ADC_SAMPLE_VREF ADC_SAMPLE_1P5
-#define ADC_SAMPLE_SENSOR ADC_SAMPLE_1P5
-#else
-#define ADC_SAMPLE_VREF ADC_SAMPLE_239P5
-#define ADC_SAMPLE_SENSOR ADC_SAMPLE_239P5
-#endif
-
-#define NEUG_DMA_CHANNEL STM32_DMA1_STREAM1
-#define NEUG_DMA_MODE							\
-  (  STM32_DMA_CR_PL (STM32_ADC_ADC1_DMA_PRIORITY)			\
-     | STM32_DMA_CR_MSIZE_WORD | STM32_DMA_CR_PSIZE_WORD		\
-     | STM32_DMA_CR_MINC       | STM32_DMA_CR_TCIE			\
-     | STM32_DMA_CR_TEIE  )
-
-#define NEUG_ADC_SETTING1_SMPR1 ADC_SMPR1_SMP_VREF(ADC_SAMPLE_VREF)     \
-                              | ADC_SMPR1_SMP_SENSOR(ADC_SAMPLE_SENSOR)
-#define NEUG_ADC_SETTING1_SMPR2 0
-#define NEUG_ADC_SETTING1_SQR3  ADC_SQR3_SQ1_N(ADC_CHANNEL_VREFINT)     \
-                              | ADC_SQR3_SQ2_N(ADC_CHANNEL_SENSOR)      \
-                              | ADC_SQR3_SQ3_N(ADC_CHANNEL_SENSOR)      \
-                              | ADC_SQR3_SQ4_N(ADC_CHANNEL_VREFINT)     
-#define NEUG_ADC_SETTING1_NUM_CHANNELS 4
-
-#if !defined(NEUG_ADC_SETTING2_SMPR1)
-#define NEUG_ADC_SETTING2_SMPR1 0
-#define NEUG_ADC_SETTING2_SMPR2 ADC_SMPR2_SMP_AN0(ADC_SAMPLE_1P5)    \
-                              | ADC_SMPR2_SMP_AN1(ADC_SAMPLE_1P5)
-#define NEUG_ADC_SETTING2_SQR3  ADC_SQR3_SQ1_N(ADC_CHANNEL_IN0)      \
-                              | ADC_SQR3_SQ2_N(ADC_CHANNEL_IN1)
-#define NEUG_ADC_SETTING2_NUM_CHANNELS 2
-#endif
-
-
-/*
- * Do calibration for both of ADCs.
- */
-void adc_init (void)
-{
-  RCC->APB2ENR |= (RCC_APB2ENR_ADC1EN | RCC_APB2ENR_ADC2EN);
-  RCC->APB2RSTR = (RCC_APB2RSTR_ADC1RST | RCC_APB2RSTR_ADC2RST);
-  RCC->APB2RSTR = 0;
-
-  ADC1->CR1 = 0;
-  ADC1->CR2 = ADC_CR2_ADON;
-  ADC1->CR2 = ADC_CR2_ADON | ADC_CR2_RSTCAL;
-  while ((ADC1->CR2 & ADC_CR2_RSTCAL) != 0)
-    ;
-  ADC1->CR2 = ADC_CR2_ADON | ADC_CR2_CAL;
-  while ((ADC1->CR2 & ADC_CR2_CAL) != 0)
-    ;
-  ADC1->CR2 = 0;
-
-  ADC2->CR1 = 0;
-  ADC2->CR2 = ADC_CR2_ADON;
-  ADC2->CR2 = ADC_CR2_ADON | ADC_CR2_RSTCAL;
-  while ((ADC2->CR2 & ADC_CR2_RSTCAL) != 0)
-    ;
-  ADC2->CR2 = ADC_CR2_ADON | ADC_CR2_CAL;
-  while ((ADC2->CR2 & ADC_CR2_CAL) != 0)
-    ;
-  ADC2->CR2 = 0;
-  RCC->APB2ENR &= ~(RCC_APB2ENR_ADC1EN | RCC_APB2ENR_ADC2EN);
-}
-
-
-void adc_start (void)
-{
-  /* Use DMA channel 1.  */
-  RCC->AHBENR |= RCC_AHBENR_DMA1EN;
-  DMA1_Channel1->CCR = STM32_DMA_CCR_RESET_VALUE;
-  DMA1->IFCR = 0xffffffff;
-
-  RCC->APB2ENR |= (RCC_APB2ENR_ADC1EN | RCC_APB2ENR_ADC2EN);
-
-  ADC1->CR1 = (ADC_CR1_DUALMOD_2 | ADC_CR1_DUALMOD_1 | ADC_CR1_DUALMOD_0
-	       | ADC_CR1_SCAN);
-  ADC1->CR2 = (ADC_CR2_TSVREFE | ADC_CR2_EXTTRIG | ADC_CR2_SWSTART
-	       | ADC_CR2_EXTSEL | ADC_CR2_DMA | ADC_CR2_CONT | ADC_CR2_ADON);
-  ADC1->SMPR1 = NEUG_ADC_SETTING1_SMPR1;
-  ADC1->SMPR2 = NEUG_ADC_SETTING1_SMPR2;
-  ADC1->SQR1 = ADC_SQR1_NUM_CH(NEUG_ADC_SETTING1_NUM_CHANNELS);
-  ADC1->SQR2 = 0;
-  ADC1->SQR3 = NEUG_ADC_SETTING1_SQR3;
-
-  ADC2->CR1 = (ADC_CR1_DUALMOD_2 | ADC_CR1_DUALMOD_1 | ADC_CR1_DUALMOD_0
-	       | ADC_CR1_SCAN);
-  ADC2->CR2 = ADC_CR2_EXTTRIG | ADC_CR2_CONT | ADC_CR2_ADON;
-  ADC2->SMPR1 = NEUG_ADC_SETTING2_SMPR1;
-  ADC2->SMPR2 = NEUG_ADC_SETTING2_SMPR2;
-  ADC2->SQR1 = ADC_SQR1_NUM_CH(NEUG_ADC_SETTING2_NUM_CHANNELS);
-  ADC2->SQR2 = 0;
-  ADC2->SQR3 = NEUG_ADC_SETTING2_SQR3;
-
-#ifdef DELIBARATELY_DO_IT_WRONG_START_STOP
-  /*
-   * We could just let ADC run continuously always and only enable DMA
-   * to receive stable data from ADC.  But our purpose is not to get
-   * correct data but noise.  In fact, we can get more noise when we
-   * start/stop ADC each time.
-   */
-  ADC2->CR2 = 0;
-  ADC1->CR2 = 0;
-#else
-  /* Start conversion.  */
-  ADC2->CR2 = ADC_CR2_EXTTRIG | ADC_CR2_CONT | ADC_CR2_ADON;
-  ADC1->CR2 = (ADC_CR2_TSVREFE | ADC_CR2_EXTTRIG | ADC_CR2_SWSTART
-	       | ADC_CR2_EXTSEL | ADC_CR2_DMA | ADC_CR2_CONT | ADC_CR2_ADON);
-#endif
-}
-
-uint32_t adc_buf[64];
-
-void adc_start_conversion (int offset, int count)
-{
-  DMA1_Channel1->CPAR = (uint32_t)&ADC1->DR;        /* SetPeripheral */
-  DMA1_Channel1->CMAR = (uint32_t)&adc_buf[offset]; /* SetMemory0    */
-  DMA1_Channel1->CNDTR = count;                     /* Counter       */
-  DMA1_Channel1->CCR = NEUG_DMA_MODE | DMA_CCR1_EN; /* Mode   */
-
-#ifdef DELIBARATELY_DO_IT_WRONG_START_STOP
-  /* Power on */
-  ADC2->CR2 = ADC_CR2_EXTTRIG | ADC_CR2_CONT | ADC_CR2_ADON;
-  ADC1->CR2 = (ADC_CR2_TSVREFE | ADC_CR2_EXTTRIG | ADC_CR2_SWSTART
-	       | ADC_CR2_EXTSEL | ADC_CR2_DMA | ADC_CR2_CONT | ADC_CR2_ADON);
-  /*
-   * Start conversion.  tSTAB is 1uS, but we don't follow the spec, to
-   * get more noise.
-   */
-  ADC2->CR2 = ADC_CR2_EXTTRIG | ADC_CR2_CONT | ADC_CR2_ADON;
-  ADC1->CR2 = (ADC_CR2_TSVREFE | ADC_CR2_EXTTRIG | ADC_CR2_SWSTART
-	       | ADC_CR2_EXTSEL | ADC_CR2_DMA | ADC_CR2_CONT | ADC_CR2_ADON);
-#endif
-}
-
-
-static void adc_stop_conversion (void)
-{
-  DMA1_Channel1->CCR &= ~DMA_CCR1_EN;
-
-#ifdef DELIBARATELY_DO_IT_WRONG_START_STOP
-  ADC2->CR2 = 0;
-  ADC1->CR2 = 0;
-#endif
-}
-
-void adc_stop (void)
-{
-  ADC1->CR1 = 0;
-  ADC1->CR2 = 0;
-
-  ADC2->CR1 = 0;
-  ADC2->CR2 = 0;
-
-  RCC->AHBENR &= ~RCC_AHBENR_DMA1EN;
-  RCC->APB2ENR &= ~(RCC_APB2ENR_ADC1EN | RCC_APB2ENR_ADC2EN);
-}
-
-
-static uint32_t adc_err;
-
-/*
- * Return 0 on success.
- * Return 1 on error.
- */
-int adc_wait_completion (chopstx_intr_t *intr)
-{
-  uint32_t flags;
-
-  while (1)
-    {
-      chopstx_intr_wait (intr);
-      flags = DMA1->ISR & STM32_DMA_ISR_MASK; /* Channel 1 interrupt cause.  */
-      /*
-       * Clear interrupt cause of channel 1.
-       *
-       * Note that CGIFx=0, as CGIFx=1 clears all of GIF, HTIF, TCIF
-       * and TEIF.
-       */
-      DMA1->IFCR = (flags & ~1);
-
-      if ((flags & STM32_DMA_ISR_TEIF) != 0)  /* DMA errors  */
-	{
-	  /* Should never happened.  If any, it's coding error. */
-	  /* Access an unmapped address space or alignment violation.  */
-	  adc_err++;
-	  adc_stop_conversion ();
-	  return 1;
-	}
-      else if ((flags & STM32_DMA_ISR_TCIF) != 0) /* Transfer complete */
-	{
-	  adc_stop_conversion ();
-	  return 0;
-	}
-    }
-}

src/binary-edit.sh

@@ -0,0 +1,76 @@
+# This is a Bash script to be included.
+
+# Idx Name          Size      VMA       LMA       File off  Algn
+# =================
+#   2 .text         00004a40  080010f0  080010f0  000110f0  2**4
+# 08006550 l     O .text	00000012 device_desc
+# =================
+# VMA =0x080010f0
+# FOFF=0x000110f0
+# ADDR=0x08005ad0
+# file_off_ADDR = ADDR - VMA + FOFF
+#               = 0x08005ad0 - 0x080010f0 + 0x000110f0 = 0x00015ad0
+
+function calc_addr () {
+    local line_sym="" VMA FOFF ADDR
+
+    arm-none-eabi-objdump -h -t -j .text $FILE       | \
+    egrep -e '(^ +[0-9] +\.text +|device_desc)' | \
+    while read -r F0 F1 F2 F3 F4 F5 F6; do
+	if [ -z "$line_sym" ]; then
+	    VMA=$F3
+	    FOFF=$F5
+	    line_sym="next is a line for the symbol"
+	else
+	    ADDR=$F0
+	    echo "$((0x$ADDR - 0x$VMA + 0x$FOFF))"
+	fi
+    done
+}
+
+declare -a OFFSETS
+OFFSETS=($(calc_addr))
+file_off_ADDR=${OFFSETS[0]}
+file_off_fraucheky_ADDR=${OFFSETS[1]}
+
+echo "Offset is $file_off_ADDR"
+if [ -n "$file_off_fraucheky_ADDR" ]; then
+    echo "Offset is $file_off_fraucheky_ADDR"
+fi
+
+function replace_file_byte_at () {
+    printf "\x$1" | dd of=$FILE bs=1 seek=$2 conv=notrunc >& /dev/null
+}
+
+#
+# vid_lsb:         8
+# vid_msb:         9
+# pid_lsb:        10
+# pid_msb:        11
+# bcd_device_lsb: 12
+# bcd_device_msb: 13
+#
+
+function replace_vid_lsb () {
+    replace_file_byte_at $1 $((addr + 8))
+}
+
+function replace_vid_msb () {
+    replace_file_byte_at $1 $((addr + 9))
+}
+
+function replace_pid_lsb () {
+    replace_file_byte_at $1 $((addr + 10))
+}
+
+function replace_pid_msb () {
+    replace_file_byte_at $1 $((addr + 11))
+}
+
+function replace_bcd_device_lsb () {
+    replace_file_byte_at $1 $((addr + 12))
+}
+
+function replace_bcd_device_msb () {
+    replace_file_byte_at $1 $((addr + 13))
+}

src/bn.c

@@ -1,7 +1,8 @@
 /*
  * bn.c -- 256-bit (and 512-bit) bignum calculation
  *
- * Copyright (C) 2011, 2013, 2014 Free Software Initiative of Japan
+ * Copyright (C) 2011, 2013, 2014, 2019
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -89,7 +90,7 @@ uint32_t
 bn256_add_uint (bn256 *X, const bn256 *A, uint32_t w)
 {
   int i;
-  uint32_t carry = 0;
+  uint32_t carry = w;
   uint32_t *px;
   const uint32_t *pa;
 
@@ -100,12 +101,6 @@ bn256_add_uint (bn256 *X, const bn256 *A, uint32_t w)
     {
       *px = *pa + carry;
       carry = (*px < carry);
-      if (i == 0)
-	{
-	  *px += w;
-	  carry += (*px < w);
-	}
-
       px++;
       pa++;
     }
@@ -117,7 +112,7 @@ uint32_t
 bn256_sub_uint (bn256 *X, const bn256 *A, uint32_t w)
 {
   int i;
-  uint32_t borrow = 0;
+  uint32_t borrow = w;
   uint32_t *px;
   const uint32_t *pa;
 
@@ -129,14 +124,7 @@ bn256_sub_uint (bn256 *X, const bn256 *A, uint32_t w)
       uint32_t borrow0 = (*pa < borrow);
 
       *px = *pa - borrow;
-      if (i == 0)
-	{
-	  borrow = (*px < w) + borrow0;
-	  *px -= w;
-	}
-      else
-	borrow = borrow0;
-
+      borrow = borrow0;
       px++;
       pa++;
     }
@@ -425,17 +413,15 @@ bn256_cmp (const bn256 *A, const bn256 *B)
 void
 bn256_random (bn256 *X)
 {
-  const uint8_t *rand = random_bytes_get ();
+  int i, j;
+  const uint8_t *rand;
 
-  X->word[7] = ((uint32_t *)rand)[7];
-  X->word[6] = ((uint32_t *)rand)[6];
-  X->word[5] = ((uint32_t *)rand)[5];
-  X->word[4] = ((uint32_t *)rand)[4];
-  X->word[3] = ((uint32_t *)rand)[3];
-  X->word[2] = ((uint32_t *)rand)[2];
-  X->word[1] = ((uint32_t *)rand)[1];
-  X->word[0] = ((uint32_t *)rand)[0];
-
-  random_bytes_free (rand);
+  for (i = 0; i < 256/256; i++)
+    {
+      rand = random_bytes_get ();
+      for (j = 0; j < BN256_WORDS; j++)
+	X->word[i*BN256_WORDS+j] = ((uint32_t *)rand)[j];
+      random_bytes_free (rand);
+    }
 }
 #endif

src/call-ec.c

@@ -1,7 +1,7 @@
 /*
  * call-ec.c - interface between Gnuk and Elliptic curve over GF(prime)
  *
- * Copyright (C) 2013 Free Software Initiative of Japan
+ * Copyright (C) 2013, 2014, 2017  Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -23,9 +23,10 @@
 
 #include "field-group-select.h"
 
-/* We are little endian.  */
+/* We are little-endian in the computation, but the protocol is big-endian.  */
 
 #define ECDSA_BYTE_SIZE 32
+#define ECDH_BYTE_SIZE 32
 
 int
 FUNC(ecdsa_sign) (const uint8_t *hash, uint8_t *output,
@@ -53,28 +54,21 @@ FUNC(ecdsa_sign) (const uint8_t *hash, uint8_t *output,
   return 0;
 }
 
-uint8_t *
-FUNC(ecdsa_compute_public) (const uint8_t *key_data)
+int
+FUNC(ecc_compute_public) (const uint8_t *key_data, uint8_t *pubkey)
 {
-  uint8_t *p0, *p, *p1;
+  uint8_t *p, *p1;
   ac q[1];
   bn256 k[1];
   int i;
 
-  p0 = (uint8_t *)malloc (ECDSA_BYTE_SIZE * 2);
-  if (p0 == NULL)
-    return NULL;
-
   p = (uint8_t *)k;
   for (i = 0; i < ECDSA_BYTE_SIZE; i++)
     p[ECDSA_BYTE_SIZE - i - 1] = key_data[i];
   if (FUNC(compute_kG) (q, k) < 0)
-    {
-      free (p0);
-      return NULL;
-    }
+    return -1;
 
-  p = p0;
+  p = pubkey;
   p1 = (uint8_t *)q->x;
   for (i = 0; i < ECDSA_BYTE_SIZE; i++)
     *p++ = p1[ECDSA_BYTE_SIZE - i - 1];
@@ -82,5 +76,61 @@ FUNC(ecdsa_compute_public) (const uint8_t *key_data)
   for (i = 0; i < ECDSA_BYTE_SIZE; i++)
     *p++ = p1[ECDSA_BYTE_SIZE - i - 1];
 
-  return p0;
+  return 0;
+}
+
+int
+FUNC(ecdh_decrypt) (const uint8_t *input, uint8_t *output,
+		    const uint8_t *key_data)
+{
+  bn256 k[1];
+  ac X[1], P[1];
+  int i;
+  uint8_t *p0;
+  const uint8_t *p1;
+  int r;
+
+  p0 = (uint8_t *)k;
+  for (i = 0; i < ECDH_BYTE_SIZE; i++)
+    p0[ECDH_BYTE_SIZE - i - 1] = key_data[i];
+
+  p1 = input+1;			/* skip '04' */
+  p0 = (uint8_t *)P->x;
+  for (i = 0; i < ECDH_BYTE_SIZE; i++)
+    p0[ECDH_BYTE_SIZE - i - 1] = *p1++;
+  p0 = (uint8_t *)P->y;
+  for (i = 0; i < ECDH_BYTE_SIZE; i++)
+    p0[ECDH_BYTE_SIZE - i - 1] = *p1++;
+
+  r = FUNC(compute_kP) (X, k, P);
+  if (r == 0)
+    {
+      p0 = output;
+      p1 = (const uint8_t *)X->x;
+      *p0++ = 4;
+      for (i = 0; i < ECDH_BYTE_SIZE; i++)
+	*p0++ = p1[ECDH_BYTE_SIZE - i - 1];
+      p1 = (const uint8_t *)X->y;
+      for (i = 0; i < ECDH_BYTE_SIZE; i++)
+	*p0++ = p1[ECDH_BYTE_SIZE - i - 1];
+    }
+
+  return r;
+}
+
+
+/**
+ * @brief Check if a secret d0 is valid or not
+ *
+ * @param D0	scalar D0: secret
+ * @param D1	scalar D1: secret candidate N-D0
+ *
+ * Return 0 on error.
+ * Return -1 when D1 should be used as the secret
+ * Return 1 when D0 should be used as the secret
+ */
+int
+FUNC(ecc_check_secret) (const uint8_t *d0, uint8_t *d1)
+{
+  return FUNC(check_secret) ((const bn256 *)d0, (bn256 *)d1);
 }

src/call-ec_p256k1.c

@@ -2,7 +2,7 @@
  * call-ec_p256k1.c - interface between Gnuk and Elliptic curve over
  *                    GF(p256k1)
  *
- * Copyright (C) 2014 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2017  Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -23,7 +23,6 @@
  */
 
 #include <stdint.h>
-#include <stdlib.h>
 #include <string.h>
 #include "bn.h"
 #include "affine.h"

src/call-ec_p256r1.c

@@ -2,7 +2,7 @@
  * call-ec_p256r1.c - interface between Gnuk and Elliptic curve over
  *                    GF(p256r1)
  *
- * Copyright (C) 2014 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2017  Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -23,7 +23,6 @@
  */
 
 #include <stdint.h>
-#include <stdlib.h>
 #include <string.h>
 #include "bn.h"
 #include "affine.h"

src/call-rsa.c

@@ -1,7 +1,8 @@
 /*
  * call-rsa.c -- Glue code between RSA computation and OpenPGP card protocol
  *
- * Copyright (C) 2010, 2011, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015, 2017
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -23,38 +24,44 @@
 
 #include <stdint.h>
 #include <string.h>
-#include <stdlib.h>
+#include <chopstx.h>
+
 #include "config.h"
 
 #include "gnuk.h"
-#include "openpgp.h"
+#include "status-code.h"
 #include "random.h"
 #include "polarssl/config.h"
 #include "polarssl/rsa.h"
 
-#define RSA_SIGNATURE_LENGTH KEY_CONTENT_LEN
- /* 256 byte == 2048-bit */
- /* 128 byte == 1024-bit */
-
 static rsa_context rsa_ctx;
+static struct chx_cleanup clp;
+
+static void
+rsa_cleanup (void *arg)
+{
+  (void)arg;
+  rsa_free (&rsa_ctx);
+}
+
 
 int
 rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
-	  struct key_data *kd)
+	  struct key_data *kd, int pubkey_len)
 {
   mpi P1, Q1, H;
   int ret = 0;
-  unsigned char temp[RSA_SIGNATURE_LENGTH];
+  unsigned char temp[pubkey_len];
 
   rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
 
   mpi_init (&P1);  mpi_init (&Q1);  mpi_init (&H);
 
-  rsa_ctx.len = KEY_CONTENT_LEN;
+  rsa_ctx.len = pubkey_len;
   MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
-  MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], rsa_ctx.len / 2) );
-  MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2],
-			    rsa_ctx.len / 2) );
+  MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], pubkey_len / 2) );
+  MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[pubkey_len / 2],
+			    pubkey_len / 2) );
 #if 0
   MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
 #endif
@@ -69,12 +76,20 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
   mpi_free (&P1);  mpi_free (&Q1);  mpi_free (&H);
   if (ret == 0)
     {
-      DEBUG_INFO ("RSA sign...");
+      int cs;
 
+      DEBUG_INFO ("RSA sign...");
+      clp.next = NULL;
+      clp.routine = rsa_cleanup;
+      clp.arg = NULL;
+      chopstx_cleanup_push (&clp);
+      cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
       ret = rsa_rsassa_pkcs1_v15_sign (&rsa_ctx, NULL, NULL,
 				       RSA_PRIVATE, SIG_RSA_RAW,
 				       msg_len, raw_message, temp);
-      memcpy (output, temp, RSA_SIGNATURE_LENGTH);
+      memcpy (output, temp, pubkey_len);
+      chopstx_setcancelstate (cs);
+      chopstx_cleanup_pop (0);
     }
 
   rsa_free (&rsa_ctx);
@@ -86,7 +101,6 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
     }
   else
     {
-      res_APDU_size = RSA_SIGNATURE_LENGTH;
       DEBUG_INFO ("done.\r\n");
       GPG_SUCCESS ();
       return 0;
@@ -96,41 +110,38 @@ rsa_sign (const uint8_t *raw_message, uint8_t *output, int msg_len,
 /*
  * LEN: length in byte
  */
-uint8_t *
-modulus_calc (const uint8_t *p, int len)
+int
+modulus_calc (const uint8_t *p, int len, uint8_t *pubkey)
 {
   mpi P, Q, N;
-  uint8_t *modulus;
   int ret;
 
-  modulus = malloc (len);
-  if (modulus == NULL)
-    return NULL;
-
   mpi_init (&P);  mpi_init (&Q);  mpi_init (&N);
   MPI_CHK( mpi_read_binary (&P, p, len / 2) );
   MPI_CHK( mpi_read_binary (&Q, p + len / 2, len / 2) );
   MPI_CHK( mpi_mul_mpi (&N, &P, &Q) );
-  MPI_CHK( mpi_write_binary (&N, modulus, len) );
+  MPI_CHK( mpi_write_binary (&N, pubkey, len) );
  cleanup:
   mpi_free (&P);  mpi_free (&Q);  mpi_free (&N);
   if (ret != 0)
-    return NULL;
-  else
-    return modulus;
+    return -1;
+
+  return 0;
 }
 
 
 int
 rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
-	     struct key_data *kd)
+	     struct key_data *kd, unsigned int *output_len_p)
 {
   mpi P1, Q1, H;
   int ret;
-  unsigned int output_len;
+#ifdef GNU_LINUX_EMULATION
+  size_t output_len;
+#endif
 
   DEBUG_INFO ("RSA decrypt:");
-  DEBUG_WORD ((uint32_t)&output_len);
+  DEBUG_WORD ((uint32_t)&ret);
 
   rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
   mpi_init (&P1);  mpi_init (&Q1);  mpi_init (&H);
@@ -139,9 +150,8 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
   DEBUG_WORD (msg_len);
 
   MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
-  MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], KEY_CONTENT_LEN / 2) );
-  MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[KEY_CONTENT_LEN/2],
-			    KEY_CONTENT_LEN / 2) );
+  MPI_CHK( mpi_read_binary (&rsa_ctx.P, &kd->data[0], msg_len / 2) );
+  MPI_CHK( mpi_read_binary (&rsa_ctx.Q, &kd->data[msg_len / 2], msg_len / 2) );
 #if 0
   MPI_CHK( mpi_mul_mpi (&rsa_ctx.N, &rsa_ctx.P, &rsa_ctx.Q) );
 #endif
@@ -156,10 +166,26 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
   mpi_free (&P1);  mpi_free (&Q1);  mpi_free (&H);
   if (ret == 0)
     {
+      int cs;
+
       DEBUG_INFO ("RSA decrypt ...");
+      clp.next = NULL;
+      clp.routine = rsa_cleanup;
+      clp.arg = NULL;
+      chopstx_cleanup_push (&clp);
+      cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
+#ifdef GNU_LINUX_EMULATION
       ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, NULL, NULL,
 					 RSA_PRIVATE, &output_len, input,
 					 output, MAX_RES_APDU_DATA_SIZE);
+      *output_len_p = (unsigned int)output_len;
+#else
+      ret = rsa_rsaes_pkcs1_v15_decrypt (&rsa_ctx, NULL, NULL,
+					 RSA_PRIVATE, output_len_p, input,
+					 output, MAX_RES_APDU_DATA_SIZE);
+#endif
+      chopstx_setcancelstate (cs);
+      chopstx_cleanup_pop (0);
     }
 
   rsa_free (&rsa_ctx);
@@ -171,7 +197,6 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
     }
   else
     {
-      res_APDU_size = output_len;
       DEBUG_INFO ("done.\r\n");
       GPG_SUCCESS ();
       return 0;
@@ -179,14 +204,15 @@ rsa_decrypt (const uint8_t *input, uint8_t *output, int msg_len,
 }
 
 int
-rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
+rsa_verify (const uint8_t *pubkey, int pubkey_len,
+	    const uint8_t *hash, const uint8_t *sig)
 {
   int ret;
 
   rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
-  rsa_ctx.len = KEY_CONTENT_LEN;
+  rsa_ctx.len = pubkey_len;
   MPI_CHK( mpi_lset (&rsa_ctx.E, 0x10001) );
-  MPI_CHK( mpi_read_binary (&rsa_ctx.N, pubkey, KEY_CONTENT_LEN) );
+  MPI_CHK( mpi_read_binary (&rsa_ctx.N, pubkey, pubkey_len) );
 
   DEBUG_INFO ("RSA verify...");
 
@@ -210,45 +236,39 @@ rsa_verify (const uint8_t *pubkey, const uint8_t *hash, const uint8_t *sig)
 
 #define RSA_EXPONENT 0x10001
 
-#ifdef KEYGEN_SUPPORT
-uint8_t *
-rsa_genkey (void)
+int
+rsa_genkey (int pubkey_len, uint8_t *pubkey, uint8_t *p_q)
 {
   int ret;
   uint8_t index = 0;
-  uint8_t *p_q_modulus = (uint8_t *)malloc (KEY_CONTENT_LEN*2);
-  uint8_t *p = p_q_modulus;
-  uint8_t *q = p_q_modulus + KEY_CONTENT_LEN/2;
-  uint8_t *modulus = p_q_modulus + KEY_CONTENT_LEN;
+  uint8_t *p = p_q;
+  uint8_t *q = p_q + pubkey_len / 2;
+  int cs;
+
   extern int prng_seed (int (*f_rng)(void *, unsigned char *, size_t),
 			void *p_rng);
   extern void neug_flush (void);
 
-  if (p_q_modulus == NULL)
-    return NULL;
-
   neug_flush ();
   prng_seed (random_gen, &index);
-
   rsa_init (&rsa_ctx, RSA_PKCS_V15, 0);
-  MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index,
-			KEY_CONTENT_LEN * 8, RSA_EXPONENT) );
-  if (ret != 0)
-    {
-      free (p_q_modulus);
-      rsa_free (&rsa_ctx);
-      return NULL;
-    }
 
-  MPI_CHK( mpi_write_binary (&rsa_ctx.P, p, KEY_CONTENT_LEN/2) );
-  MPI_CHK( mpi_write_binary (&rsa_ctx.Q, q, KEY_CONTENT_LEN/2) );
-  MPI_CHK( mpi_write_binary (&rsa_ctx.N, modulus, KEY_CONTENT_LEN) );
+  clp.next = NULL;
+  clp.routine = rsa_cleanup;
+  clp.arg = NULL;
+  chopstx_cleanup_push (&clp);
+  cs = chopstx_setcancelstate (0); /* Allow cancellation.  */
+  MPI_CHK( rsa_gen_key (&rsa_ctx, random_gen, &index, pubkey_len * 8,
+			RSA_EXPONENT) );
+  MPI_CHK( mpi_write_binary (&rsa_ctx.P, p, pubkey_len / 2) );
+  MPI_CHK( mpi_write_binary (&rsa_ctx.Q, q, pubkey_len / 2) );
+  MPI_CHK( mpi_write_binary (&rsa_ctx.N, pubkey, pubkey_len) );
 
  cleanup:
-  rsa_free (&rsa_ctx);
+  chopstx_setcancelstate (cs);
+  chopstx_cleanup_pop (1);
   if (ret != 0)
-      return NULL;
+    return -1;
   else
-    return p_q_modulus;
+    return 0;
 }
-#endif

src/chconf.h

@@ -1,74 +0,0 @@
-/* ChibiOS/RT configuration file */
-
-#ifndef _CHCONF_H_
-#define _CHCONF_H_
-
-#include <config.h>
-#ifdef DFU_SUPPORT
-#define CORTEX_VTOR_INIT (0x00003000+0x00001000)
-#else
-#define CORTEX_VTOR_INIT 0x00001000
-#endif
-
-#define CH_FREQUENCY                    1000
-#define CH_TIME_QUANTUM                 20
-#define CH_USE_NESTED_LOCKS             FALSE
-#define CH_MEMCORE_SIZE                 0 /* Whole RAM */
-#define CH_NO_IDLE_THREAD               FALSE
-#define CH_OPTIMIZE_SPEED               TRUE
-#define CH_USE_REGISTRY                 TRUE
-#define CH_USE_WAITEXIT                 TRUE
-#define CH_USE_SEMAPHORES               TRUE
-#define CH_USE_SEMAPHORES_PRIORITY      FALSE
-#define CH_USE_SEMSW                    FALSE
-#define CH_USE_MUTEXES                  TRUE
-#define CH_USE_CONDVARS                 TRUE
-#define CH_USE_CONDVARS_TIMEOUT         TRUE
-#define CH_USE_EVENTS                   TRUE /* We use this! */
-#define CH_USE_EVENTS_TIMEOUT           TRUE /* We use this! */
-#define CH_USE_MESSAGES                 FALSE
-#define CH_USE_MESSAGES_PRIORITY        FALSE
-#define CH_USE_MAILBOXES                FALSE
-#define CH_USE_QUEUES                   FALSE
-#define CH_USE_MEMCORE                  TRUE
-#define CH_USE_HEAP                     TRUE
-#define CH_USE_MALLOC_HEAP              FALSE
-#define CH_USE_MEMPOOLS                 FALSE
-#define CH_USE_DYNAMIC                  TRUE
-
-/* Debug options */
-#define CH_DBG_ENABLE_CHECKS            FALSE
-#define CH_DBG_ENABLE_ASSERTS           FALSE
-#define CH_DBG_ENABLE_TRACE             FALSE
-#define CH_DBG_ENABLE_STACK_CHECK       TRUE
-#define CH_DBG_FILL_THREADS             FALSE
-#define CH_DBG_THREADS_PROFILING        FALSE
-
-#define THREAD_EXT_FIELDS                                               \
-  /* Add threads custom fields here.*/                                  \
-
-#define THREAD_EXT_INIT(tp) {                                           \
-  /* Add threads initialization code here.*/                            \
-}
-
-#define THREAD_CONTEXT_SWITCH_HOOK(ntp, otp) {                              \
-  /* System halt code here.*/                                               \
-}
-
-#define THREAD_EXT_EXIT(tp) {                                           \
-  /* Add threads finalization code here.*/                              \
-}
-
-#define IDLE_LOOP_HOOK() {                                              \
-  /* Idle loop code here.*/                                             \
-}
-
-#define SYSTEM_TICK_EVENT_HOOK() {                                          \
-  /* System tick event code here.*/                                         \
-}
-
-#define SYSTEM_HALT_HOOK() {                                                \
-  /* System halt code here.*/                                               \
-}
-
-#endif  /* _CHCONF_H_ */

src/config.h.in

@@ -3,8 +3,13 @@
 #define ENABLE_VIRTUAL_COM_PORT 1
 #endif
 @DFU_DEFINE@
+@ORIGIN_DEFINE@
+@ORIGIN_REAL_DEFINE@
 @PINPAD_DEFINE@
 @PINPAD_MORE_DEFINE@
 @CERTDO_DEFINE@
 @HID_CARD_CHANGE_DEFINE@
-@SERIALNO_STR_LEN@
+@LIFE_CYCLE_MANAGEMENT_DEFINE@
+@ACKBTN_DEFINE@
+@SERIALNO_STR_LEN_DEFINE@
+@KDF_DO_REQUIRED_DEFINE@

src/configure

@@ -1,11 +1,16 @@
 #! /bin/bash
 
+# This is bash which supports ANSI-C Quoting
+nl=$'\n'
+
 #
 # This file is *NOT* generated by GNU Autoconf, but written by NIIBE Yutaka
 #
-# Copyright (C) 2010, 2011, 2012, 2013 Free Software Initiative of Japan
+# Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2021
+#               Free Software Initiative of Japan
 #
 # This file is a part of Gnuk, a GnuPG USB Token implementation.
+#
 # Gnuk is free software: you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
@@ -19,31 +24,57 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+#
+# Submodule check
+#
+if ! test -f ../chopstx/rules.mk; then
+  echo "Submodule 'chopstx' not found" >&2
+  echo "You might need: git submodule update --init" >&2
+  exit 1
+fi
+
 # Default settings
 help=no
 vidpid=none
-target=OLIMEX_STM32_H103
-verbose=no
+target=ST_DONGLE
 with_dfu=default
 debug=no
+sys1_compat=yes
 pinpad=no
 certdo=no
-keygen=no
-sys1_compat=yes
 hid_card_change=no
+factory_reset=yes
+ackbtn_support=no
+flash_override=""
+kdf_do=${kdf_do:-optional}
+# For emulation
+prefix=/usr/local
+exec_prefix='${prefix}'
+libexecdir='${exec_prefix}/libexec'
+
+# Revision number
+if test -e ../.git; then
+  if type git >/dev/null 2>&1; then
+     REVISION=$(git describe --dirty="-modified")
+  else
+     # echo 'No git available, please install git'
+     GIT_REVISION=$(sed -e 's/^\(.......\).*$/g\1/' "../.git/$(sed -e 's/^ref: //' ../.git/HEAD)")
+     REVISION=$(cat ../VERSION)-$GIT_REVISION
+  fi
+else
+  REVISION=$(cat ../VERSION)
+fi
 
 # Process each option
 for option; do
   case $option in
-  *=*)	optarg=`expr "X$option" : '[^=]*=\(.*\)'` ;;
+  *=*)	optarg=$(expr "X$option" : '[^=]*=\(.*\)') ;;
   *)	optarg=yes ;;
   esac
 
   case $option in
   -h | --help)
     help=yes ;;
-  -v | --verbose)
-    verbose=yes ;;
   --vidpid=*)
     vidpid=$optarg ;;
   --target=*)
@@ -60,22 +91,31 @@ for option; do
     certdo=yes ;;
   --disable-certdo)
     certdo=no ;;
-  --enable-keygen)
-    keygen=yes ;;
-  --disable-keygen)
-    keygen=no ;;
-  --enable-sys1-compat)
-    sys1_compat = yes ;;
-  --disable-sys1-compat)
-    sys1_compat = no ;;
   --enable-hid-card-change)
-    hid_card_change = yes ;;
+    hid_card_change=yes ;;
   --disable-hid-card-change)
-    hid_card_change = no ;;
+    hid_card_change=no ;;
+  --enable-sys1-compat)
+    sys1_compat=yes ;;
+  --disable-sys1-compat)
+    sys1_compat=no ;;
+  --enable-factory-reset)
+    factory_reset=yes ;;
+  --disable-factory-reset)
+    factory_reset=no ;;
   --with-dfu)
     with_dfu=yes ;;
   --without-dfu)
     with_dfu=no ;;
+  #
+  # For emulation
+  #
+  --prefix=*)
+    prefix=optarg ;;
+  --exec-prefix=*)
+    exec_prefix=optarg ;;
+  --libexecdir=*)
+    libexecdir=optarg ;;
   *)
     echo "Unrecognized option \`$option'" >&2
     echo "Try \`$0 --help' for more information." >&2
@@ -93,17 +133,29 @@ Defaults for the options are specified in brackets.
 Configuration:
   -h, --help		display this help and exit	[no]
   --vidpid=VID:PID	specify vendor/product ID	[<NONE>]
-  --target=TARGET	specify target			[OLIMEX_STM32_H103]
+  --target=TARGET	specify target			[FST_01]
 			supported targets are:
-			   OLIMEX_STM32_H103
-			   STM8S_DISCOVERY
 			   FST_01
-			   FST_01_00
+			   FST_01G
+			   FST_01SZ
+			   OLIMEX_STM32_H103
+			   MAPLE_MINI
+			   ST_DONGLE
+			   ST_NUCLEO_F103
+			   NITROKEY_START
+			   BLUE_PILL
+			   STM8S_DISCOVERY
+			   CQ_STARM
+			   STM32_PRIMER2
+			   STBEE
+			   STBEE_MINI
+			   FST_01_00 (unreleased version with 8MHz XTAL)
+  --enable-factory-reset
+			support life cycle management	[no]
   --enable-debug	debug with virtual COM port	[no]
   --enable-pinpad=cir
 			PIN entry support		[no]
   --enable-certdo	support CERT.3 data object	[no]
-  --enable-keygen	support key generation		[no]
   --enable-sys1-compat	enable SYS 1.0 compatibility	[yes]
 			   executable is target dependent
   --disable-sys1-compat	disable SYS 1.0 compatibility	[no]
@@ -114,25 +166,25 @@ EOF
   exit 0
 fi
 
-if test "$vidpid" = "none"; then
-  echo "Please specify Vendor ID and Product ID by --vidpid option." 
-  exit 1
-fi
-
-TARGET_DEFINE="#define BOARD_$target 1"
-BOARD_HEADER_FILE=board-`echo $target | tr '_[:upper:]' '-[:lower:]'`.h
-echo Header file is: $BOARD_HEADER_FILE
-ln -sf ../chopstx/board/$BOARD_HEADER_FILE board.h
+BOARD_HEADER_FILE=board-$(echo $target | tr '_[:upper:]' '-[:lower:]').h
+echo "Header file is: $BOARD_HEADER_FILE"
+ln -sf "../chopstx/board/$BOARD_HEADER_FILE" board.h
 
+# Frequency
+MHZ=72
 # Flash page size in byte
 FLASH_PAGE_SIZE=1024
-# Flash memory size in KB
+# Flash memory size in KiB
 FLASH_SIZE=128
 # Memory size in KiB
 MEMORY_SIZE=20
 
 # Settings for TARGET
 case $target in
+BLUE_PILL|STM8S_DISCOVERY)
+  # It's 64KB version of STM32F103, but actually has 128KB
+  flash_override="-DSTM32F103_OVERRIDE_FLASH_SIZE_KB=128"
+  ;;
 CQ_STARM|STBEE_MINI)
   if test "$with_dfu" = "default"; then
     with_dfu=yes;
@@ -149,13 +201,57 @@ STBEE)
   if test "$with_dfu" = "default"; then
     with_dfu=yes;
   fi  ;;
-STM8S_DISCOVERY)
-  FLASH_SIZE=64
+BLUE_PILL_G)
+  MHZ=96
+  ;;
+FST_01SZ)
+  MHZ=96
   ;;
 *)
   ;;
 esac
 
+def_mhz="-DMHZ=$MHZ"
+if test "$target" = "GNU_LINUX"; then
+  ldscript=""
+  chip="gnu-linux"
+  arch="gnu-linux"
+  emulation="yes"
+  cross=""
+  mcu="none"
+  kdf_do=${kdf_do:-required}
+  def_emulation="-DGNU_LINUX_EMULATION"
+  def_memory_size="-DMEMORY_SIZE=1024"
+  enable_hexoutput=""
+  libs="-lpthread"
+else
+  ldscript="gnuk.ld"
+  chip="stm32f103"
+  arch="cortex-m"
+  emulation=""
+  cross="arm-none-eabi-"
+  mcu="cortex-m3"
+  def_emulation=""
+  def_memory_size="-DMEMORY_SIZE=$MEMORY_SIZE"
+  enable_hexoutput=yes
+  libs=""
+fi
+
+if test "$emulation" = "yes"; then
+  if test "$vidpid" = "none"; then
+    vidpid=0000:0000
+  else
+    echo "Please don't specify VID:PID for emulation at compile time;"
+    echo "It is a user who should specify VID:PID at run time."
+    exit 1
+  fi
+else
+  if test "$vidpid" = "none"; then
+    echo "Please specify Vendor ID and Product ID by --vidpid option." >&2
+  exit 1
+  fi
+fi
+
 # --enable-debug option
 if test "$debug" = "yes"; then
   DEBUG_MAKE_OPTION="ENABLE_DEBUG=1"
@@ -167,25 +263,35 @@ else
   echo "Debug option disabled"
 fi
 
+ORIGIN_REAL=0x08000000
+ORIGIN_REAL_DEFINE="#define ORIGIN_REAL $ORIGIN_REAL"
 # --with-dfu option
 if test "$with_dfu" = "yes"; then
+  if test "$target" = "FST_01" -o "$target" = "FST_01G" \
+     -o "$target" = "FST_01_00"; then
+      echo "FST-01 doesn't have DFU loader, you should not use --with-dfu." >&2
+      exit 1
+  fi
   echo "Configured for DFU"
-  ORIGIN=0x08003000
-  FLASH_SIZE=`expr $FLASH_SIZE - 12`
+  if test "$target" = "MAPLE_MINI"; then
+    # Note that the default bootloader is too large, need for instance
+    # STM32duino for DFU on Maple Mini
+    ORIGIN=0x08002000
+    FLASH_SIZE=$((FLASH_SIZE - 8))
+  else
+    ORIGIN=0x08003000
+    FLASH_SIZE=$((FLASH_SIZE - 12))
+  fi
   DFU_DEFINE="#define DFU_SUPPORT 1"
-  HEXOUTPUT_MAKE_OPTION="ENABLE_OUTPUT_HEX=yes"
 else
   with_dfu=no
   echo "Configured for bare system (no-DFU)"
-  ORIGIN=0x08000000
+  ORIGIN=${ORIGIN_REAL}
   DFU_DEFINE="#undef DFU_SUPPORT"
-  HEXOUTPUT_MAKE_OPTION=""
 fi
+ORIGIN_DEFINE="#define ORIGIN $ORIGIN"
 
 # --enable-pinpad option
-MSC_SIZE="0"
-TIM_SIZE="0"
-EXT_SIZE="0"
 if test "$pinpad" = "no"; then
   PINPAD_MAKE_OPTION="# ENABLE_PINPAD="
   PINPAD_DEFINE="#undef PINPAD_SUPPORT"
@@ -196,12 +302,6 @@ else
   PINPAD_DEFINE="#define PINPAD_SUPPORT 1"
   PINPAD_MORE_DEFINE="#define PINPAD_${pinpad^^[a-z]}_SUPPORT 1"
   echo "PIN pad option enabled ($pinpad)"
-  if test "$pinpad" = "dnd"; then
-     MSC_SIZE="0x0200"
-  elif test "$pinpad" = "cir"; then
-     TIM_SIZE="0x00c0"
-     EXT_SIZE="0x00c0"
-  fi
 fi
 
 # --enable-certdo option
@@ -213,15 +313,6 @@ else
   echo "CERT.3 Data Object is NOT supported"
 fi
 
-# --enable-keygen option
-if test "$keygen" = "yes"; then
-  KEYGEN_SUPPORT="-DKEYGEN_SUPPORT"
-  echo "Key generation on device is supported"
-else
-  KEYGEN_SUPPORT=""
-  echo "Key generation on device is NOT supported"
-fi
-
 # --enable-hid-card-change option
 if test "$hid_card_change" = "yes"; then
   HID_CARD_CHANGE_DEFINE="#define HID_CARD_CHANGE_SUPPORT 1"
@@ -231,115 +322,215 @@ else
   echo "Card insert/removal by HID device is NOT supported"
 fi
 
-if test -d ../.git; then
-  REVISION=`git describe --dirty="-modified"` 
+# --enable-factory-reset option
+if test "$factory_reset" = "yes"; then
+  LIFE_CYCLE_MANAGEMENT_DEFINE="#define LIFE_CYCLE_MANAGEMENT_SUPPORT 1"
+  echo "Life cycle management is supported"
 else
-  REVISION=`cat ../VERSION`
+  LIFE_CYCLE_MANAGEMENT_DEFINE="#undef LIFE_CYCLE_MANAGEMENT_SUPPORT"
+  echo "Life cycle management is NOT supported"
+fi
+
+# Acknowledge button support
+if test "$ackbtn_support" = "yes"; then
+  ACKBTN_DEFINE="#define ACKBTN_SUPPORT 1"
+  echo "Acknowledge button is supported"
+else
+  ACKBTN_DEFINE="#undef ACKBTN_SUPPORT"
+  echo "Acknowledge button is not supported"
+fi
+
+# KDF Data Object is always required for GNU/Linux emulation
+if test "$kdf_do" = "required"; then
+  KDF_DO_REQUIRED_DEFINE="#define KDF_DO_REQUIRED 1"
+  echo "KDF DO is required before key import/generation"
+else
+  KDF_DO_REQUIRED_DEFINE="#undef KDF_DO_REQUIRED"
 fi
 
 ### !!! Replace following string of "FSIJ" to yours !!! ####
-SERIALNO="FSIJ-`cat ../VERSION | sed -e 's%^[^/]*/%%'`-"
+SERIALNO="DTS-$(sed -e 's%^[^/]*/%%' <../VERSION)-"
 
 SERIALNO_STR_LEN_DEFINE="#define SERIALNO_STR_LEN ${#SERIALNO}"
 
 
-CONFIG="$target:dfu=$with_dfu:debug=$debug:pinpad=$pinpad:certdo=$certdo:keygen=$keygen"
+if test "$sys1_compat" = "yes"; then
+  CONFIG="$target:dfu=$with_dfu:debug=$debug:pinpad=$pinpad:certdo=$certdo:factory_reset=$factory_reset:kdf=$kdf_do"
+else
+  if test "$with_dfu" = "yes"; then
+    echo "Common binary can't support DFU loader, don't use --with-dfu." >&2
+    exit 1
+  fi
+  # Override settings for common binary.  Safer side.
+  FLASH_PAGE_SIZE=2048
+  FLASH_SIZE=128
+  MEMORY_SIZE=20
+  CONFIG="common:debug=$debug:pinpad=$pinpad:certdo=$certdo:factory_reset=$factory_reset:kdf=$kdf_do"
+fi
+
+output_vid_pid_version () {
+  echo "$VIDPID" | \
+  sed -n -e "s%^\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\):\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\)$%\1\t\2\t\3\t\4%p" | \
+  while read -r FIRST SECOND THIRD FOURTH; do
+    if test $FIRST != 00; then
+      echo replace_vid_msb $FIRST
+    fi
+    if test $SECOND != 00; then
+      echo replace_vid_lsb $SECOND
+    fi
+    if test $THIRD != 00; then
+      echo replace_pid_msb $THIRD
+    fi
+    if test $FOURTH != 00; then
+      echo replace_pid_lsb $FOURTH
+    fi
+  done
+  echo "$VERSION" | \
+  sed -n -e "s%^\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\)$%\1\t\2%p" | \
+  while read -r FIRST SECOND; do
+    if test $FIRST != 00; then
+      echo replace_bcd_device_msb $FIRST
+    fi
+    if test $SECOND != 00; then
+      echo replace_bcd_device_lsb $SECOND
+    fi
+  done
+}
+
+output_vendor_product_serial_strings () {
+  name=$1
+
+  echo "static const uint8_t ${name}string_vendor[] = {"
+  echo "  ${#VENDOR}*2+2,                       /* bLength */"
+  echo "  STRING_DESCRIPTOR,            /* bDescriptorType */"
+  echo "  /* Manufacturer: \"$VENDOR\" */"
+  echo "$VENDOR" | sed -e "s/\(........\)/\1\\${nl}/g" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "/^  ./s/ $//p"
+  echo '};'
+  echo
+  echo "static const uint8_t ${name}string_product[] = {"
+  echo "  ${#PRODUCT}*2+2,                      /* bLength */"
+  echo "  STRING_DESCRIPTOR,            /* bDescriptorType */"
+  echo "  /* Product name: \"$PRODUCT\" */"
+  echo "$PRODUCT" | sed -e "s/\(........\)/\1\\${nl}/g" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "/^  ./s/ $//p"
+  echo '};'
+
+  if test -n "$name"; then
+  echo
+  echo "const uint8_t ${name}string_serial[] = {"
+  echo "  ${#SERIALNO}*2+2+16,                  /* bLength */"
+  echo "  STRING_DESCRIPTOR,            /* bDescriptorType */"
+  echo "  /* Serial number: \"$SERIALNO\" */"
+  echo "$SERIALNO" | sed -e "s/\(........\)/\1\\${nl}/g" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "/^  ./s/ $//p"
+  if test "$emulation" = "yes"; then
+    echo "  'E', 0, 'M', 0, 'U', 0, 'L', 0,"
+    echo "  'A', 0, 'T', 0, 'E', 0, 'D', 0,"
+  else
+    echo "  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,"
+    echo "  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,"
+  fi
+  echo '};'
+  echo
+  echo '#ifdef USB_STRINGS_FOR_GNUK'
+  echo "static const uint8_t ${name}revision_detail[] = {"
+  echo "  ${#REVISION}*2+2,                     /* bLength */"
+  echo "  STRING_DESCRIPTOR,            /* bDescriptorType */"
+  echo "  /* revision detail: \"$REVISION\" */"
+  echo "$REVISION" | sed -e "s/\(........\)/\1\\${nl}/g" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "/^  ./s/ $//p"
+  echo '};'
+  echo
+  echo "static const uint8_t ${name}config_options[] = {"
+  echo "  ${#CONFIG}*2+2,                       /* bLength */"
+  echo "  STRING_DESCRIPTOR,            /* bDescriptorType */"
+  echo "  /* configure options: \"$CONFIG\" */"
+  echo $CONFIG | sed -e "s/\(........\)/\1\\${nl}/g" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "/^  ./s/ $//p"
+  echo '};'
+  echo '#endif'
+  fi
+}
+
+(echo "#! /bin/bash"
+ echo
+ echo 'source "binary-edit.sh"') > put-vid-pid-ver.sh
 
 if !(IFS="	"
-  while read VIDPID VERSION PRODUCT VENDOR; do
+  while read -r VIDPID VERSION PRODUCT VENDOR; do
     if test "$vidpid" = "$VIDPID"; then
-      (echo $VIDPID | sed -n -e "s%^\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\):\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\)$%  0x\2, 0x\1, /* idVendor  */\n  0x\4, 0x\3, /* idProduct */%p"
-       echo $VERSION | sed -n -e "s%^\([0-9a-f][0-9a-f]\)\([0-9a-f][0-9a-f]\)$%  0x\2, 0x\1, /* bcdDevice  */%p"
-      ) > usb-vid-pid-ver.c.inc
-      (echo 'static const uint8_t gnukStringVendor[] = {'
-       echo "  ${#VENDOR}*2+2,			/* bLength */"
-       echo "  USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */"
-       echo "  /* Manufacturer: \"$VENDOR\" */"
-       echo $VENDOR | sed -n -e "s/\(........\)/\1\n/gp" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "s/ $//p"
-       echo '};'
-       echo
-       echo 'static const uint8_t gnukStringProduct[] = {'
-       echo "  ${#PRODUCT}*2+2,			/* bLength */"
-       echo "  USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */"
-       echo "  /* Product name: \"$PRODUCT\" */"
-       echo $PRODUCT | sed -n -e "s/\(........\)/\1\n/gp" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "s/ $//p"
-       echo '};'
-       echo
-       echo 'const uint8_t gnukStringSerial[] = {'
-       echo "  ${#SERIALNO}*2+2+16,			/* bLength */"
-       echo "  USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */"
-       echo "  /* Serial number: \"$SERIALNO\" */"
-       echo $SERIALNO | sed -n -e "s/\(........\)/\1\n/gp" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "s/ $//p"
-       echo "  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,"
-       echo "  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,"
-       echo '};'
-       echo
-       echo '#ifdef USB_STRINGS_FOR_GNUK'
-       echo 'static const uint8_t gnuk_revision_detail[] = {'
-       echo "  ${#REVISION}*2+2,			/* bLength */"
-       echo "  USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */"
-       echo "  /* revision detail: \"$REVISION\" */"
-       echo $REVISION | sed -n -e "s/\(........\)/\1\n/gp" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "s/ $//p"
-       echo '};'
-       echo
-       echo 'static const uint8_t gnuk_config_options[] = {'
-       echo "  ${#CONFIG}*2+2,			/* bLength */"
-       echo "  USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */"
-       echo "  /* configure options: \"$CONFIG\" */"
-       echo $CONFIG | sed -n -e "s/\(........\)/\1\n/gp" | sed -n -e "s/\(.\)/'\1', 0, /g" -e "s/^/  /" -e "s/ $//p"
-       echo '};'
-       echo '#endif'
-       ) >usb-strings.c.inc
+      echo                       >> put-vid-pid-ver.sh
+      echo 'addr=$file_off_ADDR' >> put-vid-pid-ver.sh
+      output_vid_pid_version     >> put-vid-pid-ver.sh
+      output_vendor_product_serial_strings gnuk_ >usb-strings.c.inc
       exit 0
     fi
   done; exit 1) < ../GNUK_USB_DEVICE_ID
 then
-  echo "Please specify valid Vendor ID and Product ID." 
-  echo "Check ../GNUK_USB_DEVICE_ID."
+  echo "Please specify valid Vendor ID and Product ID." >&2
+  echo "Check ../GNUK_USB_DEVICE_ID." >&2
   exit 1
 fi
 
 if test "$sys1_compat" = "no"; then
-   # Disable when you are sure that it's sys version 2.0.
-   # Note that Gnuk 1.0 and Neug (until 0.06) uses sys version 1.0.
-   # Disabling the compatibility, executable will be target independent,
-   # assuming the clock initialization will be done by SYS (before entry).
-   have_sys_h="-DHAVE_SYS_H"
+    # Disable when you are sure that it's sys version 3.0 or later.
+    # Note that Gnuk 1.0 and NeuG (until 0.06) uses sys version 1.0.
+    # Disabling the compatibility, executable will be target independent,
+    # assuming the clock initialization will be done by clock_init in 
+    # SYS.
+    use_sys3="-DUSE_SYS3"
 else
-   have_sys_h=""
+    use_sys3=""
 fi
 
-sed -e "s%@HAVE_SYS_H@%$have_sys_h%" \
-    -e "s%@DEBUG_MAKE_OPTION@%$DEBUG_MAKE_OPTION%" \
-    -e "s%@PINPAD_MAKE_OPTION@%$PINPAD_MAKE_OPTION%" \
-    -e "s%@KEYGEN_SUPPORT@%$KEYGEN_SUPPORT%" \
-    -e "s%@HEXOUTPUT_MAKE_OPTION@%$HEXOUTPUT_MAKE_OPTION%" \
-	< Makefile.in > Makefile
+
+(echo "CHIP=$chip";
+ echo "ARCH=$arch";
+ echo "EMULATION=$emulation";
+ echo "CROSS=$cross";
+ echo "MCU=$mcu";
+ echo "DEFS=$use_sys3 $flash_override $def_emulation $def_memory_size $def_mhz";
+ echo "LDSCRIPT=$ldscript";
+ echo "LIBS=$libs";
+ echo "$DEBUG_MAKE_OPTION";
+ echo "$PINPAD_MAKE_OPTION";
+ echo "ENABLE_FRAUCHEKY=$enable_fraucheky";
+ echo "ENABLE_OUTPUT_HEX=$enable_hexoutput"
+ if test "$ackbtn_support" = "yes"; then
+   echo "USE_ACKBTN=yes"
+ fi
+ if test "$with_dfu" = "yes"; then
+   echo "USE_DFU=yes"
+ fi
+ if test "$emulation" = "yes"; then
+   echo "prefix=$prefix"
+   echo "exec_prefix=$exec_prefix"
+   echo "libexecdir=$libexecdir"
+ fi
+)	> config.mk
+
 if test "$certdo" = "yes"; then
   sed -e "/^@CERTDO_SUPPORT_START@$/ d" -e "/^@CERTDO_SUPPORT_END@$/ d" \
       -e "s/@ORIGIN@/$ORIGIN/" -e "s/@FLASH_SIZE@/$FLASH_SIZE/" \
       -e "s/@MEMORY_SIZE@/$MEMORY_SIZE/" \
       -e "s/@FLASH_PAGE_SIZE@/$FLASH_PAGE_SIZE/" \
-      -e "s/@MSC_SIZE@/$MSC_SIZE/" \
-      -e "s/@TIM_SIZE@/$TIM_SIZE/" \
-      -e "s/@EXT_SIZE@/$EXT_SIZE/" \
 	< gnuk.ld.in > gnuk.ld
 else
   sed -e "/^@CERTDO_SUPPORT_START@$/,/^@CERTDO_SUPPORT_END@$/ d" \
       -e "s/@ORIGIN@/$ORIGIN/" -e "s/@FLASH_SIZE@/$FLASH_SIZE/" \
       -e "s/@MEMORY_SIZE@/$MEMORY_SIZE/" \
       -e "s/@FLASH_PAGE_SIZE@/$FLASH_PAGE_SIZE/" \
-      -e "s/@MSC_SIZE@/$MSC_SIZE/" \
-      -e "s/@TIM_SIZE@/$TIM_SIZE/" \
-      -e "s/@EXT_SIZE@/$EXT_SIZE/" \
 	< gnuk.ld.in > gnuk.ld
 fi
+sed -e "s/@ORIGIN_REAL@/$ORIGIN_REAL/" -e "s/@MEMORY_SIZE@/$MEMORY_SIZE/" \
+	< stdaln-sys.ld.in > stdaln-sys.ld
 sed -e "s/@DEBUG_DEFINE@/$DEBUG_DEFINE/" \
     -e "s/@DFU_DEFINE@/$DFU_DEFINE/" \
+    -e "s/@ORIGIN_DEFINE@/$ORIGIN_DEFINE/" \
+    -e "s/@ORIGIN_REAL_DEFINE@/$ORIGIN_REAL_DEFINE/" \
     -e "s/@PINPAD_DEFINE@/$PINPAD_DEFINE/" \
     -e "s/@PINPAD_MORE_DEFINE@/$PINPAD_MORE_DEFINE/" \
     -e "s/@CERTDO_DEFINE@/$CERTDO_DEFINE/" \
     -e "s/@HID_CARD_CHANGE_DEFINE@/$HID_CARD_CHANGE_DEFINE/" \
-    -e "s/@SERIALNO_STR_LEN@/$SERIALNO_STR_LEN_DEFINE/" \
+    -e "s/@LIFE_CYCLE_MANAGEMENT_DEFINE@/$LIFE_CYCLE_MANAGEMENT_DEFINE/" \
+    -e "s/@ACKBTN_DEFINE@/$ACKBTN_DEFINE/" \
+    -e "s/@SERIALNO_STR_LEN_DEFINE@/$SERIALNO_STR_LEN_DEFINE/" \
+    -e "s/@KDF_DO_REQUIRED_DEFINE@/$KDF_DO_REQUIRED_DEFINE/" \
 	< config.h.in > config.h
 exit 0

src/ec_p256k1.c

@@ -21,6 +21,12 @@
  *
  */
 
+/*
+ * Note: we don't take advantage of the specific feature of this curve,
+ * but use same method of computation as NIST P-256 curve.  That's due
+ * to some software patent(s).
+ */
+
 #include <stdint.h>
 #include <string.h>
 #include "bn.h"
@@ -36,9 +42,11 @@
 /*
  * a = 0, b = 7
  */
+#if 0
 static const bn256 coefficient_a[1] = {
   {{ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }}
 };
+#endif
 
 static const bn256 coefficient_b[1] = {
   {{ 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }}

src/ec_p256k1.h

@@ -1,4 +1,4 @@
 int compute_kP_p256k1 (ac *X, const bn256 *K, const ac *P);
-
 int compute_kG_p256k1 (ac *X, const bn256 *K);
 void ecdsa_p256k1 (bn256 *r, bn256 *s, const bn256 *z, const bn256 *d);
+int check_secret_p256k1 (const bn256 *q, bn256 *d1);

src/ec_p256r1.h

@@ -1,5 +1,4 @@
 int compute_kP_p256r1 (ac *X, const bn256 *K, const ac *P);
-
 int compute_kG_p256r1 (ac *X, const bn256 *K);
 void ecdsa_p256r1 (bn256 *r, bn256 *s, const bn256 *z, const bn256 *d);
-
+int check_secret_p256r1 (const bn256 *q, bn256 *d1);

src/ecc-cdh.c

@@ -1,76 +0,0 @@
-/*
- * ecc-cdh.c - One-Pass Diffie-Hellman method implementation
- *             C(1, 1, ECC CDH) for EC DH of OpenPGP ECC
- *
- * Copyright (C) 2013 Free Software Initiative of Japan
- * Author: NIIBE Yutaka <gniibe@fsij.org>
- *
- * This file is a part of Gnuk, a GnuPG USB Token implementation.
- *
- * Gnuk is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * Gnuk is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
- * License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-/*
- * References:
- *
- * [1] A. Jivsov, Elliptic Curve Cryptography (ECC) in OpenPGP, RFC 6637,
- *     June 2012.
- *
- * [2] Suite B Implementer's Guide to NIST SP 800-56A, July 28, 2009.
- *
- */
-
-static const char param[] = {
-  /**/
-  curve_OID_len,
-  curve_OID,
-  public-key_alg_ID, /*ecdh*/
-  0x03,
-  0x01,
-  KDF_hash_ID, /*sha256*/
-  KEK_alg_ID, /*aes128*/
-  "Anonymous Sender    ",
-  my_finger_print /*20-byte*/
-};
-
-/*
- *
- */
-int
-ecdh (unsigned char *key,
-      const unsigned char *key_encrypted, const ac *P,
-      const naf4_257 *naf_d, const unsigned char *fp)
-{
-  ac S[1];
-  sha256_context ctx;
-  unsigned char kek[32];
-  unsigned char x[32];
-  int i;
-  const unsigned char *p;
-
-  compute_kP (S, naf_d, P);	/* Get shared secret.  */
-
-  /* Endian change from big to little.  */
-  p = (const unsigned char *)S->x;
-  for (i = 0; i < 32; i++)
-    x[31-i] = p[i];
-
-  /* kdf (kek, S, parameter) */
-  sha256_start (&ctx);
-  sha256_update (&ctx, "\x00\x00\x00\x01", 4);
-  sha256_update (&ctx, x, size of x);
-  sha256_update (&ctx, (const char *)param, size of param);
-  sha256_finish (&ctx, kek);
-}

src/ecc-edwards.c

@@ -2,7 +2,7 @@
  * ecc-edwards.c - Elliptic curve computation for
  *                 the twisted Edwards curve: -x^2 + y^2 = 1 + d*x^2*y^2
  *
- * Copyright (C) 2014 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2017  Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -23,7 +23,6 @@
  */
 
 #include <stdint.h>
-#include <stdlib.h>
 #include <string.h>
 
 #include "bn.h"
@@ -50,7 +49,7 @@
  * IMPLEMENTATION NOTE
  *
  * (0) We assume that the processor has no cache, nor branch target
- *     prediction.  Thus, we don't avoid indexing by secret value. 
+ *     prediction.  Thus, we don't avoid indexing by secret value.
  *     We don't avoid conditional jump if both cases have same timing,
  *     either.
  *
@@ -127,7 +126,6 @@ mod25519_is_neg (const bn256 *a)
 static void
 point_double (ptc *X, const ptc *A)
 {
-  uint32_t borrow;
   bn256 b[1], d[1], e[1];
 
   /* Compute: B = (X1 + Y1)^2 */
@@ -141,33 +139,27 @@ point_double (ptc *X, const ptc *A)
   mod25638_sqr (d, A->y);
 
   /* E = aC; where a = -1 */
-  /* Compute: E - D = -(C+D)  : Y3_tmp */
+  /* Compute: D - E = D + C : Y3_tmp */
   mod25638_add (X->y, e, d);
-  /* Negation: it can result borrow, as it is in redundant representation. */
-  borrow = bn256_sub (X->y, n25638, X->y);
-  if (borrow)
-    bn256_add (X->y, X->y, n25638); /* carry ignored */
-  else
-    bn256_add (X->x, X->y, n25638); /* dummy calculation */
 
-  /* Compute: F = E + D = D - C; where a = -1 : E */
-  mod25638_sub (e, d, e);
+  /* Compute: -F = -(E + D) = C - D; where a = -1 : E */
+  mod25638_sub (e, e, d);
 
   /* Compute: H = Z1^2        : D     */
   mod25638_sqr (d, A->z);
 
-  /* Compute: J = F - 2*H     : D     */
+  /* Compute: -J = 2*H - F    : D     */
   mod25638_add (d, d, d);
-  mod25638_sub (d, e, d);
+  mod25638_add (d, d, e);
 
-  /* Compute: X3 = (B-C-D)*J = (B+Y3_tmp)*J  */
-  mod25638_add (X->x, b, X->y);
+  /* Compute: X3 = (B-C-D)*J = -J*(C+D-B) = -J*(Y3_tmp-B)  */
+  mod25638_sub (X->x, X->y, b);
   mod25638_mul (X->x, X->x, d);
 
-  /* Compute: Y3 = F*(E-D) = F*Y3_tmp            */
+  /* Compute: Y3 = -F*(D-E) = -F*Y3_tmp            */
   mod25638_mul (X->y, X->y, e);
 
-  /* Z3 = F*J             */
+  /* Z3 = -F*-J             */
   mod25638_mul (X->z, e, d);
 }
 
@@ -242,7 +234,7 @@ point_add (ptc *X, const ptc *A, const ac *B)
  * @param X	Destination AC
  * @param A	PTC
  *
- * (X1:Y1:Z1) represents the affine point (x=X1/Z1, y=Y1/Z1) 
+ * (X1:Y1:Z1) represents the affine point (x=X1/Z1, y=Y1/Z1)
  */
 static void
 point_ptc_to_ac (ac *X, const ptc *A)
@@ -265,195 +257,195 @@ point_ptc_to_ac (ac *X, const ptc *A)
 static const ac precomputed_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0x8f25d51a, 0xc9562d60, 0x9525a7b2, 0x692cc760, 
+  { {{{ 0x8f25d51a, 0xc9562d60, 0x9525a7b2, 0x692cc760,
         0xfdd6dc5c, 0xc0a4e231, 0xcd6e53fe, 0x216936d3 }}},
-    {{{ 0x66666658, 0x66666666, 0x66666666, 0x66666666, 
+    {{{ 0x66666658, 0x66666666, 0x66666666, 0x66666666,
         0x66666666, 0x66666666, 0x66666666, 0x66666666 }}} },
-  { {{{ 0x3713af22, 0xac7137bd, 0xac634604, 0x25ed77a4, 
+  { {{{ 0x3713af22, 0xac7137bd, 0xac634604, 0x25ed77a4,
         0xa815e038, 0xce0d0064, 0xbca90151, 0x041c030f }}},
-    {{{ 0x0780f989, 0xe9b33fcf, 0x3d4445e7, 0xe4e97c2a, 
+    {{{ 0x0780f989, 0xe9b33fcf, 0x3d4445e7, 0xe4e97c2a,
         0x655e5c16, 0xc67dc71c, 0xee43fb7a, 0x72467625 }}} },
-  { {{{ 0x3ee99893, 0x76a19171, 0x7ba9b065, 0xe647edd9, 
+  { {{{ 0x3ee99893, 0x76a19171, 0x7ba9b065, 0xe647edd9,
         0x6aeae260, 0x31f39299, 0x5f4a9bb2, 0x6d9e4545 }}},
-    {{{ 0x94cae280, 0xc41433da, 0x79061211, 0x8e842de8, 
+    {{{ 0x94cae280, 0xc41433da, 0x79061211, 0x8e842de8,
         0xa259dc8a, 0xaab95e0b, 0x99013cd0, 0x28bd5fc3 }}} },
-  { {{{ 0x7d23ea24, 0x59e22c56, 0x0460850e, 0x1e745a88, 
+  { {{{ 0x7d23ea24, 0x59e22c56, 0x0460850e, 0x1e745a88,
         0xda13ef4b, 0x4583ff4c, 0x95083f85, 0x1f13202c }}},
-    {{{ 0x90275f48, 0xad42025c, 0xb55c4778, 0x0085087e, 
+    {{{ 0x90275f48, 0xad42025c, 0xb55c4778, 0x0085087e,
         0xfdfd7ffa, 0xf21109e7, 0x6c381b7e, 0x66336d35 }}} },
-  { {{{ 0xd00851f2, 0xaa9476ab, 0x4a61600b, 0xe7838534, 
+  { {{{ 0xd00851f2, 0xaa9476ab, 0x4a61600b, 0xe7838534,
         0x1a52df87, 0x0de65625, 0xbd675870, 0x5f0dd494 }}},
-    {{{ 0xe23493ba, 0xf20aec1b, 0x3414b0a8, 0x8f7f2741, 
+    {{{ 0xe23493ba, 0xf20aec1b, 0x3414b0a8, 0x8f7f2741,
         0xa80e1eb6, 0x497e74bd, 0xe9365b15, 0x1648eaac }}} },
-  { {{{ 0x04ac2b69, 0x5b78dcec, 0x32001a73, 0xecdb66ce, 
+  { {{{ 0x04ac2b69, 0x5b78dcec, 0x32001a73, 0xecdb66ce,
         0xb34cf697, 0xb75832f4, 0x3a2bce94, 0x7aaf57c5 }}},
-    {{{ 0x60fdfc6f, 0xb32ed2ce, 0x757924c6, 0x77bf20be, 
+    {{{ 0x60fdfc6f, 0xb32ed2ce, 0x757924c6, 0x77bf20be,
         0x48742dd1, 0xaebd15dd, 0x55d38439, 0x6311bb16 }}} },
-  { {{{ 0x42ff5c97, 0x139cdd73, 0xdbd82964, 0xee4c359e, 
+  { {{{ 0x42ff5c97, 0x139cdd73, 0xdbd82964, 0xee4c359e,
         0x70611a3f, 0x91c1cd94, 0x8075dbcb, 0x1d0c34f6 }}},
-    {{{ 0x5f931219, 0x43eaa549, 0xa23d35a6, 0x3737aba7, 
+    {{{ 0x5f931219, 0x43eaa549, 0xa23d35a6, 0x3737aba7,
         0x46f167bb, 0x54b1992f, 0xb74a9944, 0x01a11f3c }}} },
-  { {{{ 0xba46b161, 0x67a5310e, 0xd9d67f6c, 0x790f8527, 
+  { {{{ 0xba46b161, 0x67a5310e, 0xd9d67f6c, 0x790f8527,
         0x2f6cc814, 0x359c5b5f, 0x7786383d, 0x7b6a5565 }}},
-    {{{ 0x663ab0d3, 0xf1431b60, 0x09995826, 0x14a32d8f, 
+    {{{ 0x663ab0d3, 0xf1431b60, 0x09995826, 0x14a32d8f,
         0xeddb8571, 0x61d526f6, 0x0eac739a, 0x0cb7acea }}} },
-  { {{{ 0x4a2d009f, 0x5eb1a697, 0xd8df987a, 0xdacb43b4, 
+  { {{{ 0x4a2d009f, 0x5eb1a697, 0xd8df987a, 0xdacb43b4,
         0x8397f958, 0x4870f214, 0x8a175fbb, 0x5aa0c67c }}},
-    {{{ 0x78887db3, 0x27dbbd4c, 0x64e322ab, 0xe327b707, 
+    {{{ 0x78887db3, 0x27dbbd4c, 0x64e322ab, 0xe327b707,
         0x7cbe4e3b, 0x87e293fa, 0xbda72395, 0x17040799 }}} },
-  { {{{ 0x99d1e696, 0xc833a5a2, 0x2d9d5877, 0x969bff8e, 
+  { {{{ 0x99d1e696, 0xc833a5a2, 0x2d9d5877, 0x969bff8e,
         0x2216fa67, 0x383a533a, 0x684d3925, 0x338bbe0a }}},
-    {{{ 0xd6cfb491, 0x35b5aae8, 0xaa12f3f8, 0x4a588279, 
+    {{{ 0xd6cfb491, 0x35b5aae8, 0xaa12f3f8, 0x4a588279,
         0x2e30380e, 0xa7c2e708, 0x9e4b3d62, 0x69f13e09 }}} },
-  { {{{ 0x27f1cd56, 0xec0dc2ef, 0xdb11cc97, 0x1af11548, 
+  { {{{ 0x27f1cd56, 0xec0dc2ef, 0xdb11cc97, 0x1af11548,
         0x9ebc7613, 0xb642f86a, 0xcb77c3b9, 0x5ce45e73 }}},
-    {{{ 0x3eddd6de, 0x5d128786, 0x4859eab7, 0x16f9a6b4, 
+    {{{ 0x3eddd6de, 0x5d128786, 0x4859eab7, 0x16f9a6b4,
         0xd8782345, 0x55c53916, 0xdb7b202a, 0x6b1dfa87 }}} },
-  { {{{ 0x19e30528, 0x2461a8ed, 0x665cfb1c, 0xaf756bf9, 
+  { {{{ 0x19e30528, 0x2461a8ed, 0x665cfb1c, 0xaf756bf9,
         0x3a6e8673, 0x0fcafd1d, 0x45d10f48, 0x0d264435 }}},
-    {{{ 0x5431db67, 0x543fd4c6, 0x60932432, 0xc153a5b3, 
+    {{{ 0x5431db67, 0x543fd4c6, 0x60932432, 0xc153a5b3,
         0xd2119aa4, 0x41d5b8eb, 0x8b09b6a5, 0x36bd9ab4 }}} },
-  { {{{ 0x21e06738, 0x6d39f935, 0x3765dd86, 0x4e6a7c59, 
+  { {{{ 0x21e06738, 0x6d39f935, 0x3765dd86, 0x4e6a7c59,
         0xa4730880, 0xefc0dd80, 0x4079fe2f, 0x40617e56 }}},
-    {{{ 0x921439b9, 0xbc83cdff, 0x98833c09, 0xd5cccc06, 
+    {{{ 0x921439b9, 0xbc83cdff, 0x98833c09, 0xd5cccc06,
         0xda13cdcb, 0xe315c425, 0x67ff5370, 0x37bc6e84 }}} },
-  { {{{ 0xf643b5f5, 0x65e7f028, 0x0ffbf5a8, 0x5b0d4831, 
+  { {{{ 0xf643b5f5, 0x65e7f028, 0x0ffbf5a8, 0x5b0d4831,
         0xf4085f62, 0x0f540498, 0x0db7bd1b, 0x6f0bb035 }}},
-    {{{ 0x9733742c, 0x51f65571, 0xf513409f, 0x2fc047a0, 
+    {{{ 0x9733742c, 0x51f65571, 0xf513409f, 0x2fc047a0,
         0x355facf6, 0x07f45010, 0x3a989a9c, 0x5cd416a9 }}} },
-  { {{{ 0x748f2a67, 0x0bdd7208, 0x415b7f7f, 0x0cf0b80b, 
+  { {{{ 0x748f2a67, 0x0bdd7208, 0x415b7f7f, 0x0cf0b80b,
         0x57aa0119, 0x44afdd5f, 0x430dc946, 0x05d68802 }}},
-    {{{ 0x1a60eeb2, 0x420c46e5, 0x665024f5, 0xc60a9b33, 
+    {{{ 0x1a60eeb2, 0x420c46e5, 0x665024f5, 0xc60a9b33,
         0x48c51347, 0x37520265, 0x00a21bfb, 0x6f4be0af }}} }
 };
 
 static const ac precomputed_2E_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0x199c4f7d, 0xec314ac0, 0xb2ebaaf9, 0x66a39c16, 
+  { {{{ 0x199c4f7d, 0xec314ac0, 0xb2ebaaf9, 0x66a39c16,
         0xedd4d15f, 0xab1c92b8, 0x57d9eada, 0x482a4cdf }}},
-    {{{ 0x6e4eb04b, 0xbd513b11, 0x25e4fd6a, 0x3f115fa5, 
+    {{{ 0x6e4eb04b, 0xbd513b11, 0x25e4fd6a, 0x3f115fa5,
         0x14519298, 0x0b3c5fc6, 0x81c2f7a8, 0x7391de43 }}} },
-  { {{{ 0x1254fe02, 0xa57dca18, 0x6da34368, 0xa56a2a14, 
+  { {{{ 0x1254fe02, 0xa57dca18, 0x6da34368, 0xa56a2a14,
         0x63e7328e, 0x44c6e34f, 0xca63ab3e, 0x3f748617 }}},
-    {{{ 0x7dc1641e, 0x5a13dc52, 0xee4e9ca1, 0x4cbb2899, 
+    {{{ 0x7dc1641e, 0x5a13dc52, 0xee4e9ca1, 0x4cbb2899,
         0x1ba9acee, 0x3938a289, 0x420fc47b, 0x0fed89e6 }}} },
-  { {{{ 0x49cbad08, 0x3c193f32, 0x15e80ef5, 0xdda71ef1, 
+  { {{{ 0x49cbad08, 0x3c193f32, 0x15e80ef5, 0xdda71ef1,
         0x9d128c33, 0xda44186c, 0xbf98c24f, 0x54183ede }}},
-    {{{ 0x93d165c1, 0x2cb483f7, 0x177f44aa, 0x51762ace, 
+    {{{ 0x93d165c1, 0x2cb483f7, 0x177f44aa, 0x51762ace,
         0xb4ab035d, 0xb3fe651b, 0xa0b0d4e5, 0x426c99c3 }}} },
-  { {{{ 0xef3f3fb1, 0xb3fcf4d8, 0x065060a0, 0x7052292b, 
+  { {{{ 0xef3f3fb1, 0xb3fcf4d8, 0x065060a0, 0x7052292b,
         0x24240b15, 0x18795ff8, 0x9989ffcc, 0x13aea184 }}},
-    {{{ 0xc2b81f44, 0x1930c101, 0x10600555, 0x672d6ca4, 
+    {{{ 0xc2b81f44, 0x1930c101, 0x10600555, 0x672d6ca4,
         0x1b25e570, 0xfbddbff2, 0x8ca12b70, 0x0884949c }}} },
-  { {{{ 0x00564bbf, 0x9983a033, 0xde61b72d, 0x95587d25, 
+  { {{{ 0x00564bbf, 0x9983a033, 0xde61b72d, 0x95587d25,
         0xeb17ad71, 0xb6719dfb, 0xc0bc3517, 0x46871ad0 }}},
-    {{{ 0xe95a6693, 0xb034fb61, 0x76eabad9, 0x5b0d8d18, 
+    {{{ 0xe95a6693, 0xb034fb61, 0x76eabad9, 0x5b0d8d18,
         0x884785dc, 0xad295dd0, 0x74a1276a, 0x359debad }}} },
-  { {{{ 0xe89fb5ca, 0x2e5a2686, 0x5656c6c5, 0xd3d200ba, 
+  { {{{ 0xe89fb5ca, 0x2e5a2686, 0x5656c6c5, 0xd3d200ba,
         0x9c969001, 0xef4c051e, 0x02cb45f4, 0x0d4ea946 }}},
-    {{{ 0x76d6e506, 0xa6f8a422, 0x63209e23, 0x454c768f, 
+    {{{ 0x76d6e506, 0xa6f8a422, 0x63209e23, 0x454c768f,
         0x2b372386, 0x5c12fd04, 0xdbfee11f, 0x1aedbd3e }}} },
-  { {{{ 0x00dbf569, 0x700ab50f, 0xd335b313, 0x9553643c, 
+  { {{{ 0x00dbf569, 0x700ab50f, 0xd335b313, 0x9553643c,
         0xa17dc97e, 0xeea9bddf, 0x3350a2bd, 0x0d12fe3d }}},
-    {{{ 0xa16a3dee, 0xe5ac35fe, 0xf81950c3, 0x4ae4664a, 
+    {{{ 0xa16a3dee, 0xe5ac35fe, 0xf81950c3, 0x4ae4664a,
         0x3dbbf921, 0x75c63df4, 0x2958a5a6, 0x545b109c }}} },
-  { {{{ 0x0a61b29c, 0xd7a52a98, 0x65aca9ee, 0xe21e0acb, 
+  { {{{ 0x0a61b29c, 0xd7a52a98, 0x65aca9ee, 0xe21e0acb,
         0x5985dcbe, 0x57a69c0f, 0xeb87a534, 0x3c0c1e7b }}},
-    {{{ 0x6384bd2f, 0xf0a0b50d, 0xc6939e4b, 0xff349a34, 
+    {{{ 0x6384bd2f, 0xf0a0b50d, 0xc6939e4b, 0xff349a34,
         0x6e2f1973, 0x922c4554, 0xf1347631, 0x74e826b2 }}} },
-  { {{{ 0xa655803c, 0xd7eaa066, 0x38292c5c, 0x09504e76, 
+  { {{{ 0xa655803c, 0xd7eaa066, 0x38292c5c, 0x09504e76,
         0x2c874953, 0xe298a02e, 0x8932b73f, 0x225093ed }}},
-    {{{ 0xe69c3efd, 0xf93e2b4d, 0x8a87c799, 0xa2cbd5fc, 
+    {{{ 0xe69c3efd, 0xf93e2b4d, 0x8a87c799, 0xa2cbd5fc,
         0x85dba986, 0xdf41da94, 0xccee8edc, 0x36fe85e7 }}} },
-  { {{{ 0x7d742813, 0x78df7dc5, 0x4a193e64, 0x333bcc6d, 
+  { {{{ 0x7d742813, 0x78df7dc5, 0x4a193e64, 0x333bcc6d,
         0x6a966d2d, 0x8242aa25, 0x4cd36d32, 0x03500a94 }}},
-    {{{ 0x580505d7, 0xd5d110fc, 0xfa11e1e9, 0xb2f47e16, 
+    {{{ 0x580505d7, 0xd5d110fc, 0xfa11e1e9, 0xb2f47e16,
         0x06eab6b4, 0xd0030f92, 0x62c91d46, 0x2dc80d5f }}} },
-  { {{{ 0x2a75e492, 0x5788b01a, 0xbae31352, 0x992acf54, 
+  { {{{ 0x2a75e492, 0x5788b01a, 0xbae31352, 0x992acf54,
         0x8159db27, 0x4591b980, 0xd3d84740, 0x36c6533c }}},
-    {{{ 0x103883b5, 0xc44c7c00, 0x515d0820, 0x10329423, 
+    {{{ 0x103883b5, 0xc44c7c00, 0x515d0820, 0x10329423,
         0x71b9dc16, 0xbd306903, 0xf88f8d32, 0x7edd5a95 }}} },
-  { {{{ 0x005523d7, 0xfd63b1ac, 0xad70dd21, 0x74482e0d, 
+  { {{{ 0x005523d7, 0xfd63b1ac, 0xad70dd21, 0x74482e0d,
         0x02b56105, 0x67c9d9d0, 0x5971b456, 0x4d318012 }}},
-    {{{ 0x841106df, 0xdc9a6f6d, 0xa326987f, 0x7c52ed9d, 
+    {{{ 0x841106df, 0xdc9a6f6d, 0xa326987f, 0x7c52ed9d,
         0x00607ea0, 0x4dbeaa6f, 0x6959e688, 0x115c221d }}} },
-  { {{{ 0xc80f7c16, 0xf8718464, 0xe9930634, 0x05dc8f40, 
+  { {{{ 0xc80f7c16, 0xf8718464, 0xe9930634, 0x05dc8f40,
         0xc2e9d5f4, 0xefa699bb, 0x021da209, 0x2469e813 }}},
-    {{{ 0xc602a3c4, 0x75c02845, 0x0a200f9d, 0x49d1b2ce, 
+    {{{ 0xc602a3c4, 0x75c02845, 0x0a200f9d, 0x49d1b2ce,
         0x2fb3ec8f, 0xd21b75e4, 0xd72a7545, 0x10dd726a }}} },
-  { {{{ 0x63ef1a6c, 0xeda58527, 0x051705e0, 0xb3fc0e72, 
+  { {{{ 0x63ef1a6c, 0xeda58527, 0x051705e0, 0xb3fc0e72,
         0x44f1161f, 0xbda6f3ee, 0xf339efe5, 0x7680aebf }}},
-    {{{ 0xb1b070a7, 0xe8d3fd01, 0xdbfbaaa0, 0xc3ff7dbf, 
+    {{{ 0xb1b070a7, 0xe8d3fd01, 0xdbfbaaa0, 0xc3ff7dbf,
         0xa320c916, 0xd81ef6f2, 0x62a3b54d, 0x3e22a1fb }}} },
-  { {{{ 0xb1fa18c8, 0xcdbb9187, 0xcb483a17, 0x8ddb5f6b, 
+  { {{{ 0xb1fa18c8, 0xcdbb9187, 0xcb483a17, 0x8ddb5f6b,
         0xea49af98, 0xc0a880b9, 0xf2dfddd0, 0x53bf600b }}},
-    {{{ 0x9e25b164, 0x4217404c, 0xafb74aa7, 0xfabf06ee, 
+    {{{ 0x9e25b164, 0x4217404c, 0xafb74aa7, 0xfabf06ee,
         0x2b9f233c, 0xb17712ae, 0xd0eb909e, 0x71f0b344 }}} }
 };
 
 static const ac precomputed_4E_KG[16] = {
   { {{{ 0, 0, 0, 0, 0, 0, 0, 0 }}},
     {{{ 1, 0, 0, 0, 0, 0, 0, 0 }}}                         },
-  { {{{ 0xe388a820, 0xbb6ec091, 0x5182278a, 0xa928b283, 
+  { {{{ 0xe388a820, 0xbb6ec091, 0x5182278a, 0xa928b283,
         0xa9a6eb83, 0x2259174d, 0x45500054, 0x184b48cb }}},
-    {{{ 0x26e77c33, 0xfe324dba, 0x83faf453, 0x6679a5e3, 
+    {{{ 0x26e77c33, 0xfe324dba, 0x83faf453, 0x6679a5e3,
         0x2380ef73, 0xdd60c268, 0x03dc33a9, 0x3ee0e07a }}} },
-  { {{{ 0xce974493, 0x403aff28, 0x9bf6f5c4, 0x84076bf4, 
+  { {{{ 0xce974493, 0x403aff28, 0x9bf6f5c4, 0x84076bf4,
         0xecd898fb, 0xec57038c, 0xb663ed49, 0x2898ffaa }}},
-    {{{ 0xf335163d, 0xf4b3bc46, 0xfa4fb6c6, 0xe613a0f4, 
+    {{{ 0xf335163d, 0xf4b3bc46, 0xfa4fb6c6, 0xe613a0f4,
         0xb9934557, 0xe759d6bc, 0xab6c9477, 0x094f3b96 }}} },
-  { {{{ 0x6afffe9e, 0x168bb5a0, 0xee748c29, 0x950f7ad7, 
+  { {{{ 0x6afffe9e, 0x168bb5a0, 0xee748c29, 0x950f7ad7,
         0xda17203d, 0xa4850a2b, 0x77289e0f, 0x0062f7a7 }}},
-    {{{ 0x4b3829fa, 0x6265d4e9, 0xbdfcd386, 0x4f155ada, 
+    {{{ 0x4b3829fa, 0x6265d4e9, 0xbdfcd386, 0x4f155ada,
         0x475795f6, 0x9f38bda4, 0xdece4a4c, 0x560ed4b3 }}} },
-  { {{{ 0x141e648a, 0xdad4570a, 0x019b965c, 0x8bbf674c, 
+  { {{{ 0x141e648a, 0xdad4570a, 0x019b965c, 0x8bbf674c,
         0xdb08fe30, 0xd7a8d50d, 0xa2851109, 0x7efb45d3 }}},
-    {{{ 0xd0c28cda, 0x52e818ac, 0xa321d436, 0x792257dd, 
+    {{{ 0xd0c28cda, 0x52e818ac, 0xa321d436, 0x792257dd,
         0x9d71f8b7, 0x867091c6, 0x11a1bf56, 0x0fe1198b }}} },
-  { {{{ 0x06137ab1, 0x4e848339, 0x3e6674cc, 0x5673e864, 
+  { {{{ 0x06137ab1, 0x4e848339, 0x3e6674cc, 0x5673e864,
         0x0140502b, 0xad882043, 0x6ea1e46a, 0x34b5c0cb }}},
-    {{{ 0x1d70aa7c, 0x29786814, 0x8cdbb8aa, 0x840ae3f9, 
+    {{{ 0x1d70aa7c, 0x29786814, 0x8cdbb8aa, 0x840ae3f9,
         0xbd4801fb, 0x78b4d622, 0xcf18ae9a, 0x6cf4e146 }}} },
-  { {{{ 0x36297168, 0x95c270ad, 0x942e7812, 0x2303ce80, 
+  { {{{ 0x36297168, 0x95c270ad, 0x942e7812, 0x2303ce80,
         0x0205cf0e, 0x71908cc2, 0x32bcd754, 0x0cc15edd }}},
-    {{{ 0x2c7ded86, 0x1db94364, 0xf141b22c, 0xc694e39b, 
+    {{{ 0x2c7ded86, 0x1db94364, 0xf141b22c, 0xc694e39b,
         0x5e5a9312, 0xf22f64ef, 0x3c5e6155, 0x649b8859 }}} },
-  { {{{ 0xb6417945, 0x0d5611c6, 0xac306c97, 0x9643fdbf, 
+  { {{{ 0xb6417945, 0x0d5611c6, 0xac306c97, 0x9643fdbf,
         0x0df500ff, 0xe81faaa4, 0x6f50e615, 0x0792c79b }}},
-    {{{ 0xd2af8c8d, 0xb45bbc49, 0x84f51bfe, 0x16c615ab, 
+    {{{ 0xd2af8c8d, 0xb45bbc49, 0x84f51bfe, 0x16c615ab,
         0xc1d02d32, 0xdc57c526, 0x3c8aaa55, 0x5fb9a9a6 }}} },
-  { {{{ 0xdee40b98, 0x82faa8db, 0x6d520674, 0xff8a5208, 
+  { {{{ 0xdee40b98, 0x82faa8db, 0x6d520674, 0xff8a5208,
         0x446ac562, 0x1f8c510f, 0x2cc6b66e, 0x4676d381 }}},
-    {{{ 0x2e7429f4, 0x8f1aa780, 0x8ed6bdf6, 0x2a95c1bf, 
+    {{{ 0x2e7429f4, 0x8f1aa780, 0x8ed6bdf6, 0x2a95c1bf,
         0x457fa0eb, 0x051450a0, 0x744c57b1, 0x7d89e2b7 }}} },
-  { {{{ 0x3f95ea15, 0xb6bdacd2, 0x2f1a5d69, 0xc9a9d1b1, 
+  { {{{ 0x3f95ea15, 0xb6bdacd2, 0x2f1a5d69, 0xc9a9d1b1,
         0xf4d22d72, 0xd4c2f1a9, 0x4dc516b5, 0x73ecfdf1 }}},
-    {{{ 0x05391e08, 0xa1ce93cd, 0x7b8aac17, 0x98f1e99e, 
+    {{{ 0x05391e08, 0xa1ce93cd, 0x7b8aac17, 0x98f1e99e,
         0xa098cbb3, 0x9ba84f2e, 0xf9bdd37a, 0x1425aa8b }}} },
-  { {{{ 0x966abfc0, 0x8a385bf4, 0xf081a640, 0x55e5e8bc, 
+  { {{{ 0x966abfc0, 0x8a385bf4, 0xf081a640, 0x55e5e8bc,
         0xee26f5ff, 0x835dff85, 0xe509e1ea, 0x4927e622 }}},
-    {{{ 0x352334b0, 0x164c8dbc, 0xa3fea31f, 0xcac1ad63, 
+    {{{ 0x352334b0, 0x164c8dbc, 0xa3fea31f, 0xcac1ad63,
         0x682fd457, 0x9b87a676, 0x1a53145f, 0x75f382ff }}} },
-  { {{{ 0xc3efcb46, 0x16b944f5, 0x68cb184c, 0x1fb55714, 
+  { {{{ 0xc3efcb46, 0x16b944f5, 0x68cb184c, 0x1fb55714,
         0x9ccf2dc8, 0xf1c2b116, 0x808283d8, 0x7417e00f }}},
-    {{{ 0x930199ba, 0x1ea67a22, 0x718990d8, 0x9fbaf765, 
+    {{{ 0x930199ba, 0x1ea67a22, 0x718990d8, 0x9fbaf765,
         0x8f3d5d57, 0x231fc664, 0xe5853194, 0x38141a19 }}} },
-  { {{{ 0x2f81290d, 0xb9f00390, 0x04a9ca6c, 0x44877827, 
+  { {{{ 0x2f81290d, 0xb9f00390, 0x04a9ca6c, 0x44877827,
         0xe1dbdd65, 0x65d7f9b9, 0xf7c6698a, 0x7133424c }}},
-    {{{ 0xa7cd250f, 0x604cfb3c, 0x5acc18f3, 0x460c3c4b, 
+    {{{ 0xa7cd250f, 0x604cfb3c, 0x5acc18f3, 0x460c3c4b,
         0xb518e3eb, 0xa53e50e0, 0x98a40196, 0x2b4b9267 }}} },
-  { {{{ 0xc5dbd06c, 0x591b0672, 0xaa1eeb65, 0x10d43dca, 
+  { {{{ 0xc5dbd06c, 0x591b0672, 0xaa1eeb65, 0x10d43dca,
         0xcd2517af, 0x420cdef8, 0x0b695a8a, 0x513a307e }}},
-    {{{ 0x66503215, 0xee9d6a7b, 0x088fd9a4, 0xdea58720, 
+    {{{ 0x66503215, 0xee9d6a7b, 0x088fd9a4, 0xdea58720,
         0x973afe12, 0x8f3cbbea, 0x872f2538, 0x005c2350 }}} },
-  { {{{ 0x35af3291, 0xe5024b70, 0x4f5e669a, 0x1d3eec2d, 
+  { {{{ 0x35af3291, 0xe5024b70, 0x4f5e669a, 0x1d3eec2d,
         0x6e79d539, 0xc1f6d766, 0x795b5248, 0x34ec043f }}},
-    {{{ 0x400960b6, 0xb2763511, 0x29e57df0, 0xff7a3d84, 
+    {{{ 0x400960b6, 0xb2763511, 0x29e57df0, 0xff7a3d84,
         0x1666c1f1, 0xaeac7792, 0x66084bc0, 0x72426e97 }}} },
-  { {{{ 0x44f826ca, 0x5b1c3199, 0x790aa408, 0x68b00b73, 
+  { {{{ 0x44f826ca, 0x5b1c3199, 0x790aa408, 0x68b00b73,
         0x69e9b92b, 0xaf0984b4, 0x3ffe9093, 0x5fe6736f }}},
-    {{{ 0xffd49312, 0xd67f2889, 0x5cb9ed21, 0x3520d747, 
+    {{{ 0xffd49312, 0xd67f2889, 0x5cb9ed21, 0x3520d747,
         0x3c65a606, 0x94f893b1, 0x2d65496f, 0x2fee5e8c }}} }
 };
 
@@ -593,7 +585,7 @@ bnX_mul_C (uint32_t *r, const uint32_t *q, int q_size)
 
 /**
  * @brief R = A mod M (using M=2^252+C) (Barret reduction)
- * 
+ *
  * See HAC 14.47.
  */
 static void
@@ -667,7 +659,7 @@ mod_reduce_M (bn256 *R, const bn512 *A)
 }
 
 
-void
+int
 eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint32_t *out,
 		  const bn256 *a, const uint8_t *seed, const bn256 *pk)
 {
@@ -711,9 +703,11 @@ eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint32_t *out,
     bn256_add (s, s, M);
   else
     bn256_add (tmp, s, M);
+
+  return 0;
 }
 
-void
+static void
 eddsa_public_key_25519 (bn256 *pk, const bn256 *a)
 {
   ac R[1];
@@ -735,18 +729,10 @@ eddsa_public_key_25519 (bn256 *pk, const bn256 *a)
 }
 
 
-uint8_t *
-eddsa_compute_public_25519 (const uint8_t *kd)
+void
+eddsa_compute_public_25519 (const uint8_t *kd, uint8_t *pubkey)
 {
-  uint8_t *p0;
-  const bn256 *a = (const bn256 *)kd;
-
-  p0 = (uint8_t *)malloc (sizeof (bn256));
-  if (p0 == NULL)
-    return NULL;
-
-  eddsa_public_key_25519 ((bn256 *)p0, a);
-  return p0;
+  eddsa_public_key_25519 ((bn256 *)pubkey, (const bn256 *)kd);
 }
 
 

src/ecc-mont.c

@@ -2,7 +2,7 @@
  * ecc-mont.c - Elliptic curve computation for
  *              the Montgomery curve: y^2 = x^3 + 486662*x^2 + x.
  *
- * Copyright (C) 2014 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2015, 2017  Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -32,7 +32,7 @@
  * References:
  *
  * [1] D. J. Bernstein. Curve25519: new Diffie-Hellman speed records.
- *     Proceedings of PKC 2006, to appear. 
+ *     Proceedings of PKC 2006, to appear.
  *     http://cr.yp.to/papers.html#curve25519. Date: 2006.02.09.
  *
  * [2] D. J. Bernstein. Can we avoid tests for zero in fast
@@ -45,7 +45,7 @@
  * IMPLEMENTATION NOTE
  *
  * (0) We assume that the processor has no cache, nor branch target
- *     prediction.  Thus, we don't avoid indexing by secret value. 
+ *     prediction.  Thus, we don't avoid indexing by secret value.
  *     We don't avoid conditional jump if both cases have same timing,
  *     either.
  *
@@ -58,6 +58,9 @@
  *
  */
 
+#ifndef BN256_C_IMPLEMENTATION
+#define ASM_IMPLEMENTATION 1
+#endif
 /*
  *
  * 121665 = 0x1db41
@@ -66,22 +69,32 @@
 static void
 mod25638_mul_121665 (bn256 *x, const bn256 *a)
 {
+#if ASM_IMPLEMENTATION
+#include "muladd_256.h"
+  const uint32_t *s;
+  uint32_t *d;
+  uint32_t w;
   uint32_t c;
+
+  s = a->word;
+  d = x->word;
+  memset (d, 0, sizeof (bn256));
+  w = 121665;
+  MULADD_256_ASM (s, d, w, c);
+#else
+  uint32_t c, c1;
   bn256 m[1];
 
-  c = 0;
-  memcpy (x, a, sizeof (bn256));                           /* X = A        */
-  c += bn256_shift (m, a, 6);   c += bn256_add (x, x, m);  /* X += A << 6  */
-  c += bn256_shift (m, a, 8);   c += bn256_add (x, x, m);  /* X += A << 8  */
-  c += bn256_shift (m, a, 9);   c += bn256_add (x, x, m);  /* X += A << 9  */
-  c += bn256_shift (m, a, 11);  c += bn256_add (x, x, m);  /* X += A << 11 */
-  c += bn256_shift (m, a, 12);  c += bn256_add (x, x, m);  /* X += A << 12 */
-  c += bn256_shift (m, a, 14);  c += bn256_add (x, x, m);  /* X += A << 14 */
-  c += bn256_shift (m, a, 15);  c += bn256_add (x, x, m);  /* X += A << 15 */
-  c += bn256_shift (m, a, 16);  c += bn256_add (x, x, m);  /* X += A << 16 */
-
-  c *= 38;
-  c = bn256_add_uint (x, x, c);
+  c = c1 = bn256_shift (m, a, 6); c += bn256_add (x, a, m);
+  c1 <<= 2; c1 |= bn256_shift (m, m, 2); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 1; c1 |= bn256_shift (m, m, 1); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 2; c1 |= bn256_shift (m, m, 2); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 1; c1 |= bn256_shift (m, m, 1); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 2; c1 |= bn256_shift (m, m, 2); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 1; c1 |= bn256_shift (m, m, 1); c = c + c1 + bn256_add (x, x, m);
+  c1 <<= 1; c1 |= bn256_shift (m, m, 1); c = c + c1 + bn256_add (x, x, m);
+#endif
+  c = bn256_add_uint (x, x, c*38);
   x->word[0] += c * 38;
 }
 
@@ -131,7 +144,7 @@ mont_d_and_a (pt *prd, pt *sum, pt *q0, pt *q1, const bn256 *dif_x)
  * @param Q_X	x-coordinate of Q
  *
  */
-void
+static void
 compute_nQ (bn256 *res, const bn256 *n, const bn256 *q_x)
 {
   int i, j;
@@ -173,7 +186,41 @@ compute_nQ (bn256 *res, const bn256 *n, const bn256 *q_x)
     }
 
   /* We know the LSB of N is always 0.  Thus, result is always in P0.  */
+  /*
+   * p0->z may be zero here, but our mod_inv doesn't raise error for 0,
+   * but returns 0 (like the implementation of z^(p-2)), thus, RES will
+   * be 0 in that case, which is correct value.
+   */
   mod_inv (res, p0->z, p25519);
   mod25638_mul (res, res, p0->x);
   mod25519_reduce (res);
 }
+
+
+void
+ecdh_compute_public_25519 (const uint8_t *key_data, uint8_t *pubkey)
+{
+  bn256 gx[1];
+  bn256 k[1];
+
+  memset (gx, 0, sizeof (bn256));
+  gx[0].word[0] = 9;			/* Gx = 9 */
+  memcpy (k, key_data, sizeof (bn256));
+
+  compute_nQ ((bn256 *)pubkey, k, gx);
+}
+
+int
+ecdh_decrypt_curve25519 (const uint8_t *input, uint8_t *output,
+			 const uint8_t *key_data)
+{
+  bn256 q_x[1];
+  bn256 k[1];
+  bn256 shared[1];
+
+  memcpy (q_x, input, sizeof (bn256));
+  memcpy (k, key_data, sizeof (bn256));
+  compute_nQ (shared, k, q_x);
+  memcpy (output, shared, sizeof (bn256));
+  return 0;
+}

src/ecc.c

@@ -1,7 +1,8 @@
 /*                                                    -*- coding: utf-8 -*-
  * ecc.c - Elliptic curve over GF(prime)
  *
- * Copyright (C) 2011, 2013, 2014 Free Software Initiative of Japan
+ * Copyright (C) 2011, 2013, 2014, 2015
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -33,7 +34,7 @@
  *     Pages 250-265, Springer-Verlag London, UK, 2001
  *     ISBN:3-540-41898-9
  *
- * [3] Mustapha Hedabou, Pierre Pinel, Lucien Bénéteau, 
+ * [3] Mustapha Hedabou, Pierre Pinel, Lucien Bénéteau,
  *     A comb method to render ECC resistant against Side Channel Attacks,
  *     2004
  */
@@ -169,7 +170,7 @@ point_is_on_the_curve (const ac *P)
   MFNC(sqr) (s, P->x);
   MFNC(mul) (s, s, P->x);
 
-#ifdef COEFFICIENT_A_IS_ZERO
+#ifndef COEFFICIENT_A_IS_ZERO
   MFNC(mul) (t, coefficient_a, P->x);
   MFNC(add) (s, s, t);
 #endif
@@ -311,7 +312,7 @@ FUNC(compute_kP) (ac *X, const bn256 *K, const ac *P)
     }
 
   dst = k_is_even ? Q : tmp;
-  FUNC(jpc_add_ac) (dst, Q, &precomputed_KG[0]);
+  FUNC(jpc_add_ac) (dst, Q, P);
 
   return FUNC(jpc_to_ac) (X, Q);
 }
@@ -366,3 +367,32 @@ FUNC(ecdsa) (bn256 *r, bn256 *s, const bn256 *z, const bn256 *d)
 #undef tmp_k
 #undef borrow
 }
+
+
+/**
+ * @brief Check if a secret d0 is valid or not
+ *
+ * @param D0	scalar D0: secret
+ * @param D1	scalar D1: secret candidate N-D0
+ *
+ * Return 0 on error.
+ * Return -1 when D1 should be used as the secret
+ * Return 1 when D0 should be used as the secret
+ */
+int
+FUNC(check_secret) (const bn256 *d0, bn256 *d1)
+{
+  ac Q0[1], Q1[1];
+
+  if (bn256_is_zero (d0) || bn256_sub (d1, N, d0) != 0)
+    /* == 0 or >= N, it's not valid.  */
+    return 0;
+
+  FUNC(compute_kG) (Q0, d0);
+  FUNC(compute_kG) (Q1, d1);
+
+  /*
+   * Jivsov compliant key check
+   */
+  return bn256_cmp (Q1[0].y, Q0[0].y);
+}

src/flash.c

@@ -1,7 +1,7 @@
 /*
  * flash.c -- Data Objects (DO) and GPG Key handling on Flash ROM
  *
- * Copyright (C) 2010, 2011, 2012, 2013
+ * Copyright (C) 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018
  *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
@@ -35,7 +35,6 @@
 
 #include "config.h"
 
-#include "board.h"
 #include "sys.h"
 #include "gnuk.h"
 
@@ -54,87 +53,161 @@
  *         <alignment to page>
  * ch_certificate_startp
  *         <2048 bytes>
+ * _keystore_pool
+ *         Three flash pages for keystore
+ *         a page contains a key data of:
+ *              For RSA-2048: 512-byte (p, q and N)
+ *              For RSA-4096: 1024-byte (p, q and N)
+ *              For ECDSA/ECDH and EdDSA, there are padding after public key
  * _data_pool
  *	   <two pages>
- * _keystore_pool
- *         three flash pages for keystore (single: 512-byte (p, q and N))
  */
-#define KEY_SIZE	512	/* P, Q and N */
 
 #define FLASH_DATA_POOL_HEADER_SIZE	2
-#define FLASH_DATA_POOL_SIZE		(FLASH_PAGE_SIZE*2)
+#define FLASH_DATA_POOL_SIZE		(flash_page_size*2)
 
+static uint16_t flash_page_size;
 static const uint8_t *data_pool;
-extern uint8_t _keystore_pool;
-
 static uint8_t *last_p;
 
 /* The first halfword is generation for the data page (little endian) */
-const uint8_t const flash_data[4] __attribute__ ((section (".gnuk_data"))) = {
-  0x01, 0x00, 0xff, 0xff
+const uint8_t flash_data[4] __attribute__ ((section (".gnuk_data"))) = {
+  0x00, 0x00, 0xff, 0xff
 };
 
-/* Linker set this symbol */
-extern uint8_t _data_pool;
+#ifdef GNU_LINUX_EMULATION
+extern uint8_t *flash_addr_key_storage_start;
+extern uint8_t *flash_addr_data_storage_start;
+#define FLASH_ADDR_KEY_STORAGE_START  flash_addr_key_storage_start
+#define FLASH_ADDR_DATA_STORAGE_START flash_addr_data_storage_start
+#else
+/* Linker sets these symbols */
+extern uint8_t _keystore_pool[];
+extern uint8_t _data_pool[];
+#define FLASH_ADDR_KEY_STORAGE_START  ((_keystore_pool))
+#define FLASH_ADDR_DATA_STORAGE_START ((_data_pool))
+#endif
 
-static int key_available_at (uint8_t *k)
+static int key_available_at (const uint8_t *k, int key_size)
 {
   int i;
 
-  for (i = 0; i < KEY_SIZE; i++)
+  for (i = 0; i < key_size; i++)
     if (k[i])
       break;
-  if (i == KEY_SIZE)	/* It's ZERO.  Released key.  */
+  if (i == key_size)	/* It's ZERO.  Released key.  */
     return 0;
 
-  for (i = 0; i < KEY_SIZE; i++)
+  for (i = 0; i < key_size; i++)
     if (k[i] != 0xff)
       break;
-  if (i == KEY_SIZE)	/* It's FULL.  Unused key.  */
+  if (i == key_size)	/* It's FULL.  Unused key.  */
     return 0;
 
   return 1;
 }
 
-const uint8_t *
-flash_init (void)
+
+#define CHIP_ID_REG      ((uint32_t *)0xe0042000)
+void
+flash_do_storage_init (const uint8_t **p_do_start, const uint8_t **p_do_end)
 {
   uint16_t gen0, gen1;
-  uint16_t *gen0_p = (uint16_t *)&_data_pool;
-  uint16_t *gen1_p = (uint16_t *)(&_data_pool + FLASH_PAGE_SIZE);
-  uint8_t *p;
-  int i; 
+  uint16_t *gen0_p = (uint16_t *)FLASH_ADDR_DATA_STORAGE_START;
+  uint16_t *gen1_p;
+
+  flash_page_size = 1024;
+#if !defined (GNU_LINUX_EMULATION)
+  if (((*CHIP_ID_REG) & 0xfff) == 0x0414)
+    flash_page_size = 2048;
+#endif
+
+  gen1_p = (uint16_t *)(FLASH_ADDR_DATA_STORAGE_START + flash_page_size);
+  data_pool = FLASH_ADDR_DATA_STORAGE_START;
 
   /* Check data pool generation and choose the page */
   gen0 = *gen0_p;
   gen1 = *gen1_p;
+
+  if (gen0 == 0xffff && gen1 == 0xffff)
+    {
+      /* It's terminated.  */
+      *p_do_start = *p_do_end = NULL;
+      return;
+    }
+
   if (gen0 == 0xffff)
-    data_pool = &_data_pool + FLASH_PAGE_SIZE;
+    /* Use another page if a page is erased.  */
+    data_pool = FLASH_ADDR_DATA_STORAGE_START + flash_page_size;
   else if (gen1 == 0xffff)
-    data_pool = &_data_pool;
-  else if (gen1 > gen0)
-    data_pool = &_data_pool + FLASH_PAGE_SIZE;
-  else
-    data_pool = &_data_pool;
+    /* Or use different page if another page is erased.  */
+    data_pool = FLASH_ADDR_DATA_STORAGE_START;
+  else if ((gen0 == 0xfffe && gen1 == 0) || gen1 > gen0)
+    /* When both pages have valid header, use newer page.   */
+    data_pool = FLASH_ADDR_DATA_STORAGE_START + flash_page_size;
+
+  *p_do_start = data_pool + FLASH_DATA_POOL_HEADER_SIZE;
+  *p_do_end = data_pool + flash_page_size;
+}
+
+static uint8_t *flash_key_getpage (enum kind_of_key kk);
+
+void
+flash_terminate (void)
+{
+  int i;
+
+#ifdef FLASH_UPGRADE_SUPPORT
+  const uint8_t *p;
+
+  p = gpg_get_firmware_update_key (0);
+  flash_erase_page ((uintptr_t)p);
+#endif
+  for (i = 0; i < 3; i++)
+    flash_erase_page ((uintptr_t)flash_key_getpage (i));
+  flash_erase_page ((uintptr_t)FLASH_ADDR_DATA_STORAGE_START);
+  flash_erase_page ((uintptr_t)(FLASH_ADDR_DATA_STORAGE_START + flash_page_size));
+  data_pool = FLASH_ADDR_DATA_STORAGE_START;
+  last_p = FLASH_ADDR_DATA_STORAGE_START + FLASH_DATA_POOL_HEADER_SIZE;
+#if defined(CERTDO_SUPPORT)
+  flash_erase_page ((uintptr_t)&ch_certificate_start);
+  if (FLASH_CH_CERTIFICATE_SIZE > flash_page_size)
+    flash_erase_page ((uintptr_t)(&ch_certificate_start + flash_page_size));
+#endif
+}
+
+void
+flash_activate (void)
+{
+  flash_program_halfword ((uintptr_t)FLASH_ADDR_DATA_STORAGE_START, 0);
+}
+
+
+void
+flash_key_storage_init (void)
+{
+  const uint8_t *p;
+  int i;
 
   /* For each key, find its address.  */
-  p = &_keystore_pool;
+  p = FLASH_ADDR_KEY_STORAGE_START;
   for (i = 0; i < 3; i++)
     {
-      uint8_t *k;
+      const uint8_t *k;
+      int key_size = gpg_get_algo_attr_key_size (i, GPG_KEY_STORAGE);
 
-      kd[i].key_addr = NULL;
-      for (k = p; k < p + FLASH_PAGE_SIZE; k += KEY_SIZE)
-	if (key_available_at (k))
+      kd[i].pubkey = NULL;
+      for (k = p; k < p + flash_page_size; k += key_size)
+	if (key_available_at (k, key_size))
 	  {
-	    kd[i].key_addr = k;
+	    int prv_len = gpg_get_algo_attr_key_size (i, GPG_KEY_PRIVATE);
+
+	    kd[i].pubkey = k + prv_len;
 	    break;
 	  }
 
-      p += FLASH_PAGE_SIZE;
+      p += flash_page_size;
     }
-
-  return data_pool + FLASH_DATA_POOL_HEADER_SIZE;
 }
 
 /*
@@ -151,6 +224,7 @@ flash_init (void)
  *     123-counter
  *     14-bit counter
  *     bool object
+ *     small enum
  *
  * Format of a Data Object:
  *    NR:   8-bit tag_number
@@ -174,29 +248,33 @@ flash_copying_gc (void)
   uint8_t *src, *dst;
   uint16_t generation;
 
-  if (data_pool == &_data_pool)
+  if (data_pool == FLASH_ADDR_DATA_STORAGE_START)
     {
-      src = &_data_pool;
-      dst = &_data_pool + FLASH_PAGE_SIZE;
+      src = FLASH_ADDR_DATA_STORAGE_START;
+      dst = FLASH_ADDR_DATA_STORAGE_START + flash_page_size;
     }
   else
     {
-      src = &_data_pool + FLASH_PAGE_SIZE;
-      dst = &_data_pool;
+      src = FLASH_ADDR_DATA_STORAGE_START + flash_page_size;
+      dst = FLASH_ADDR_DATA_STORAGE_START;
     }
 
   generation = *(uint16_t *)src;
   data_pool = dst;
   gpg_data_copy (data_pool + FLASH_DATA_POOL_HEADER_SIZE);
-  flash_erase_page ((uint32_t)src);
-  flash_program_halfword ((uint32_t)dst, generation+1);
+  if (generation == 0xfffe)
+    generation = 0;
+  else
+    generation++;
+  flash_program_halfword ((uintptr_t)dst, generation);
+  flash_erase_page ((uintptr_t)src);
   return 0;
 }
 
 static int
 is_data_pool_full (size_t size)
 {
-  return last_p + size > data_pool + FLASH_PAGE_SIZE;
+  return last_p + size > data_pool + flash_page_size;
 }
 
 static uint8_t *
@@ -219,10 +297,10 @@ void
 flash_do_write_internal (const uint8_t *p, int nr, const uint8_t *data, int len)
 {
   uint16_t hw;
-  uint32_t addr;
+  uintptr_t addr;
   int i;
 
-  addr = (uint32_t)p;
+  addr = (uintptr_t)p;
   hw = nr | (len << 8);
   if (flash_program_halfword (addr, hw) != 0)
     flash_warning ("DO WRITE ERROR");
@@ -275,13 +353,14 @@ flash_warning (const char *msg)
 void
 flash_do_release (const uint8_t *do_data)
 {
-  uint32_t addr = (uint32_t)do_data - 1;
-  uint32_t addr_tag = addr;
+  uintptr_t addr = (uintptr_t)do_data - 1;
+  uintptr_t addr_tag = addr;
   int i;
   int len = do_data[0];
 
   /* Don't filling zero for data in code (such as ds_count_initial_value) */
-  if (do_data < &_data_pool || do_data > &_data_pool + FLASH_DATA_POOL_SIZE)
+  if (do_data < FLASH_ADDR_DATA_STORAGE_START
+      || do_data > FLASH_ADDR_DATA_STORAGE_START + FLASH_DATA_POOL_SIZE)
     return;
 
   addr += 2;
@@ -306,25 +385,30 @@ flash_do_release (const uint8_t *do_data)
 }
 
 
+static uint8_t *
+flash_key_getpage (enum kind_of_key kk)
+{
+  /* There is a page for each KK.  */
+  return FLASH_ADDR_KEY_STORAGE_START + (flash_page_size * kk);
+}
+
 uint8_t *
 flash_key_alloc (enum kind_of_key kk)
 {
-  uint8_t *k0, *k;
-  int i; 
-
-  /* There is a page for each KK.  */
-  k0 = &_keystore_pool + (FLASH_PAGE_SIZE * kk);
+  uint8_t *k, *k0 = flash_key_getpage (kk);
+  int i;
+  int key_size = gpg_get_algo_attr_key_size (kk, GPG_KEY_STORAGE);
 
   /* Seek free space in the page.  */
-  for (k = k0; k < k0 + FLASH_PAGE_SIZE; k += KEY_SIZE)
+  for (k = k0; k < k0 + flash_page_size; k += key_size)
     {
       const uint32_t *p = (const uint32_t *)k;
 
-      for (i = 0; i < KEY_SIZE/4; i++)
+      for (i = 0; i < key_size/4; i++)
 	if (p[i] != 0xffffffff)
 	  break;
 
-      if (i == KEY_SIZE/4)	/* Yes, it's empty.  */
+      if (i == key_size/4)	/* Yes, it's empty.  */
 	return k;
     }
 
@@ -334,15 +418,16 @@ flash_key_alloc (enum kind_of_key kk)
 }
 
 int
-flash_key_write (uint8_t *key_addr, const uint8_t *key_data,
+flash_key_write (uint8_t *key_addr,
+		 const uint8_t *key_data, int key_data_len,
 		 const uint8_t *pubkey, int pubkey_len)
 {
   uint16_t hw;
-  uint32_t addr;
+  uintptr_t addr;
   int i;
 
-  addr = (uint32_t)key_addr;
-  for (i = 0; i < KEY_CONTENT_LEN/2; i ++)
+  addr = (uintptr_t)key_addr;
+  for (i = 0; i < key_data_len/2; i ++)
     {
       hw = key_data[i*2] | (key_data[i*2+1]<<8);
       if (flash_program_halfword (addr, hw) != 0)
@@ -362,14 +447,14 @@ flash_key_write (uint8_t *key_addr, const uint8_t *key_data,
 }
 
 static int
-flash_check_all_other_keys_released (const uint8_t *key_addr)
+flash_check_all_other_keys_released (const uint8_t *key_addr, int key_size)
 {
-  uint32_t start = (uint32_t)key_addr & ~(FLASH_PAGE_SIZE - 1);
+  uintptr_t start = (uintptr_t)key_addr & ~(flash_page_size - 1);
   const uint32_t *p = (const uint32_t *)start;
 
-  while (p < (const uint32_t *)(start + FLASH_PAGE_SIZE))
+  while (p < (const uint32_t *)(start + flash_page_size))
     if (p == (const uint32_t *)key_addr)
-      p += KEY_SIZE/4;
+      p += key_size/4;
     else
       if (*p)
 	return 0;
@@ -380,27 +465,33 @@ flash_check_all_other_keys_released (const uint8_t *key_addr)
 }
 
 static void
-flash_key_fill_zero_as_released (uint8_t *key_addr)
+flash_key_fill_zero_as_released (uint8_t *key_addr, int key_size)
 {
   int i;
-  uint32_t addr = (uint32_t)key_addr;
+  uintptr_t addr = (uintptr_t)key_addr;
 
-  for (i = 0; i < KEY_SIZE/2; i++)
+  for (i = 0; i < key_size/2; i++)
     flash_program_halfword (addr + i*2, 0);
 }
 
 void
-flash_key_release (uint8_t *key_addr)
+flash_key_release (uint8_t *key_addr, int key_size)
 {
-  if (flash_check_all_other_keys_released (key_addr))
-    flash_erase_page (((uint32_t)key_addr & ~(FLASH_PAGE_SIZE - 1)));
+  if (flash_check_all_other_keys_released (key_addr, key_size))
+    flash_erase_page (((uintptr_t)key_addr & ~(flash_page_size - 1)));
   else
-    flash_key_fill_zero_as_released (key_addr);
+    flash_key_fill_zero_as_released (key_addr, key_size);
+}
+
+void
+flash_key_release_page (enum kind_of_key kk)
+{
+  flash_erase_page ((uintptr_t)flash_key_getpage (kk));
 }
 
 
 void
-flash_clear_halfword (uint32_t addr)
+flash_clear_halfword (uintptr_t addr)
 {
   flash_program_halfword (addr, 0);
 }
@@ -409,7 +500,7 @@ flash_clear_halfword (uint32_t addr)
 void
 flash_put_data_internal (const uint8_t *p, uint16_t hw)
 {
-  flash_program_halfword ((uint32_t)p, hw);
+  flash_program_halfword ((uintptr_t)p, hw);
 }
 
 void
@@ -423,7 +514,7 @@ flash_put_data (uint16_t hw)
       DEBUG_INFO ("data allocation failure.\r\n");
     }
 
-  flash_program_halfword ((uint32_t)p, hw);
+  flash_program_halfword ((uintptr_t)p, hw);
 }
 
 
@@ -435,14 +526,14 @@ flash_bool_clear (const uint8_t **addr_p)
   if ((p = *addr_p) == NULL)
     return;
 
-  flash_program_halfword ((uint32_t)p, 0);
+  flash_program_halfword ((uintptr_t)p, 0);
   *addr_p = NULL;
 }
 
 void
 flash_bool_write_internal (const uint8_t *p, int nr)
 {
-  flash_program_halfword ((uint32_t)p, nr);
+  flash_program_halfword ((uintptr_t)p, nr);
 }
 
 const uint8_t *
@@ -458,7 +549,39 @@ flash_bool_write (uint8_t nr)
       return NULL;
     }
 
-  flash_program_halfword ((uint32_t)p, hw);
+  flash_program_halfword ((uintptr_t)p, hw);
+  return p;
+}
+
+
+void
+flash_enum_clear (const uint8_t **addr_p)
+{
+  flash_bool_clear (addr_p);
+}
+
+void
+flash_enum_write_internal (const uint8_t *p, int nr, uint8_t v)
+{
+  uint16_t hw = nr | (v << 8);
+
+  flash_program_halfword ((uintptr_t)p, hw);
+}
+
+const uint8_t *
+flash_enum_write (uint8_t nr, uint8_t v)
+{
+  uint8_t *p;
+  uint16_t hw = nr | (v << 8);
+
+  p = flash_data_pool_allocate (2);
+  if (p == NULL)
+    {
+      DEBUG_INFO ("enum allocation failure.\r\n");
+      return NULL;
+    }
+
+  flash_program_halfword ((uintptr_t)p, hw);
   return p;
 }
 
@@ -494,14 +617,14 @@ flash_cnt123_write_internal (const uint8_t *p, int which, int v)
   uint16_t hw;
 
   hw = NR_COUNTER_123 | (which << 8);
-  flash_program_halfword ((uint32_t)p, hw);
+  flash_program_halfword ((uintptr_t)p, hw);
 
   if (v == 1)
     return;
   else if (v == 2)
-    flash_program_halfword ((uint32_t)p+2, 0xc3c3);
+    flash_program_halfword ((uintptr_t)p+2, 0xc3c3);
   else				/* v == 3 */
-    flash_program_halfword ((uint32_t)p+2, 0);
+    flash_program_halfword ((uintptr_t)p+2, 0);
 }
 
 void
@@ -519,7 +642,7 @@ flash_cnt123_increment (uint8_t which, const uint8_t **addr_p)
 	  return;
 	}
       hw = NR_COUNTER_123 | (which << 8);
-      flash_program_halfword ((uint32_t)p, hw);
+      flash_program_halfword ((uintptr_t)p, hw);
       *addr_p = p + 2;
     }
   else
@@ -534,7 +657,7 @@ flash_cnt123_increment (uint8_t which, const uint8_t **addr_p)
       else
 	hw = 0;
 
-      flash_program_halfword ((uint32_t)p, hw);
+      flash_program_halfword ((uintptr_t)p, hw);
     }
 }
 
@@ -546,9 +669,9 @@ flash_cnt123_clear (const uint8_t **addr_p)
   if ((p = *addr_p) == NULL)
     return;
 
-  flash_program_halfword ((uint32_t)p, 0);
+  flash_program_halfword ((uintptr_t)p, 0);
   p -= 2;
-  flash_program_halfword ((uint32_t)p, 0);
+  flash_program_halfword ((uintptr_t)p, 0);
   *addr_p = NULL;
 }
 
@@ -562,10 +685,9 @@ flash_erase_binary (uint8_t file_id)
       const uint8_t *p = &ch_certificate_start;
       if (flash_check_blank (p, FLASH_CH_CERTIFICATE_SIZE) == 0)
 	{
-	  flash_erase_page ((uint32_t)p);
-#if FLASH_CH_CERTIFICATE_SIZE > FLASH_PAGE_SIZE
-	  flash_erase_page ((uint32_t)p + FLASH_PAGE_SIZE);
-#endif
+	  flash_erase_page ((uintptr_t)p);
+	  if (FLASH_CH_CERTIFICATE_SIZE > flash_page_size)
+	    flash_erase_page ((uintptr_t)p + flash_page_size);
 	}
 
       return 0;
@@ -588,17 +710,19 @@ flash_write_binary (uint8_t file_id, const uint8_t *data,
       maxsize = 6;
       p = &openpgpcard_aid[8];
     }
+#ifdef FLASH_UPGRADE_SUPPORT
   else if (file_id >= FILEID_UPDATE_KEY_0 && file_id <= FILEID_UPDATE_KEY_3)
     {
-      maxsize = KEY_CONTENT_LEN;
+      maxsize = FIRMWARE_UPDATE_KEY_CONTENT_LEN;
       p = gpg_get_firmware_update_key (file_id - FILEID_UPDATE_KEY_0);
       if (len == 0 && offset == 0)
 	{ /* This means removal of update key.  */
-	  if (flash_program_halfword ((uint32_t)p, 0) != 0)
+	  if (flash_program_halfword ((uintptr_t)p, 0) != 0)
 	    flash_warning ("DO WRITE ERROR");
 	  return 0;
 	}
     }
+#endif
 #if defined(CERTDO_SUPPORT)
   else if (file_id == FILEID_CH_CERTIFICATE)
     {
@@ -614,13 +738,13 @@ flash_write_binary (uint8_t file_id, const uint8_t *data,
   else
     {
       uint16_t hw;
-      uint32_t addr;
+      uintptr_t addr;
       int i;
 
       if (flash_check_blank (p + offset, len)  == 0)
 	return -1;
 
-      addr = (uint32_t)p + offset;
+      addr = (uintptr_t)p + offset;
       for (i = 0; i < len/2; i++)
 	{
 	  hw = data[i*2] | (data[i*2+1]<<8);

src/gnuk-malloc.h

@@ -0,0 +1,16 @@
+/*
+ * Gnuk uses its own malloc functions.
+ *
+ * The intention is no-dependency to C library.  But, we provide
+ * malloc and free here, since RSA routines uses malloc/free
+ * internally.
+ *
+ */
+
+#include <stddef.h> /* NULL and size_t */
+
+#define malloc(size)	gnuk_malloc (size)
+#define free(p)		gnuk_free (p)
+
+void *gnuk_malloc (size_t);
+void gnuk_free (void *);

src/gnuk.h

@@ -12,8 +12,8 @@ struct apdu {
 
   /* response APDU */
   uint16_t sw;
-  uint8_t *res_apdu_data;
   uint16_t res_apdu_data_len;
+  uint8_t *res_apdu_data;
 };
 
 extern struct apdu apdu;
@@ -24,24 +24,25 @@ extern struct apdu apdu;
 void ccid_card_change_signal (int how);
 
 /* CCID thread */
-#define EV_RX_DATA_READY (1) /* USB Rx data available  */
-#define EV_EXEC_FINISHED (2) /* OpenPGP Execution finished */
-#define EV_TX_FINISHED   (4) /* CCID Tx finished  */
-#define EV_CARD_CHANGE   (8)
+#define EV_CARD_CHANGE        1
+#define EV_TX_FINISHED        2 /* CCID Tx finished  */
+#define EV_EXEC_ACK_REQUIRED  4 /* OpenPGPcard Execution ACK required */
+#define EV_EXEC_FINISHED      8 /* OpenPGPcard Execution finished */
+#define EV_RX_DATA_READY     16 /* USB Rx data available  */
 
 /* OpenPGPcard thread */
-#define EV_PINPAD_INPUT_DONE    (1)
-#define EV_EXIT                 (2)
-#define EV_CMD_AVAILABLE        (4)
-#define EV_VERIFY_CMD_AVAILABLE (8)
-#define EV_MODIFY_CMD_AVAILABLE (16)
+#define EV_MODIFY_CMD_AVAILABLE   1
+#define EV_VERIFY_CMD_AVAILABLE   2
+#define EV_CMD_AVAILABLE          4
+#define EV_EXIT                   8
+#define EV_PINPAD_INPUT_DONE     16
 
-/* Maximum cmd apdu data is key import 22+4+128+128 (proc_key_import) */
-#define MAX_CMD_APDU_DATA_SIZE (22+4+128+128) /* without header */
-/* Maximum res apdu data is public key 5+9+256 (gpg_do_public_key) */
-#define MAX_RES_APDU_DATA_SIZE (5+9+256) /* without trailer */
+/* Maximum cmd apdu data is key import 24+4+256+256 (proc_key_import) */
+#define MAX_CMD_APDU_DATA_SIZE (24+4+256+256) /* without header */
+/* Maximum res apdu data is public key 5+9+512 (gpg_do_public_key) */
+#define MAX_RES_APDU_DATA_SIZE (5+9+512) /* without trailer */
 
-#define ICC_MSG_HEADER_SIZE	10
+#define CCID_MSG_HEADER_SIZE	10
 
 #define res_APDU apdu.res_apdu_data
 #define res_APDU_size apdu.res_apdu_data_len
@@ -49,21 +50,21 @@ void ccid_card_change_signal (int how);
 /* USB buffer size of LL (Low-level): size of single Bulk transaction */
 #define USB_LL_BUF_SIZE 64
 
-enum icc_state
-{
-  ICC_STATE_NOCARD,		/* No card available */
-  ICC_STATE_START,		/* Initial */
-  ICC_STATE_WAIT,		/* Waiting APDU */
-				/* Busy1, Busy2, Busy3, Busy5 */
-  ICC_STATE_EXECUTE,		/* Busy4 */
-  ICC_STATE_RECEIVE,		/* APDU Received Partially */
-  ICC_STATE_SEND,		/* APDU Sent Partially */
+enum ccid_state {
+  CCID_STATE_NOCARD,		/* No card available */
+  CCID_STATE_START,		/* Initial */
+  CCID_STATE_WAIT,		/* Waiting APDU */
 
-  ICC_STATE_EXITED,		/* ICC Thread Terminated */
-  ICC_STATE_EXEC_REQUESTED,	/* Exec requested */
+  CCID_STATE_EXECUTE,		/* Executing command */
+  CCID_STATE_ACK_REQUIRED_0,	/* Ack required (executing)*/
+  CCID_STATE_ACK_REQUIRED_1,	/* Waiting user's ACK (execution finished) */
+
+  CCID_STATE_EXITED,		/* CCID Thread Terminated */
+  CCID_STATE_EXEC_REQUESTED,	/* Exec requested */
 };
 
-extern enum icc_state *icc_state_p;
+
+enum ccid_state ccid_get_ccid_state (void);
 
 extern volatile uint8_t auth_status;
 #define AC_NONE_AUTHORIZED	0x00
@@ -76,58 +77,82 @@ extern volatile uint8_t auth_status;
 #define PW_ERR_PW1 0
 #define PW_ERR_RC  1
 #define PW_ERR_PW3 2
-extern int gpg_pw_get_retry_counter (int who);
-extern int gpg_pw_locked (uint8_t which);
-extern void gpg_pw_reset_err_counter (uint8_t which);
-extern void gpg_pw_increment_err_counter (uint8_t which);
+int gpg_pw_get_retry_counter (int who);
+int gpg_pw_locked (uint8_t which);
+void gpg_pw_reset_err_counter (uint8_t which);
+void gpg_pw_increment_err_counter (uint8_t which);
 
-extern int ac_check_status (uint8_t ac_flag);
-extern int verify_pso_cds (const uint8_t *pw, int pw_len);
-extern int verify_other (const uint8_t *pw, int pw_len);
-extern int verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len,
-			  int pw_len_known, const uint8_t *ks_pw1, int saveks);
-extern int verify_admin (const uint8_t *pw, int pw_len);
-extern int verify_admin_0 (const uint8_t *pw, int buf_len, int pw_len_known,
-			   const uint8_t *ks_pw3, int saveks);
+int ac_check_status (uint8_t ac_flag);
+int verify_pso_cds (const uint8_t *pw, int pw_len);
+int verify_other (const uint8_t *pw, int pw_len);
+int verify_user_0 (uint8_t access, const uint8_t *pw, int buf_len,
+		   int pw_len_known, const uint8_t *ks_pw1, int saveks);
+int verify_admin (const uint8_t *pw, int pw_len);
+int verify_admin_0 (const uint8_t *pw, int buf_len, int pw_len_known,
+		    const uint8_t *ks_pw3, int saveks);
 
-extern void ac_reset_pso_cds (void);
-extern void ac_reset_other (void);
-extern void ac_reset_admin (void);
-extern void ac_fini (void);
+void ac_reset_pso_cds (void);
+void ac_reset_other (void);
+void ac_reset_admin (void);
+void ac_fini (void);
 
 
-extern void set_res_sw (uint8_t sw1, uint8_t sw2);
+void set_res_sw (uint8_t sw1, uint8_t sw2);
+extern uint8_t file_selection;
+extern const uint8_t historical_bytes[];
 extern uint16_t data_objects_number_of_bytes;
 
 #define CHALLENGE_LEN	32
 
-extern void gpg_data_scan (const uint8_t *p);
-extern void gpg_data_copy (const uint8_t *p);
-extern void gpg_do_get_data (uint16_t tag, int with_tag);
-extern void gpg_do_put_data (uint16_t tag, const uint8_t *data, int len);
-extern void gpg_do_public_key (uint8_t kk_byte);
-extern void gpg_do_keygen (uint8_t kk_byte);
+void gpg_data_scan (const uint8_t *start, const uint8_t *end);
+void gpg_data_copy (const uint8_t *p);
+void gpg_do_terminate (void);
+void gpg_do_get_data (uint16_t tag, int with_tag);
+void gpg_do_put_data (uint16_t tag, const uint8_t *data, int len);
+void gpg_do_public_key (uint8_t kk_byte);
+void gpg_do_keygen (uint8_t *buf);
 
-extern const uint8_t *gpg_get_firmware_update_key (uint8_t keyno);
+const uint8_t *gpg_get_firmware_update_key (uint8_t keyno);
 
+/* Constants: algo+size */
+#define ALGO_RSA4K      0
+#define ALGO_NISTP256R1 1
+#define ALGO_SECP256K1  2
+#define ALGO_ED25519    3
+#define ALGO_CURVE25519 4
+#define ALGO_RSA2K      255
 
 enum kind_of_key {
   GPG_KEY_FOR_SIGNING = 0,
-  GPG_KEY_FOR_DECRYPTION,
-  GPG_KEY_FOR_AUTHENTICATION,
+  GPG_KEY_FOR_DECRYPTION = 1,
+  GPG_KEY_FOR_AUTHENTICATION = 2,
 };
 
-extern const uint8_t *flash_init (void);
-extern void flash_do_release (const uint8_t *);
-extern const uint8_t *flash_do_write (uint8_t nr, const uint8_t *data, int len);
-extern uint8_t *flash_key_alloc (enum kind_of_key);
-extern void flash_key_release (uint8_t *);
-extern int flash_key_write (uint8_t *key_addr, const uint8_t *key_data,
-			    const uint8_t *pubkey, int pubkey_len);
-extern void flash_set_data_pool_last (const uint8_t *p);
-extern void flash_clear_halfword (uint32_t addr);
-extern void flash_increment_counter (uint8_t counter_tag_nr);
-extern void flash_reset_counter (uint8_t counter_tag_nr);
+enum size_of_key {
+  GPG_KEY_STORAGE = 0,		/* PUBKEY + PRVKEY rounded to 2^N */
+  GPG_KEY_PUBLIC,
+  GPG_KEY_PRIVATE,
+};
+
+int gpg_get_algo_attr (enum kind_of_key kk);
+int gpg_get_algo_attr_key_size (enum kind_of_key kk, enum size_of_key s);
+
+void flash_do_storage_init (const uint8_t **, const uint8_t **);
+void flash_terminate (void);
+void flash_activate (void);
+void flash_key_storage_init (void);
+void flash_do_release (const uint8_t *);
+const uint8_t *flash_do_write (uint8_t nr, const uint8_t *data, int len);
+uint8_t *flash_key_alloc (enum kind_of_key);
+void flash_key_release (uint8_t *, int);
+void flash_key_release_page (enum kind_of_key);
+int flash_key_write (uint8_t *key_addr,
+		     const uint8_t *key_data, int key_data_len,
+		     const uint8_t *pubkey, int pubkey_len);
+void flash_set_data_pool_last (const uint8_t *p);
+void flash_clear_halfword (uintptr_t addr);
+void flash_increment_counter (uint8_t counter_tag_nr);
+void flash_reset_counter (uint8_t counter_tag_nr);
 
 #define FILEID_SERIAL_NO	0
 #define FILEID_UPDATE_KEY_0	1
@@ -135,30 +160,25 @@ extern void flash_reset_counter (uint8_t counter_tag_nr);
 #define FILEID_UPDATE_KEY_2	3
 #define FILEID_UPDATE_KEY_3	4
 #define FILEID_CH_CERTIFICATE	5
-extern int flash_erase_binary (uint8_t file_id);
-extern int flash_write_binary (uint8_t file_id, const uint8_t *data, uint16_t len, uint16_t offset);
+int flash_erase_binary (uint8_t file_id);
+int flash_write_binary (uint8_t file_id, const uint8_t *data,
+			uint16_t len, uint16_t offset);
 
 #define FLASH_CH_CERTIFICATE_SIZE 2048
 
 /* Linker set these two symbols */
 extern uint8_t ch_certificate_start;
-extern uint8_t random_bits_start;
 
-#define KEY_CONTENT_LEN 256	/* p and q */
+#define FIRMWARE_UPDATE_KEY_CONTENT_LEN 256	/* RSA-2048 (p and q) */
+
 #define INITIAL_VECTOR_SIZE 16
 #define DATA_ENCRYPTION_KEY_SIZE 16
 
-struct key_data {
-  uint8_t *key_addr;		 /* Pointer to encrypted data, and public */
-  uint8_t data[KEY_CONTENT_LEN]; /* decrypted data content */
-};
+#define MAX_PRVKEY_LEN 512	/* Maximum is the case for RSA 4096-bit.  */
 
-struct key_data_internal {
-  uint32_t data[KEY_CONTENT_LEN/4]; /*
-				     * Secret key data.
-				     * RSA: p and q, ECDSA: d, EdDSA: a+seed
-				     */
-  uint32_t checksum[DATA_ENCRYPTION_KEY_SIZE/4];
+struct key_data {
+  const uint8_t *pubkey;	/* Pointer to public key */
+  uint8_t data[MAX_PRVKEY_LEN]; /* decrypted private key data content */
 };
 
 struct prvkey_data {
@@ -204,29 +224,30 @@ void s2k (const unsigned char *salt, size_t slen,
 #define KS_GET_SALT(ks)       (ks + KEYSTRING_PASSLEN_SIZE)
 #define KS_GET_KEYSTRING(ks)  (ks + KS_META_SIZE)
 
-extern void gpg_do_clear_prvkey (enum kind_of_key kk);
-extern int gpg_do_load_prvkey (enum kind_of_key kk, int who, const uint8_t *keystring);
-extern int gpg_do_chks_prvkey (enum kind_of_key kk,
-			       int who_old, const uint8_t *old_ks,
-			       int who_new, const uint8_t *new_ks);
+void gpg_do_clear_prvkey (enum kind_of_key kk);
+int gpg_do_load_prvkey (enum kind_of_key kk, int who, const uint8_t *keystring);
+int gpg_do_chks_prvkey (enum kind_of_key kk,
+			int who_old, const uint8_t *old_ks,
+			int who_new, const uint8_t *new_ks);
 
-extern int gpg_change_keystring (int who_old, const uint8_t *old_ks,
-				 int who_new, const uint8_t *new_ks);
+int gpg_change_keystring (int who_old, const uint8_t *old_ks,
+			  int who_new, const uint8_t *new_ks);
 
 extern struct key_data kd[3];
 
 #ifdef DEBUG
+void stdout_init (void);
 #define DEBUG_MORE 1
 /*
  * Debug functions in debug.c
  */
-extern void put_byte (uint8_t b);
-extern void put_byte_with_no_nl (uint8_t b);
-extern void put_short (uint16_t x);
-extern void put_word (uint32_t x);
-extern void put_int (uint32_t x);
-extern void put_string (const char *s);
-extern void put_binary (const char *s, int len);
+void put_byte (uint8_t b);
+void put_byte_with_no_nl (uint8_t b);
+void put_short (uint16_t x);
+void put_word (uint32_t x);
+void put_int (uint32_t x);
+void put_string (const char *s);
+void put_binary (const char *s, int len);
 
 #define DEBUG_INFO(msg)	    put_string (msg)
 #define DEBUG_WORD(w)	    put_word (w)
@@ -241,41 +262,53 @@ extern void put_binary (const char *s, int len);
 #define DEBUG_BINARY(s,len)
 #endif
 
-extern int rsa_sign (const uint8_t *, uint8_t *, int, struct key_data *);
-extern uint8_t *modulus_calc (const uint8_t *, int);
-extern int rsa_decrypt (const uint8_t *, uint8_t *, int, struct key_data *);
-extern int rsa_verify (const uint8_t *pubkey, const uint8_t *hash,
-		       const uint8_t *signature);
-extern uint8_t *rsa_genkey (void);
+int rsa_sign (const uint8_t *, uint8_t *, int, struct key_data *, int);
+int modulus_calc (const uint8_t *, int, uint8_t *);
+int rsa_decrypt (const uint8_t *, uint8_t *, int, struct key_data *,
+		 unsigned int *);
+int rsa_verify (const uint8_t *, int, const uint8_t *, const uint8_t *);
+int rsa_genkey (int, uint8_t *, uint8_t *);
 
-extern int ecdsa_sign_p256r1 (const uint8_t *hash, uint8_t *output,
-			      const uint8_t *key_data);
-extern uint8_t *ecdsa_compute_public_p256r1 (const uint8_t *key_data);
+int ecdsa_sign_p256r1 (const uint8_t *hash, uint8_t *output,
+		       const uint8_t *key_data);
+int ecc_compute_public_p256r1 (const uint8_t *key_data, uint8_t *);
+int ecc_check_secret_p256r1 (const uint8_t *d0, uint8_t *d1);
+int ecdh_decrypt_p256r1 (const uint8_t *input, uint8_t *output,
+			 const uint8_t *key_data);
 
-extern int ecdsa_sign_p256k1 (const uint8_t *hash, uint8_t *output,
-			      const uint8_t *key_data);
-extern uint8_t *ecdsa_compute_public_p256k1 (const uint8_t *key_data);
+int ecdsa_sign_p256k1 (const uint8_t *hash, uint8_t *output,
+		       const uint8_t *key_data);
+int ecc_compute_public_p256k1 (const uint8_t *key_data, uint8_t *);
+int ecc_check_secret_p256k1 (const uint8_t *d0, uint8_t  *d1);
+int ecdh_decrypt_p256k1 (const uint8_t *input, uint8_t *output,
+			 const uint8_t *key_data);
 
-extern int eddsa_sign_25519 (const uint8_t *input, size_t ilen,
-			     uint32_t *output,
-			     const uint8_t *sk_a, const uint8_t *seed,
-			     const uint8_t *pk);
-extern uint8_t *eddsa_compute_public_25519 (const uint8_t *a);
+int eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint32_t *output,
+		      const uint8_t *sk_a, const uint8_t *seed,
+		      const uint8_t *pk);
+void eddsa_compute_public_25519 (const uint8_t *a, uint8_t *);
+void ecdh_compute_public_25519 (const uint8_t *a, uint8_t *);
+int ecdh_decrypt_curve25519 (const uint8_t *input, uint8_t *output,
+			     const uint8_t *key_data);
 
-extern const uint8_t *gpg_do_read_simple (uint8_t);
-extern void gpg_do_write_simple (uint8_t, const uint8_t *, int);
-extern void gpg_increment_digital_signature_counter (void);
+const uint8_t *gpg_do_read_simple (uint8_t);
+void gpg_do_write_simple (uint8_t, const uint8_t *, int);
+void gpg_increment_digital_signature_counter (void);
+void gpg_do_get_initial_pw_setting (int is_pw3, int *r_len,
+				    const uint8_t **r_p);
+int gpg_do_kdf_check (int len, int how_many);
+int gpg_do_get_uif (enum kind_of_key kk);
 
 
-extern void fatal (uint8_t code) __attribute__ ((noreturn));
+void fatal (uint8_t code) __attribute__ ((noreturn));
 #define FATAL_FLASH  1
 #define FATAL_RANDOM 2
+#define FATAL_HEAP   3
 
 extern uint8_t keystring_md_pw3[KEYSTRING_MD_SIZE];
 extern uint8_t admin_authorized;
 
 /*** Flash memory tag values ***/
-#define NR_NONE			0x00
 /* Data objects */
 /*
  * Representation of data object:
@@ -283,27 +316,27 @@ extern uint8_t admin_authorized;
  *   <-1 halfword-> <--len/2 halfwords->
  *   <-tag-><-len-> <---data content--->
  */
-#define NR_DO__FIRST__		0x01
-#define NR_DO_SEX		0x01
-#define NR_DO_FP_SIG		0x02
-#define NR_DO_FP_DEC		0x03
-#define NR_DO_FP_AUT		0x04
-#define NR_DO_CAFP_1		0x05
-#define NR_DO_CAFP_2		0x06
-#define NR_DO_CAFP_3		0x07
-#define NR_DO_KGTIME_SIG	0x08
-#define NR_DO_KGTIME_DEC	0x09
-#define NR_DO_KGTIME_AUT	0x0a
-#define NR_DO_LOGIN_DATA	0x0b
-#define NR_DO_URL		0x0c
-#define NR_DO_NAME		0x0d
-#define NR_DO_LANGUAGE		0x0e
-#define NR_DO_PRVKEY_SIG	0x0f
-#define NR_DO_PRVKEY_DEC	0x10
-#define NR_DO_PRVKEY_AUT	0x11
-#define NR_DO_KEYSTRING_PW1	0x12
-#define NR_DO_KEYSTRING_RC	0x13
-#define NR_DO_KEYSTRING_PW3	0x14
+#define NR_DO_SEX		0x00
+#define NR_DO_FP_SIG		0x01
+#define NR_DO_FP_DEC		0x02
+#define NR_DO_FP_AUT		0x03
+#define NR_DO_CAFP_1		0x04
+#define NR_DO_CAFP_2		0x05
+#define NR_DO_CAFP_3		0x06
+#define NR_DO_KGTIME_SIG	0x07
+#define NR_DO_KGTIME_DEC	0x08
+#define NR_DO_KGTIME_AUT	0x09
+#define NR_DO_LOGIN_DATA	0x0a
+#define NR_DO_URL		0x0b
+#define NR_DO_NAME		0x0c
+#define NR_DO_LANGUAGE		0x0d
+#define NR_DO_PRVKEY_SIG	0x0e
+#define NR_DO_PRVKEY_DEC	0x0f
+#define NR_DO_PRVKEY_AUT	0x10
+#define NR_DO_KEYSTRING_PW1	0x11
+#define NR_DO_KEYSTRING_RC	0x12
+#define NR_DO_KEYSTRING_PW3	0x13
+#define NR_DO_KDF		0x14
 #define NR_DO__LAST__		21   /* == 0x15 */
 /* 14-bit counter for DS: Recorded in flash memory by 1-halfword (2-byte).  */
 /*
@@ -323,7 +356,10 @@ extern uint8_t admin_authorized;
  *   1023: 0xc3ff
  */
 #define NR_COUNTER_DS_LSB	0xc0 /* ..0xc3 */
-/* 8-bit int or Boolean objects: Recorded in flash memory by 1-halfword (2-byte) */
+/*
+ * Boolean object, small enum, or 8-bit integer:
+ * Recorded in flash memory by 1-halfword (2-byte)
+ */
 /*
  * Representation of Boolean object:
  *   0: No record in flash memory
@@ -331,7 +367,30 @@ extern uint8_t admin_authorized;
  */
 #define NR_BOOL_PW1_LIFETIME	0xf0
 /*
- * NR_BOOL_SOMETHING, NR_UINT_SOMETHING could be here...  Use 0xf?
+ * Representation of algorithm attribute object:
+ *   RSA-2048:       No record in flash memory
+ *   RSA-4096:       0xf?00
+ *   ECC p256r1:     0xf?01
+ *   ECC p256k1:     0xf?02
+ *   ECC Ed25519:    0xf?03
+ *   ECC Curve25519: 0xf?04
+ * where <?> == 1 (signature), 2 (decryption) or 3 (authentication)
+ */
+#define NR_KEY_ALGO_ATTR_SIG	0xf1
+#define NR_KEY_ALGO_ATTR_DEC	0xf2
+#define NR_KEY_ALGO_ATTR_AUT	0xf3
+/*
+ * Representation of User Interaction Flag:
+ *  0 (UIF disabled):            0xf?00 or No record in flash memory
+ *  1 (UIF enabled):             0xf?01
+ *  2 (UIF permanently enabled): 0xf?02
+ *
+ */
+#define NR_DO_UIF_SIG		0xf6
+#define NR_DO_UIF_DEC		0xf7
+#define NR_DO_UIF_AUT		0xf8
+/*
+ * NR_UINT_SOMETHING could be here...  Use 0xf[459abcd]
  */
 /* 123-counters: Recorded in flash memory by 2-halfword (4-byte).  */
 /*
@@ -360,41 +419,49 @@ extern uint8_t admin_authorized;
 
 extern const uint8_t openpgpcard_aid[14];
 
-extern void flash_bool_clear (const uint8_t **addr_p);
-extern const uint8_t *flash_bool_write (uint8_t nr);
-extern int flash_cnt123_get_value (const uint8_t *p);
-extern void flash_cnt123_increment (uint8_t which, const uint8_t **addr_p);
-extern void flash_cnt123_clear (const uint8_t **addr_p);
-extern void flash_put_data (uint16_t hw);
-extern void flash_warning (const char *msg);
+void flash_bool_clear (const uint8_t **addr_p);
+const uint8_t *flash_bool_write (uint8_t nr);
+void flash_enum_clear (const uint8_t **addr_p);
+const uint8_t *flash_enum_write (uint8_t nr, uint8_t v);
+int flash_cnt123_get_value (const uint8_t *p);
+void flash_cnt123_increment (uint8_t which, const uint8_t **addr_p);
+void flash_cnt123_clear (const uint8_t **addr_p);
+void flash_put_data (uint16_t hw);
+void flash_warning (const char *msg);
 
-extern void flash_put_data_internal (const uint8_t *p, uint16_t hw);
-extern void flash_bool_write_internal (const uint8_t *p, int nr);
-extern void flash_cnt123_write_internal (const uint8_t *p, int which, int v);
-extern void flash_do_write_internal (const uint8_t *p, int nr, const uint8_t *data, int len);
+void flash_put_data_internal (const uint8_t *p, uint16_t hw);
+void flash_bool_write_internal (const uint8_t *p, int nr);
+void flash_enum_write_internal (const uint8_t *p, int nr, uint8_t v);
+void flash_cnt123_write_internal (const uint8_t *p, int which, int v);
+void flash_do_write_internal (const uint8_t *p, int nr,
+			      const uint8_t *data, int len);
 
-extern const uint8_t gnukStringSerial[];
+extern const uint8_t gnuk_string_serial[];
 
-#define LED_ONESHOT		(1)
-#define LED_TWOSHOTS		(2)
-#define LED_SHOW_STATUS		(4)
-#define LED_START_COMMAND	(8)
-#define LED_FINISH_COMMAND	(16)
-#define LED_FATAL		(32)
-extern void led_blink (int spec);
+#define LED_ONESHOT		  1
+#define LED_TWOSHOTS		  2
+#define LED_SHOW_STATUS		  4
+#define LED_FATAL		  8
+#define LED_SYNC	         16
+#define LED_GNUK_EXEC		 32
+#define LED_START_COMMAND	 64
+#define LED_FINISH_COMMAND	128
+#define LED_WAIT_FOR_BUTTON	256
+#define LED_OFF	 LED_FINISH_COMMAND
+void led_blink (int spec);
 
 #if defined(PINPAD_SUPPORT)
 # if defined(PINPAD_CIR_SUPPORT)
-extern void cir_init (void);
+void cir_init (void);
 # elif defined(PINPAD_DIAL_SUPPORT)
-extern void dial_sw_disable (void);
-extern void dial_sw_enable (void);
+void dial_sw_disable (void);
+void dial_sw_enable (void);
 # elif defined(PINPAD_DND_SUPPORT)
-extern void msc_init (void);
-extern void msc_media_insert_change (int available);
-extern int msc_scsi_write (uint32_t lba, const uint8_t *buf, size_t size);
-extern int msc_scsi_read (uint32_t lba, const uint8_t **sector_p);
-extern void msc_scsi_stop (uint8_t code);
+void msc_init (void);
+void msc_media_insert_change (int available);
+int msc_scsi_write (uint32_t lba, const uint8_t *buf, size_t size);
+int msc_scsi_read (uint32_t lba, const uint8_t **sector_p);
+void msc_scsi_stop (uint8_t code);
 # endif
 #define PIN_INPUT_CURRENT 1
 #define PIN_INPUT_NEW     2
@@ -403,8 +470,11 @@ extern void msc_scsi_stop (uint8_t code);
 extern uint8_t pin_input_buffer[MAX_PIN_CHARS];
 extern uint8_t pin_input_len;
 
-extern int pinpad_getline (int msg_code, uint32_t timeout_usec);
+int pinpad_getline (int msg_code, uint32_t timeout_usec);
 
 #endif
 
-extern uint8_t _regnual_start, __heap_end__[];
+
+extern uint8_t _regnual_start[], __heap_end__[];
+
+uint8_t * sram_address (uint32_t offset);

src/gnuk.ld.in

@@ -1,16 +1,6 @@
 /*
  * ST32F103 memory setup.
  */
-__main_stack_size__      = 0x0100;      /* Exception handlers     */
-__process0_stack_size__  = 0x0100;      /* main */
-__process1_stack_size__  = 0x0140;      /* ccid */
-__process2_stack_size__  = 0x0180;      /* rng */
-__process3_stack_size__  = 0x1600;      /* gpg */
-__process4_stack_size__  = 0x0100;      /* intr: usb */
-__process5_stack_size__  = @MSC_SIZE@;  /* msc */
-__process6_stack_size__  = @TIM_SIZE@;  /* intr: timer */
-__process7_stack_size__  = @EXT_SIZE@;  /* intr: ext */
-
 MEMORY
 {
     flash0 : org = @ORIGIN@, len = 4k
@@ -18,10 +8,6 @@ MEMORY
     ram : org = 0x20000000, len = @MEMORY_SIZE@k
 }
 
-/* __flash_start__: flash ROM start address regardless of DFU_SUPPORT */
-__flash_start__         = 0x08001000;
-__flash_end__           = ORIGIN(flash) + LENGTH(flash);
-
 __ram_start__           = ORIGIN(ram);
 __ram_size__            = LENGTH(ram);
 __ram_end__             = __ram_start__ + __ram_size__;
@@ -32,18 +18,20 @@ SECTIONS
 
     .sys : ALIGN(4) SUBALIGN(4)
     {
-        _sys = .;
-        KEEP(*(.vectors))
-        . = ALIGN(16);
-        *(.sys.version)
-        build/sys.o(.text)
-        build/sys.o(.text.*)
-        build/sys.o(.rodata)
-        build/sys.o(.rodata.*)
-        . = ALIGN(1024);
-        *(.sys.0)
-        *(.sys.1)
-        *(.sys.2)
+	_sys = .;
+	KEEP(*(.vectors))
+	. = ALIGN(16);
+	KEEP(*(.sys.version))
+	KEEP(*(.sys.board_id))
+	KEEP(*(.sys.board_name))
+	build/sys-*.o(.text)
+	build/sys-*.o(.text.*)
+	build/sys-*.o(.rodata)
+	build/sys-*.o(.rodata.*)
+	. = ALIGN(1024);
+	*(.sys.0)
+	*(.sys.1)
+	*(.sys.2)
     } > flash0
 
     _text = .;
@@ -64,6 +52,7 @@ SECTIONS
         *(.glue_7t)
         *(.glue_7)
         *(.gcc*)
+	. = ALIGN(8);
     } > flash
 
     .ARM.extab : {*(.ARM.extab* .gnu.linkonce.armextab.*)} > flash
@@ -83,45 +72,18 @@ SECTIONS
     _etext = .;
     _textdata = _etext;
 
-    .stacks :
+    .stacks (NOLOAD) :
     {
         . = ALIGN(8);
-        __main_stack_base__ = .;
-        . += __main_stack_size__;
-        . = ALIGN(8);
-        __main_stack_end__ = .;
-        __process0_stack_base__ = .;
-        . += __process0_stack_size__;
-        . = ALIGN(8);
-        __process0_stack_end__ = .;
-        __process1_stack_base__ = .;
-        . += __process1_stack_size__;
-        . = ALIGN(8);
-        __process1_stack_end__ = .;
-        __process2_stack_base__ = .;
-        . += __process2_stack_size__;
-        . = ALIGN(8);
-        __process2_stack_end__ = .;
-        __process3_stack_base__ = .;
-        . += __process3_stack_size__;
-        . = ALIGN(8);
-        __process3_stack_end__ = .;
-        __process4_stack_base__ = .;
-        . += __process4_stack_size__;
-        . = ALIGN(8);
-        __process4_stack_end__ = .;
-        __process5_stack_base__ = .;
-        . += __process5_stack_size__;
-        . = ALIGN(8);
-        __process5_stack_end__ = .;
-        __process6_stack_base__ = .;
-        . += __process6_stack_size__;
-        . = ALIGN(8);
-        __process6_stack_end__ = .;
-        __process7_stack_base__ = .;
-        . += __process7_stack_size__;
-        . = ALIGN(8);
-        __process7_stack_end__ = .;
+        *(.main_stack)
+        *(.process_stack.0)
+        *(.process_stack.1)
+        *(.process_stack.2)
+        *(.process_stack.3)
+        *(.process_stack.4)
+        *(.process_stack.5)
+        *(.process_stack.6)
+        *(.process_stack.7)
         . = ALIGN(8);
     } > ram
 
@@ -172,20 +134,20 @@ SECTIONS
     .gnuk_flash :
     {
         . = ALIGN (@FLASH_PAGE_SIZE@);
-        _data_pool = .;
-        KEEP(*(.gnuk_data))
-        . = ALIGN(@FLASH_PAGE_SIZE@);
-        . += @FLASH_PAGE_SIZE@;
         _keystore_pool = .;
-        . += 512;
+        . += 1024;
         . = ALIGN(@FLASH_PAGE_SIZE@);
-        . += 512;
+        . += 1024;
         . = ALIGN(@FLASH_PAGE_SIZE@);
-        . += 512;
+        . += 1024;
         . = ALIGN(@FLASH_PAGE_SIZE@);
         _updatekey_store = .;
         . += 1024;
         . = ALIGN(@FLASH_PAGE_SIZE@);
+        _data_pool = .;
+        KEEP(*(.gnuk_data))
+        . = ALIGN(@FLASH_PAGE_SIZE@);
+        . += @FLASH_PAGE_SIZE@;
     } > flash =0xffffffff
 }
 

src/halconf.h

@@ -1,29 +0,0 @@
-/* HAL configuration file for ChibiOS/RT */
-
-#ifndef _HALCONF_H_
-#define _HALCONF_H_
-
-#include "mcuconf.h"
-
-#define HAL_USE_PAL              TRUE
-#define HAL_USE_ADC              FALSE
-#define HAL_USE_CAN              FALSE
-#define HAL_USE_EXT              FALSE
-#define HAL_USE_GPT              FALSE
-#define HAL_USE_I2C              FALSE
-#define HAL_USE_ICU              FALSE
-#define HAL_USE_MAC              FALSE
-#define HAL_USE_MMC_SPI          FALSE
-#define HAL_USE_PWM              FALSE
-#define HAL_USE_RTC              FALSE
-#define HAL_USE_SDC              FALSE
-#define HAL_USE_SERIAL           FALSE
-#define HAL_USE_SERIAL_USB       FALSE
-#define HAL_USE_SPI              FALSE
-#define HAL_USE_UART             FALSE
-#define HAL_USE_USB              FALSE
-
-/* Define manually, as we implement ADC driver by ourselves.  */
-#define STM32_DMA_REQUIRED	1
-
-#endif /* _HALCONF_H_ */

src/main.c

@@ -1,7 +1,8 @@
 /*
  * main.c - main routine of Gnuk
  *
- * Copyright (C) 2010, 2011, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2021
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -27,7 +28,6 @@
 #include <eventflag.h>
 
 #include "config.h"
-#include "board.h"
 
 #include "sys.h"
 #include "adc.h"
@@ -35,98 +35,59 @@
 #include "usb_lld.h"
 #include "usb-cdc.h"
 #include "random.h"
-#include "stm32f103.h"
+#ifdef GNU_LINUX_EMULATION
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
 
-#ifdef DEBUG
-#include "debug.h"
-
-struct stdout stdout;
-
-static void
-stdout_init (void)
-{
-  chopstx_mutex_init (&stdout.m);
-  chopstx_mutex_init (&stdout.m_dev);
-  chopstx_cond_init (&stdout.cond_dev);
-  stdout.connected = 0;
-}
-
-void
-_write (const char *s, int len)
-{
-  int packet_len;
-
-  if (len == 0)
-    return;
-
-  chopstx_mutex_lock (&stdout.m);
-
-  chopstx_mutex_lock (&stdout.m_dev);
-  if (!stdout.connected)
-    chopstx_cond_wait (&stdout.cond_dev, &stdout.m_dev);
-  chopstx_mutex_unlock (&stdout.m_dev);
-
-  do
-    {
-      packet_len =
-	(len < VIRTUAL_COM_PORT_DATA_SIZE) ? len : VIRTUAL_COM_PORT_DATA_SIZE;
-
-      chopstx_mutex_lock (&stdout.m_dev);     
-      usb_lld_write (ENDP3, s, packet_len);
-      chopstx_cond_wait (&stdout.cond_dev, &stdout.m_dev);
-      chopstx_mutex_unlock (&stdout.m_dev);
-
-      s += packet_len;
-      len -= packet_len;
-    }
-  /* Send a Zero-Length-Packet if the last packet is full size.  */
-  while (len != 0 || packet_len == VIRTUAL_COM_PORT_DATA_SIZE);
-
-  chopstx_mutex_unlock (&stdout.m);
-}
-
-void
-EP3_IN_Callback (void)
-{
-  chopstx_mutex_lock (&stdout.m_dev);
-  chopstx_cond_signal (&stdout.cond_dev);
-  chopstx_mutex_unlock (&stdout.m_dev);
-}
-
-void
-EP5_OUT_Callback (void)
-{
-  chopstx_mutex_lock (&stdout.m_dev);
-  usb_lld_rx_enable (ENDP5);
-  chopstx_mutex_unlock (&stdout.m_dev);
-}
+#include <stdio.h>
+#include <stdlib.h>
+#define main emulated_main
 #else
-void
-_write (const char *s, int size)
-{
-  (void)s;
-  (void)size;
-}
+#include "mcu/stm32f103.h"
 #endif
 
-extern void *USBthread (void *arg);
-
 /*
  * main thread does 1-bit LED display output
  */
-#define MAIN_TIMEOUT_INTERVAL	(5000*1000)
-
 #define LED_TIMEOUT_INTERVAL	(75*1000)
 #define LED_TIMEOUT_ZERO	(25*1000)
 #define LED_TIMEOUT_ONE		(100*1000)
 #define LED_TIMEOUT_STOP	(200*1000)
 
+#ifdef DFU_SUPPORT
+static int
+flash_write_any (uintptr_t dst_addr, const uint8_t *src, size_t len)
+{
+  int status;
 
+  while (len)
+    {
+      uint16_t hw = *src++;
+
+      hw |= (*src++ << 8);
+      status = flash_program_halfword (dst_addr, hw);
+      if (status != 0)
+        return 0;              /* error return */
+
+      dst_addr += 2;
+      len -= 2;
+    }
+
+  return 1;
+}
+#endif
+
+#ifdef GNU_LINUX_EMULATION
+uint8_t *flash_addr_key_storage_start;
+uint8_t *flash_addr_data_storage_start;
+#else
 #define ID_OFFSET (2+SERIALNO_STR_LEN*2)
 static void
 device_initialize_once (void)
 {
-  const uint8_t *p = &gnukStringSerial[ID_OFFSET];
+  const uint8_t *p = &gnuk_string_serial[ID_OFFSET];
 
   if (p[0] == 0xff && p[1] == 0xff && p[2] == 0xff && p[3] == 0xff)
     {
@@ -134,12 +95,12 @@ device_initialize_once (void)
        * This is the first time invocation.
        * Setup serial number by unique device ID.
        */
-      const uint8_t *u = unique_device_id ();
+      const uint8_t *u = unique_device_id () + (MHZ < 96 ? 8: 0);
       int i;
 
       for (i = 0; i < 4; i++)
 	{
-	  uint8_t b = u[i];
+	  uint8_t b = u[3-i];
 	  uint8_t nibble;
 
 	  nibble = (b >> 4);
@@ -149,12 +110,66 @@ device_initialize_once (void)
 	  nibble += (nibble >= 10 ? ('A' - 10) : '0');
 	  flash_put_data_internal (&p[i*4+2], nibble);
 	}
+
+#ifdef DFU_SUPPORT
+#define CHIP_ID_REG ((uint32_t *)0xE0042000)
+      /*
+       * Overwrite DFU bootloader with a copy of SYS linked to ORIGIN_REAL.
+       * Then protect flash from readout.
+       */
+      {
+        extern uint8_t _binary_build_stdaln_sys_bin_start;
+        extern uint8_t _binary_build_stdaln_sys_bin_size;
+        size_t stdaln_sys_size = (size_t) &_binary_build_stdaln_sys_bin_size;
+        extern const uint32_t FT0[256], FT1[256], FT2[256];
+        extern handler vector_table[];
+        uintptr_t addr;
+        uint32_t flash_page_size = 1024; /* 1KiB default */
+
+        if (((*CHIP_ID_REG)&0x07) == 0x04) /* High density device.  */
+          flash_page_size = 2048; /* It's 2KiB. */
+
+        /* Kill DFU */
+        for (addr = ORIGIN_REAL; addr < ORIGIN;
+             addr += flash_page_size)
+          flash_erase_page (addr);
+
+        /* Copy SYS */
+        addr = ORIGIN_REAL;
+        flash_write_any(addr, &_binary_build_stdaln_sys_bin_start,
+                        stdaln_sys_size);
+        addr += stdaln_sys_size;
+        flash_write_any(addr, (const uint8_t *) &FT0, sizeof(FT0));
+        addr += sizeof(FT0);
+        flash_write_any(addr, (const uint8_t *) &FT1, sizeof(FT1));
+        addr += sizeof(FT1);
+        flash_write_any(addr, (const uint8_t *) &FT2, sizeof(FT2));
+
+        addr = ORIGIN_REAL + 0x1000;
+        if (addr < ORIGIN) {
+          /* Need to patch top of stack and reset vector there */
+          handler *new_vector = (handler *) addr;
+          flash_write((uintptr_t) &new_vector[0], (const uint8_t *)
+                      &vector_table[0], sizeof(handler));
+          flash_write((uintptr_t) &new_vector[1], (const uint8_t *)
+                      &vector[1], sizeof(handler));
+        }
+
+        flash_protect();
+        nvic_system_reset();
+      }
+#endif
     }
 }
+#endif
 
 
 static volatile uint8_t fatal_code;
 static struct eventflag led_event;
+static chopstx_poll_cond_t led_event_poll_desc;
+static struct chx_poll_head *const led_event_poll[] = {
+  (struct chx_poll_head *)&led_event_poll_desc
+};
 
 static void display_fatal_code (void)
 {
@@ -195,103 +210,88 @@ static void display_fatal_code (void)
 
 static uint8_t led_inverted;
 
-static eventmask_t emit_led (int on_time, int off_time)
+static void
+emit_led (uint32_t on_time, uint32_t off_time)
 {
-  eventmask_t m;
-
   set_led (!led_inverted);
-  m = eventflag_wait_timeout (&led_event, on_time);
+  chopstx_poll (&on_time, 1, led_event_poll);
   set_led (led_inverted);
-  if (m) return m;
-  if ((m = eventflag_wait_timeout (&led_event, off_time)))
-    return m;
-  return 0;
+  chopstx_poll (&off_time, 1, led_event_poll);
 }
 
-static eventmask_t display_status_code (void)
+static void
+display_status_code (void)
 {
-  enum icc_state icc_state;
-  eventmask_t m;
+  enum ccid_state ccid_state = ccid_get_ccid_state ();
+  uint32_t usec;
 
-  if (icc_state_p == NULL)
-    icc_state = ICC_STATE_START;
+  if (ccid_state == CCID_STATE_START)
+    emit_led (LED_TIMEOUT_ONE, LED_TIMEOUT_STOP);
   else
-    icc_state = *icc_state_p;
-
-  if (icc_state == ICC_STATE_START)
-    return emit_led (LED_TIMEOUT_ONE, LED_TIMEOUT_STOP);
-  else
-    /* OpenPGP card thread  running */
+    /* OpenPGP card thread is running */
     {
-      if ((m = emit_led ((auth_status & AC_ADMIN_AUTHORIZED)?
-			  LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO,
-			  LED_TIMEOUT_INTERVAL)))
-	return m;
-      if ((m = emit_led ((auth_status & AC_OTHER_AUTHORIZED)?
-			  LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO,
-			  LED_TIMEOUT_INTERVAL)))
-	return m;
-      if ((m = emit_led ((auth_status & AC_PSO_CDS_AUTHORIZED)?
-			  LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO,
-			  LED_TIMEOUT_INTERVAL)))
-	return m;
+      emit_led ((auth_status & AC_ADMIN_AUTHORIZED)?
+		LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO, LED_TIMEOUT_INTERVAL);
+      emit_led ((auth_status & AC_OTHER_AUTHORIZED)?
+		LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO, LED_TIMEOUT_INTERVAL);
+      emit_led ((auth_status & AC_PSO_CDS_AUTHORIZED)?
+		LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO, LED_TIMEOUT_INTERVAL);
 
-      if (icc_state == ICC_STATE_WAIT)
+      if (ccid_state == CCID_STATE_WAIT)
 	{
-	  if ((m = eventflag_wait_timeout (&led_event, LED_TIMEOUT_STOP * 2)))
-	    return m;
+	  usec = LED_TIMEOUT_STOP * 2;
+	  chopstx_poll (&usec, 1, led_event_poll);
 	}
       else
 	{
-	  if ((m = eventflag_wait_timeout (&led_event, LED_TIMEOUT_INTERVAL)))
-	    return m;
-
-	  if ((m = emit_led (icc_state == ICC_STATE_RECEIVE?
-			      LED_TIMEOUT_ONE : LED_TIMEOUT_ZERO,
-			      LED_TIMEOUT_STOP)))
-	    return m;
+	  usec = LED_TIMEOUT_INTERVAL;
+	  chopstx_poll (&usec, 1, led_event_poll);
+	  emit_led (LED_TIMEOUT_ZERO, LED_TIMEOUT_STOP);
 	}
-
-      return 0;
     }
 }
 
 void
 led_blink (int spec)
 {
+  if (spec == LED_START_COMMAND || spec == LED_FINISH_COMMAND)
+    {
+      led_inverted = (spec == LED_START_COMMAND);
+      spec = LED_SYNC;
+    }
+
   eventflag_signal (&led_event, spec);
 }
 
+#ifdef FLASH_UPGRADE_SUPPORT
 /*
  * In Gnuk 1.0.[12], reGNUal was not relocatable.
  * Now, it's relocatable, but we need to calculate its entry address
  * based on it's pre-defined address.
  */
 #define REGNUAL_START_ADDRESS_COMPATIBLE 0x20001400
-static uint32_t
+static uintptr_t
 calculate_regnual_entry_address (const uint8_t *addr)
 {
   const uint8_t *p = addr + 4;
-  uint32_t v = p[0] + (p[1] << 8) + (p[2] << 16) + (p[3] << 24);
+  uintptr_t v = p[0] + (p[1] << 8) + (p[2] << 16) + (p[3] << 24);
 
   v -= REGNUAL_START_ADDRESS_COMPATIBLE;
-  v += (uint32_t)addr;
+  v += (uintptr_t)addr;
   return v;
 }
+#endif
 
-extern uint8_t __process1_stack_base__, __process1_stack_size__;
-extern uint8_t __process4_stack_base__, __process4_stack_size__;
-
-const uint32_t __stackaddr_ccid = (uint32_t)&__process1_stack_base__;
-const size_t __stacksize_ccid = (size_t)&__process1_stack_size__;
-
-const uint32_t __stackaddr_usb = (uint32_t)&__process4_stack_base__;
-const size_t __stacksize_usb = (size_t)&__process4_stack_size__;
+#define STACK_MAIN
+#define STACK_PROCESS_1
+#include "stack-def.h"
+#define STACK_ADDR_CCID ((uintptr_t)process1_base)
+#define STACK_SIZE_CCID (sizeof process1_base)
 
 #define PRIO_CCID 3
-#define PRIO_USB  4
+#define PRIO_MAIN 5
 
-extern void *usb_intr (void *arg);
+extern void *ccid_thread (void *arg);
 
 static void gnuk_malloc_init (void);
 
@@ -300,29 +300,131 @@ extern uint32_t bDeviceState;
 
 /*
  * Entry point.
- *
- * NOTE: the main function is already a thread in the system on entry.
- *       See the hwinit1_common function.
  */
 int
-main (int argc, char *argv[])
+main (int argc, const char *argv[])
 {
-  unsigned int count = 0;
-  uint32_t entry;
-  chopstx_t usb_thd;
+#ifdef GNU_LINUX_EMULATION
+  uintptr_t flash_addr;
+  const char *flash_image_path;
+  char *path_string = NULL;
+#endif
+#ifdef FLASH_UPGRADE_SUPPORT
+  uintptr_t entry;
+#endif
   chopstx_t ccid_thd;
+  int wait_for_ack = 0;
 
-  (void)argc;
-  (void)argv;
+  chopstx_conf_idle (1);
 
   gnuk_malloc_init ();
 
+#ifdef GNU_LINUX_EMULATION
+#define FLASH_IMAGE_NAME ".gnuk-flash-image"
+
+  if (argc >= 4 || (argc == 2 && !strcmp (argv[1], "--help")))
+    {
+      fprintf (stdout, "Usage: %s [--vidpid=Vxxx:Pxxx] [flash-image-file]",
+	       argv[0]);
+      exit (0);
+    }
+
+  if (argc >= 2 && !strncmp (argv[1], "--debug=", 8))
+    {
+      debug = strtol (&argv[1][8], NULL, 10);
+      argc--;
+      argv++;
+    }
+
+  if (argc >= 2 && !strncmp (argv[1], "--vidpid=", 9))
+    {
+      extern uint8_t device_desc[];
+      uint32_t id;
+      char *p;
+
+      id = (uint32_t)strtol (&argv[1][9], &p, 16);
+      device_desc[8] = (id & 0xff);
+      device_desc[9] = (id >> 8);
+
+      if (p && p[0] == ':')
+	{
+	  id = (uint32_t)strtol (&p[1], NULL, 16);
+	  device_desc[10] = (id & 0xff);
+	  device_desc[11] = (id >> 8);
+	}
+
+      argc--;
+      argv++;
+    }
+
+  if (argc == 1)
+    {
+      char *p = getenv ("HOME");
+
+      if (p == NULL)
+	{
+	  fprintf (stderr, "Can't find $HOME\n");
+	  exit (1);
+	}
+
+      path_string = malloc (strlen (p) + strlen (FLASH_IMAGE_NAME) + 2);
+
+      p = stpcpy (path_string, p);
+      *p++ = '/';
+      strcpy (p, FLASH_IMAGE_NAME);
+      flash_image_path = path_string;
+    }
+  else
+    flash_image_path = argv[1];
+
+  if (access (flash_image_path, F_OK) < 0)
+    {
+      int fd;
+      char buf[8192];
+
+      memset (buf, 0xff, sizeof buf);
+      memset (buf+4*1024, 0, 2);
+      fd = open (flash_image_path, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR);
+      if (fd < 0)
+	{
+	  perror ("creating flash file");
+	  exit (1);
+	}
+
+      if (write (fd, buf, sizeof buf) != sizeof buf)
+	{
+	  perror ("initializing flash file");
+	  close (fd);
+	  exit (1);
+	}
+
+      close (fd);
+    }
+
+  puts ("Gnuk (emulation with USBIP), a GnuPG USB Token implementation");
+  puts ("Copyright (C) 2021 Free Software Initiative of Japan");
+  puts ("This is free software under GPLv3+.");
+
+  flash_addr = flash_init (flash_image_path);
+  flash_addr_key_storage_start = (uint8_t *)flash_addr;
+  flash_addr_data_storage_start = (uint8_t *)flash_addr + 4096;
+#else
+  (void)argc;
+  (void)argv;
+#endif
+
   flash_unlock ();
+
+#ifdef GNU_LINUX_EMULATION
+    if (path_string)
+      free (path_string);
+#else
   device_initialize_once ();
+#endif
 
   adc_init ();
 
-  eventflag_init (&led_event, chopstx_main);
+  eventflag_init (&led_event);
 
   random_init ();
 
@@ -330,8 +432,8 @@ main (int argc, char *argv[])
   stdout_init ();
 #endif
 
-  ccid_thd = chopstx_create (PRIO_CCID, __stackaddr_ccid,
-			     __stacksize_ccid, USBthread, NULL);
+  ccid_thd = chopstx_create (PRIO_CCID, STACK_ADDR_CCID, STACK_SIZE_CCID,
+			     ccid_thread, NULL);
 
 #ifdef PINPAD_CIR_SUPPORT
   cir_init ();
@@ -340,71 +442,57 @@ main (int argc, char *argv[])
   msc_init ();
 #endif
 
-  usb_thd = chopstx_create (PRIO_USB, __stackaddr_usb, __stacksize_usb,
-			    usb_intr, NULL);
+  chopstx_setpriority (PRIO_MAIN);
 
   while (1)
     {
-      if (bDeviceState != UNCONNECTED)
+      if (bDeviceState != USB_DEVICE_STATE_UNCONNECTED)
 	break;
 
       chopstx_usec_wait (250*1000);
     }
 
+  eventflag_prepare_poll (&led_event, &led_event_poll_desc);
+
   while (1)
     {
       eventmask_t m;
 
-      if (icc_state_p != NULL && *icc_state_p == ICC_STATE_EXEC_REQUESTED)
-	break;
+      if (wait_for_ack)
+	m = eventflag_wait_timeout (&led_event, LED_TIMEOUT_INTERVAL);
+      else
+	m = eventflag_wait (&led_event);
 
-      m = eventflag_wait_timeout (&led_event, MAIN_TIMEOUT_INTERVAL);
-    got_it:
-      count++;
       switch (m)
 	{
 	case LED_ONESHOT:
-	  if ((m = emit_led (100*1000, MAIN_TIMEOUT_INTERVAL))) goto got_it;
+	  emit_led (100*1000, LED_TIMEOUT_STOP);
 	  break;
 	case LED_TWOSHOTS:
-	  if ((m = emit_led (50*1000, 50*1000))) goto got_it;
-	  if ((m = emit_led (50*1000, MAIN_TIMEOUT_INTERVAL))) goto got_it;
+	  emit_led (50*1000, 50*1000);
+	  emit_led (50*1000, LED_TIMEOUT_STOP);
 	  break;
 	case LED_SHOW_STATUS:
-	  if ((count & 0x07) != 0) continue; /* Display once for eight times */
-	  if ((m = display_status_code ())) goto got_it;
-	  break;
-	case LED_START_COMMAND:
-	  set_led (1);
-	  led_inverted = 1;
-	  break;
-	case LED_FINISH_COMMAND:
-	  m = eventflag_wait_timeout (&led_event, LED_TIMEOUT_STOP);
-	  led_inverted = 0;
-	  set_led (0);
-	  if (m)
-	    goto got_it;
+	  display_status_code ();
 	  break;
 	case LED_FATAL:
 	  display_fatal_code ();
 	  break;
+	case LED_SYNC:
+	  set_led (led_inverted);
+	  break;
+	case LED_GNUK_EXEC:
+	  goto exec;
+	case LED_WAIT_FOR_BUTTON:
+	  wait_for_ack ^= 1;
+	  /* fall through */
 	default:
-	  if ((m = emit_led (LED_TIMEOUT_ZERO, LED_TIMEOUT_STOP)))
-	    goto got_it;
+	  emit_led (LED_TIMEOUT_ZERO, LED_TIMEOUT_ZERO);
 	  break;
 	}
-
-#ifdef DEBUG_MORE
-      if (stdout.connected && (count % 10) == 0)
-	{
-	  DEBUG_SHORT (count / 10);
-	  _write ("\r\nThis is Gnuk on STM32F103.\r\n"
-		  "Testing USB driver.\n\n"
-		  "Hello world\r\n\r\n", 30+21+15);
-	}
-#endif
     }
 
+ exec:
   random_fini ();
 
   set_led (1);
@@ -413,28 +501,15 @@ main (int argc, char *argv[])
   /* Finish application.  */
   chopstx_join (ccid_thd, NULL);
 
-  chopstx_cancel (usb_thd);
-  chopstx_join (usb_thd, NULL);
-
+#ifdef FLASH_UPGRADE_SUPPORT
   /* Set vector */
-  SCB->VTOR = (uint32_t)&_regnual_start;
-  entry = calculate_regnual_entry_address (&_regnual_start);
+  SCB->VTOR = (uintptr_t)_regnual_start;
+  entry = calculate_regnual_entry_address (_regnual_start);
 #ifdef DFU_SUPPORT
-#define FLASH_SYS_START_ADDR 0x08000000
-#define FLASH_SYS_END_ADDR (0x08000000+0x1000)
   {
-    extern uint8_t _sys;
-    uint32_t addr;
-    handler *new_vector = (handler *)FLASH_SYS_START_ADDR;
-    void (*func) (void (*)(void)) = (void (*)(void (*)(void)))new_vector[9];
-
-    /* Kill DFU */
-    for (addr = FLASH_SYS_START_ADDR; addr < FLASH_SYS_END_ADDR;
-	 addr += FLASH_PAGE_SIZE)
-      flash_erase_page (addr);
-
-    /* copy system service routines */
-    flash_write (FLASH_SYS_START_ADDR, &_sys, 0x1000);
+    /* Use SYS at ORIGIN_REAL instead of the one at ORIGIN */
+    handler *new_vector = (handler *)ORIGIN_REAL;
+    void (*func) (void (*)(void)) = (void (*)(void (*)(void))) new_vector[9];
 
     /* Leave Gnuk to exec reGNUal */
     (*func) ((void (*)(void))entry);
@@ -444,6 +519,9 @@ main (int argc, char *argv[])
   /* Leave Gnuk to exec reGNUal */
   flash_erase_all_and_exec ((void (*)(void))entry);
 #endif
+#else
+  exit (0);
+#endif
 
   /* Never reached */
   return 0;
@@ -452,6 +530,8 @@ main (int argc, char *argv[])
 void
 fatal (uint8_t code)
 {
+  extern void _write (const char *s, int len);
+
   fatal_code = code;
   eventflag_signal (&led_event, LED_FATAL);
   _write ("fatal\r\n", 7);
@@ -472,39 +552,55 @@ fatal (uint8_t code)
  * reclaimed to system.
  */
 
+#ifdef GNU_LINUX_EMULATION
+#define HEAP_SIZE (32*1024)
+uint8_t __heap_base__[HEAP_SIZE];
+
+#define HEAP_START __heap_base__
+#define HEAP_END (__heap_base__ + HEAP_SIZE)
+#define HEAP_ALIGNMENT 32
+#else
 extern uint8_t __heap_base__[];
 extern uint8_t __heap_end__[];
 
-#define MEMORY_END (__heap_end__)
-#define MEMORY_ALIGNMENT 16
-#define MEMORY_ALIGN(n) (((n) + MEMORY_ALIGNMENT - 1) & ~(MEMORY_ALIGNMENT - 1))
+#define HEAP_START __heap_base__
+#define HEAP_END (__heap_end__)
+#define HEAP_ALIGNMENT 16
+#define HEAP_SIZE ((uintptr_t)__heap_end__ -  (uintptr_t)__heap_base__)
+#endif
+
+#define HEAP_ALIGN(n) (((n) + HEAP_ALIGNMENT - 1) & ~(HEAP_ALIGNMENT - 1))
 
 static uint8_t *heap_p;
 static chopstx_mutex_t malloc_mtx;
 
 struct mem_head {
-  uint32_t size;
+  uintptr_t size;
   /**/
   struct mem_head *next, *prev;	/* free list chain */
   struct mem_head *neighbor;	/* backlink to neighbor */
 };
 
+#define MEM_HEAD_IS_CORRUPT(x) \
+    ((x)->size != HEAP_ALIGN((x)->size) || (x)->size > HEAP_SIZE)
+#define MEM_HEAD_CHECK(x) if (MEM_HEAD_IS_CORRUPT(x)) fatal (FATAL_HEAP)
+
 static struct mem_head *free_list;
 
 static void
 gnuk_malloc_init (void)
 {
   chopstx_mutex_init (&malloc_mtx);
-  heap_p = __heap_base__;
+  heap_p = HEAP_START;
   free_list = NULL;
 }
 
 static void *
-sbrk (size_t size)
+gnuk_sbrk (intptr_t size)
 {
   void *p = (void *)heap_p;
 
-  if ((size_t)(MEMORY_END - heap_p) < size)
+  if ((HEAP_END - heap_p) < size)
     return NULL;
 
   heap_p += size;
@@ -529,7 +625,7 @@ gnuk_malloc (size_t size)
   struct mem_head *m;
   struct mem_head *m0;
 
-  size = MEMORY_ALIGN (size + sizeof (uint32_t));
+  size = HEAP_ALIGN (size + sizeof (uintptr_t));
 
   chopstx_mutex_lock (&malloc_mtx);
   DEBUG_INFO ("malloc: ");
@@ -540,12 +636,12 @@ gnuk_malloc (size_t size)
     {
       if (m == NULL)
 	{
-	  m = (struct mem_head *)sbrk (size);
+	  m = (struct mem_head *)gnuk_sbrk (size);
 	  if (m)
 	    m->size = size;
 	  break;
 	}
-
+      MEM_HEAD_CHECK (m);
       if (m->size == size)
 	{
 	  remove_from_free_list (m);
@@ -569,8 +665,8 @@ gnuk_malloc (size_t size)
     }
   else
     {
-      DEBUG_WORD ((uint32_t)m + sizeof (uint32_t));
-      return (void *)m + sizeof (uint32_t);
+      DEBUG_WORD ((uintptr_t)m + sizeof (uintptr_t));
+      return (void *)m + sizeof (uintptr_t);
     }
 }
 
@@ -578,18 +674,23 @@ gnuk_malloc (size_t size)
 void
 gnuk_free (void *p)
 {
-  struct mem_head *m = (struct mem_head *)((void *)p - sizeof (uint32_t));
+  struct mem_head *m = (struct mem_head *)((void *)p - sizeof (uintptr_t));
   struct mem_head *m0;
 
+  if (p == NULL)
+    return;
+
   chopstx_mutex_lock (&malloc_mtx);
   m0 = free_list;
   DEBUG_INFO ("free: ");
   DEBUG_SHORT (m->size);
-  DEBUG_WORD ((uint32_t)p);
+  DEBUG_WORD ((uintptr_t)p);
 
+  MEM_HEAD_CHECK (m);
   m->neighbor = NULL;
   while (m0)
     {
+      MEM_HEAD_CHECK (m0);
       if ((void *)m + m->size == (void *)m0)
 	m0->neighbor = m;
       else if ((void *)m0 + m0->size == (void *)m)
@@ -605,6 +706,7 @@ gnuk_free (void *p)
       heap_p -= m->size;
       while (mn)
 	{
+	  MEM_HEAD_CHECK (mn);
 	  heap_p -= mn->size;
 	  remove_from_free_list (mn);
 	  mn = mn->neighbor;

src/mcu-stm32f103.c

@@ -0,0 +1,32 @@
+/*
+ * mcu-stm32f103.c - STM32F103 specific routines
+ *
+ * Copyright (C) 2017
+ *               Free Software Initiative of Japan
+ * Author: NIIBE Yutaka <gniibe@fsij.org>
+ *
+ * This file is a part of Gnuk, a GnuPG USB Token implementation.
+ *
+ * Gnuk is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Gnuk is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <stdint.h>
+#include "mcu/stm32f103.h"
+
+uint8_t *
+sram_address (uint32_t offset)
+{
+  return ((uint8_t *)0x20000000) + offset;
+}

src/mod.c

@@ -27,7 +27,7 @@
 
 /**
  * @brief X = A mod B (using MU=(1<<(256)+MU_lower)) (Barret reduction)
- * 
+ *
  */
 void
 mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
@@ -36,7 +36,6 @@ mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
   bn512 q_big[1], tmp[1];
   uint32_t carry;
 #define borrow carry
-  uint32_t borrow_next;
 
   memset (q, 0, sizeof (bn256));
   q->word[0] = A->word[15];
@@ -110,9 +109,7 @@ mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
     = tmp->word[11] = tmp->word[10] = tmp->word[9] = 0;
 
   borrow = bn256_sub (X, (bn256 *)&q_big->word[0], (bn256 *)&tmp->word[0]);
-  borrow_next = (q_big->word[8] < borrow);
   q_big->word[8] -= borrow;
-  borrow_next += (q_big->word[8] < tmp->word[8]);
   q_big->word[8] -= tmp->word[8];
 
   carry = q_big->word[8];
@@ -122,7 +119,7 @@ mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
     bn256_sub (q, X, B);
 
   if (carry)
-    carry -= bn256_sub (X, X, B);
+    bn256_sub (X, X, B);
   else
     bn256_sub (q, X, B);
 
@@ -145,9 +142,9 @@ mod_reduce (bn256 *X, const bn512 *A, const bn256 *B, const bn256 *MU_lower)
 
 /**
  * @brief C = X^(-1) mod N
- * 
+ *
  * Assume X and N are co-prime (or N is prime).
- * If N==0, return 0.
+ * NOTE: If X==0, it return 0.
  *
  */
 void
@@ -159,6 +156,7 @@ mod_inv (bn256 *C, const bn256 *X, const bn256 *N)
 #define borrow carry
   int n = MAX_GCD_STEPS_BN256;
 
+  memset (tmp, 0, sizeof (bn256));
   memset (C, 0, sizeof (bn256));
   memcpy (u, X, sizeof (bn256));
   memcpy (v, N, sizeof (bn256));

src/mod25638.c

@@ -44,23 +44,23 @@
 
 #if ASM_IMPLEMENTATION
 #include "muladd_256.h"
-#define ADDWORD_256(d_,w_,c_)                    \
- asm ( "ldmia  %[d], { r4, r5, r6, r7 } \n\t"    \
-       "adds   r4, r4, %[w]             \n\t"    \
-       "adcs   r5, r5, #0               \n\t"    \
-       "adcs   r6, r6, #0               \n\t"    \
-       "adcs   r7, r7, #0               \n\t"    \
-       "stmia  %[d]!, { r4, r5, r6, r7 }\n\t"    \
-       "ldmia  %[d], { r4, r5, r6, r7 } \n\t"    \
-       "adcs   r4, r4, #0               \n\t"    \
-       "adcs   r5, r5, #0               \n\t"    \
-       "adcs   r6, r6, #0               \n\t"    \
-       "adcs   r7, r7, #0               \n\t"    \
-       "stmia  %[d]!, { r4, r5, r6, r7 }\n\t"    \
-       "mov    %[c], #0                 \n\t"    \
-       "adc    %[c], %[c], #0"                   \
-       : [d] "=&r" (d_), [c] "=&r" (c_)          \
-       : "[d]" (d_), [w] "r" (w_)                \
+#define ADDWORD_256(d_,s_,w_,c_)		        \
+ asm ( "ldmia  %[s]!, { r4, r5, r6, r7 } \n\t"          \
+       "adds   r4, r4, %[w]             \n\t"           \
+       "adcs   r5, r5, #0               \n\t"           \
+       "adcs   r6, r6, #0               \n\t"           \
+       "adcs   r7, r7, #0               \n\t"           \
+       "stmia  %[d]!, { r4, r5, r6, r7 }\n\t"           \
+       "ldmia  %[s]!, { r4, r5, r6, r7 } \n\t"          \
+       "adcs   r4, r4, #0               \n\t"           \
+       "adcs   r5, r5, #0               \n\t"           \
+       "adcs   r6, r6, #0               \n\t"           \
+       "adcs   r7, r7, #0               \n\t"           \
+       "stmia  %[d]!, { r4, r5, r6, r7 }\n\t"           \
+       "mov    %[c], #0                 \n\t"           \
+       "adc    %[c], %[c], #0"                          \
+       : [s] "=&r" (s_), [d] "=&r" (d_), [c] "=&r" (c_)	\
+       : "[s]" (s_), "[d]" (d_), [w] "r" (w_)		\
        : "r4", "r5", "r6", "r7", "memory", "cc" )
 #endif
 
@@ -68,17 +68,13 @@
 256      224      192      160      128       96       64       32        0
 2^256
   1 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-2^256 - 32
-  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffe0
-2^256 - 32 - 4
-  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffdc
-2^256 - 32 - 4 - 2
-  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffda
+2^256 - 16
+  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffff0
+2^256 - 16 - 2
+  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffee
+2^256 - 16 - 2 - 1
+  0 ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed
 */
-const bn256 n25638[1] = {
-  {{0xffffffda, 0xffffffff, 0xffffffff, 0xffffffff,
-    0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff }} };
-
 const bn256 p25519[1] = {
   {{ 0xffffffed, 0xffffffff, 0xffffffff, 0xffffffff,
      0xffffffff, 0xffffffff, 0xffffffff, 0x7fffffff }} };
@@ -93,6 +89,7 @@ const bn256 p25519[1] = {
  * 256-bit.
  */
 
+
 /**
  * @brief  X = (A + B) mod 2^256-38
  */
@@ -100,13 +97,10 @@ void
 mod25638_add (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t carry;
-  bn256 tmp[1];
 
   carry = bn256_add (X, A, B);
-  if (carry)
-    bn256_sub (X, X, n25638);
-  else
-    bn256_sub (tmp, X, n25638);
+  carry = bn256_add_uint (X, X, carry*38);
+  X->word[0] += carry * 38;
 }
 
 /**
@@ -116,13 +110,10 @@ void
 mod25638_sub (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t borrow;
-  bn256 tmp[1];
 
   borrow = bn256_sub (X, A, B);
-  if (borrow)
-    bn256_add (X, X, n25638);
-  else
-    bn256_add (tmp, X, n25638);
+  borrow = bn256_sub_uint (X, X, borrow*38);
+  X->word[0] -= borrow * 38;
 }
 
 
@@ -147,10 +138,10 @@ mod25638_reduce (bn256 *X, bn512 *A)
 
   s = &A->word[8]; d = &A->word[0]; w = 38; MULADD_256 (s, d, w, c);
   c0 = A->word[8] * 38;
+  d = &X->word[0];
   s = &A->word[0];
-  ADDWORD_256 (s, c0, c);
-  A->word[0] += c * 38;
-  memcpy (X, A, sizeof (bn256));
+  ADDWORD_256 (d, s, c0, c);
+  X->word[0] += c * 38;
 #else
   s = &A->word[8]; d = &A->word[0]; w = 38;
   {
@@ -173,13 +164,10 @@ mod25638_reduce (bn256 *X, bn512 *A)
 	d[i] = (uint32_t)r;
 	r = ((r >> 32) | ((uint64_t)carry << 32));
       }
-    d[i] = (uint32_t)r;
 
-    carry = bn256_add_uint ((bn256 *)A, (bn256 *)A, A->word[8] * 38);
-    A->word[0] += carry * 38;
+    carry = bn256_add_uint (X, (bn256 *)A, r * 38);
+    X->word[0] += carry * 38;
   }
-
-  memcpy (X, A, sizeof (bn256));
 #endif
 }
 
@@ -233,19 +221,6 @@ mod25638_shift (bn256 *X, const bn256 *A, int shift)
   mod25638_add (X, X, tmp);
 }
 
-static void
-add19 (bn256 *r, bn256 *x)
-{
-  uint32_t v;
-  int i;
-
-  v = 19;
-  for (i = 0; i < BN256_WORDS; i++)
-    {
-      r->word[i] = x->word[i] + v;
-      v = (r->word[i] < v);
-    }
-}
 
 /*
  * @brief  X = A mod 2^255-19
@@ -264,12 +239,12 @@ mod25519_reduce (bn256 *X)
   r0->word[7] &= 0x7fffffff;
   if (q)
     {
-      add19 (r0, r0);
+      bn256_add_uint (r0, r0, 19);
       q = (r0->word[7] >> 31);
       r0->word[7] &= 0x7fffffff;
       if (q)
 	{
-	  add19 (r1, r0);
+	  bn256_add_uint (r1, r0, 19);
 	  q = (r1->word[7] >> 31);
 	  r1->word[7] &= 0x7fffffff;
 	  flag = 0;
@@ -279,7 +254,7 @@ mod25519_reduce (bn256 *X)
     }
   else
     {
-      add19 (r1, r0);		 /* dummy */
+      bn256_add_uint (r1, r0, 19);
       q = (r1->word[7] >> 31);	 /* dummy */
       r1->word[7] &= 0x7fffffff; /* dummy */
       if (q)
@@ -290,7 +265,7 @@ mod25519_reduce (bn256 *X)
 
   if (flag)
     {
-      add19 (r1, r0);
+      bn256_add_uint (r1, r0, 19);
       q = (r1->word[7] >> 31);
       r1->word[7] &= 0x7fffffff;
       if (q)

src/mod25638.h

@@ -1,4 +1,3 @@
-extern const bn256 n25638[1];
 extern const bn256 p25519[1];
 
 void mod25638_add (bn256 *X, const bn256 *A, const bn256 *B);

src/modp256k1.c

@@ -1,7 +1,7 @@
 /*
  * modp256k1.c -- modulo arithmetic for p256k1
  *
- * Copyright (C) 2014 Free Software Initiative of Japan
+ * Copyright (C) 2014, 2016, 2020 Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -55,12 +55,12 @@ const bn256 p256k1 = { {0xfffffc2f, 0xfffffffe, 0xffffffff, 0xffffffff,
 /*
  * Implementation Note.
  *
- * It's not always modulo p256k1.  The representation is redundant
- * during computation.  For example, when we add the prime - 1 and 1,
- * it won't overflow to 2^256, and the result is represented within
- * 256-bit.
+ * It's always modulo p256k1.
+ *
+ * Once, I tried redundant representation which caused wrong
+ * calculation.  Implementation could be correct with redundant
+ * representation, but it found that it's more expensive.
  *
- * It is guaranteed that modp256k1_reduce reduces to modulo p256k1.
  */
 
 /**
@@ -69,14 +69,14 @@ const bn256 p256k1 = { {0xfffffc2f, 0xfffffffe, 0xffffffff, 0xffffffff,
 void
 modp256k1_add (bn256 *X, const bn256 *A, const bn256 *B)
 {
-  uint32_t carry;
+  uint32_t cond;
   bn256 tmp[1];
+  bn256 dummy[1];
 
-  carry = bn256_add (X, A, B);
-  if (carry)
-    bn256_sub (X, X, P256K1);
-  else
-    bn256_sub (tmp, X, P256K1);
+  cond = (bn256_add (X, A, B) == 0);
+  cond &= bn256_sub (tmp, X, P256K1);
+  memcpy (cond?dummy:X, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**
@@ -87,12 +87,12 @@ modp256k1_sub (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t borrow;
   bn256 tmp[1];
+  bn256 dummy[1];
 
   borrow = bn256_sub (X, A, B);
-  if (borrow)
-    bn256_add (X, X, P256K1);
-  else
-    bn256_add (tmp, X, P256K1);
+  bn256_add (tmp, X, P256K1);
+  memcpy (borrow?X:dummy, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**
@@ -181,12 +181,12 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
    */
   S->word[7] = S->word[6] = S->word[5] = S->word[4] = S->word[3] = 0;
 
-  /* (S02, S01, S00) = (S1, S0) + (S1, S0)*2^32 */ 
+  /* (S02, S01, S00) = (S1, S0) + (S1, S0)*2^32 */
   s00 = s0;
   s01 = s0 + s1;
   s02 = s1 + ((s01 < s0)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^9 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^9 */
   carry = (s0 >> 23) + s01;
   s02 += (s1 >> 23) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 9) + carry;
@@ -196,7 +196,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^8 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^8 */
   carry = (s0 >> 24) + s01;
   s02 += (s1 >> 24) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 8) + carry;
@@ -206,7 +206,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^7 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^7 */
   carry = (s0 >> 25) + s01;
   s02 += (s1 >> 25) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 7) + carry;
@@ -216,7 +216,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^6 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^6 */
   carry = (s0 >> 26) + s01;
   s02 += (s1 >> 26) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 6) + carry;
@@ -226,7 +226,7 @@ modp256k1_reduce (bn256 *X, const bn512 *A)
   s01 += carry;
   s02 += ((s01 < carry)? 1 : 0);
 
-  /* (S02, S01, S00) += (S1, S0)*2^4 */ 
+  /* (S02, S01, S00) += (S1, S0)*2^4 */
   carry = (s0 >> 28) + s01;
   s02 += (s1 >> 28) + ((carry < s01)? 1 : 0);
   s01 = (s1 << 4) + carry;

src/modp256r1.c

@@ -1,7 +1,8 @@
 /*
  * modp256r1.c -- modulo arithmetic for p256r1
  *
- * Copyright (C) 2011, 2013, 2014 Free Software Initiative of Japan
+ * Copyright (C) 2011, 2013, 2014, 2016, 2020
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -49,12 +50,12 @@ const bn256 p256r1 = { {0xffffffff, 0xffffffff, 0xffffffff, 0x00000000,
 /*
  * Implementation Note.
  *
- * It's not always modulo p256r1.  The representation is redundant
- * during computation.  For example, when we add the prime - 1 and 1,
- * it won't overflow to 2^256, and the result is represented within
- * 256-bit.
+ * It's always modulo p256r1.
+ *
+ * Once, I tried redundant representation which caused wrong
+ * calculation.  Implementation could be correct with redundant
+ * representation, but it found that it's more expensive.
  *
- * It is guaranteed that modp256r1_reduce reduces to modulo p256r1.
  */
 
 /**
@@ -63,14 +64,14 @@ const bn256 p256r1 = { {0xffffffff, 0xffffffff, 0xffffffff, 0x00000000,
 void
 modp256r1_add (bn256 *X, const bn256 *A, const bn256 *B)
 {
-  uint32_t carry;
+  uint32_t cond;
   bn256 tmp[1];
+  bn256 dummy[1];
 
-  carry = bn256_add (X, A, B);
-  if (carry)
-    bn256_sub (X, X, P256R1);
-  else
-    bn256_sub (tmp, X, P256R1);
+  cond = (bn256_add (X, A, B) == 0);
+  cond &= bn256_sub (tmp, X, P256R1);
+  memcpy (cond?dummy:X, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**
@@ -81,12 +82,12 @@ modp256r1_sub (bn256 *X, const bn256 *A, const bn256 *B)
 {
   uint32_t borrow;
   bn256 tmp[1];
+  bn256 dummy[1];
 
   borrow = bn256_sub (X, A, B);
-  if (borrow)
-    bn256_add (X, X, P256R1);
-  else
-    bn256_add (tmp, X, P256R1);
+  bn256_add (tmp, X, P256R1);
+  memcpy (borrow?X:dummy, tmp, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
 }
 
 /**
@@ -95,7 +96,8 @@ modp256r1_sub (bn256 *X, const bn256 *A, const bn256 *B)
 void
 modp256r1_reduce (bn256 *X, const bn512 *A)
 {
-  bn256 tmp[1];
+  bn256 tmp[1], tmp0[1];
+  bn256 dummy[1];
   uint32_t borrow;
 
 #define S1 X
@@ -116,6 +118,9 @@ modp256r1_reduce (bn256 *X, const bn512 *A)
   S1->word[2] = A->word[2];
   S1->word[1] = A->word[1];
   S1->word[0] = A->word[0];
+  borrow = bn256_sub (tmp0, S1, P256R1);
+  memcpy (borrow?dummy:S1, tmp0, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
   /* X = S1 */
 
   S2->word[7] = A->word[15];
@@ -155,6 +160,9 @@ modp256r1_reduce (bn256 *X, const bn512 *A)
   S5->word[2] = A->word[11];
   S5->word[1] = A->word[10];
   S5->word[0] = A->word[9];
+  borrow = bn256_sub (tmp0, S5, P256R1);
+  memcpy (borrow?dummy:S5, tmp0, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
   /* X += S5 */
   modp256r1_add (X, X, S5);
 
@@ -164,6 +172,9 @@ modp256r1_reduce (bn256 *X, const bn512 *A)
   S6->word[2] = A->word[13];
   S6->word[1] = A->word[12];
   S6->word[0] = A->word[11];
+  borrow = bn256_sub (tmp0, S6, P256R1);
+  memcpy (borrow?dummy:S6, tmp0, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
   /* X -= S6 */
   modp256r1_sub (X, X, S6);
 
@@ -174,6 +185,9 @@ modp256r1_reduce (bn256 *X, const bn512 *A)
   S7->word[2] = A->word[14];
   S7->word[1] = A->word[13];
   S7->word[0] = A->word[12];
+  borrow = bn256_sub (tmp0, S7, P256R1);
+  memcpy (borrow?dummy:S7, tmp0, sizeof (bn256));
+  asm ("" : "=m" (dummy) : "m" (dummy) : "memory");
   /* X -= S7 */
   modp256r1_sub (X, X, S7);
 

src/muladd_256.h

@@ -1,4 +1,4 @@
-#define MULADD_256(s_,d_,w_,c_)   do {                   \
+#define MULADD_256_ASM(s_,d_,w_,c_)                      \
  asm ( "ldmia  %[s]!, { r8, r9, r10 } \n\t"              \
        "ldmia  %[d], { r5, r6, r7 }   \n\t"              \
        "umull  r4, r8, %[w], r8       \n\t"              \
@@ -42,6 +42,9 @@
        : [s] "=&r" (s_), [d] "=&r" (d_), [c] "=&r" (c_)  \
        : "[s]" (s_), "[d]" (d_), [w] "r" (w_)            \
        : "r4", "r5", "r6", "r7", "r8", "r9", "r10",      \
-         "memory", "cc" );                               \
-  *d_ = c_;                                              \
+         "memory", "cc" )
+
+#define MULADD_256(s__,d__,w__,c__) do { \
+  MULADD_256_ASM(s__,d__,w__,c__);	 \
+  *d__ = c__;                            \
 } while (0)

src/neug.c

@@ -1,7 +1,8 @@
 /*
  * neug.c - true random number generation
  *
- * Copyright (C) 2011, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2011, 2012, 2013, 2016, 2017, 2018
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of NeuG, a True Random Number Generator
@@ -28,19 +29,136 @@
 
 #include "sys.h"
 #include "neug.h"
-#include "stm32f103.h"
+#ifndef GNU_LINUX_EMULATION
+#include "mcu/stm32f103.h"
+#endif
 #include "adc.h"
 #include "sha256.h"
 
+#ifdef GNU_LINUX_EMULATION
+static const uint32_t crc32_rv_table[256] = {
+  0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9, 0x130476dc, 0x17c56b6b,
+  0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6, 0x2b4bcb61,
+  0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd, 0x4c11db70, 0x48d0c6c7,
+  0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75,
+  0x6a1936c8, 0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3,
+  0x709f7b7a, 0x745e66cd, 0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039,
+  0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52, 0x8664e6e5, 0xbe2b5b58, 0xbaea46ef,
+  0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033, 0xa4ad16ea, 0xa06c0b5d,
+  0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c, 0xc3f706fb,
+  0xceb42022, 0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1,
+  0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077, 0x30476dc0,
+  0x3d044b19, 0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072,
+  0x128e9dcf, 0x164f8078, 0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4,
+  0x0808d07d, 0x0cc9cdca, 0x7897ab07, 0x7c56b6b0, 0x71159069, 0x75d48dde,
+  0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02, 0x5e9f46bf, 0x5a5e5b08,
+  0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d, 0x40d816ba,
+  0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc,
+  0xb6238b25, 0xb2e29692, 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6,
+  0x99a95df3, 0x9d684044, 0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050,
+  0xe9362689, 0xedf73b3e, 0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2,
+  0xc6bcf05f, 0xc27dede8, 0xcf3ecb31, 0xcbffd686, 0xd5b88683, 0xd1799b34,
+  0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59, 0x608edb80, 0x644fc637,
+  0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb, 0x4f040d56, 0x4bc510e1,
+  0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
+  0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5,
+  0x3f9b762c, 0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff,
+  0x1011a0fa, 0x14d0bd4d, 0x19939b94, 0x1d528623, 0xf12f560e, 0xf5ee4bb9,
+  0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2, 0xe6ea3d65, 0xeba91bbc, 0xef68060b,
+  0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f, 0xc423cd6a, 0xc0e2d0dd,
+  0xcda1f604, 0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610, 0xb07daba7,
+  0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6, 0x9ff77d71,
+  0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3,
+  0x5d8a9099, 0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2,
+  0x470cdd2b, 0x43cdc09c, 0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8,
+  0x68860bfd, 0x6c47164a, 0x61043093, 0x65c52d24, 0x119b4be9, 0x155a565e,
+  0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082, 0x0b1d065b, 0x0fdc1bec,
+  0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d, 0x2056cd3a,
+  0x2d15ebe3, 0x29d4f654, 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0,
+  0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676,
+  0xea23f0af, 0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4,
+  0x89b8fd09, 0x8d79e0be, 0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662,
+  0x933eb0bb, 0x97ffad0c, 0xafb010b1, 0xab710d06, 0xa6322bdf, 0xa2f33668,
+  0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4
+};
+
+static uint32_t crc;
+
+void
+crc32_rv_reset (void)
+{
+  crc = 0xffffffff;
+}
+
+void
+crc32_rv_step (uint32_t v)
+{
+  crc = crc32_rv_table[(crc ^ (v << 0))  >> 24] ^ (crc << 8);
+  crc = crc32_rv_table[(crc ^ (v << 8))  >> 24] ^ (crc << 8);
+  crc = crc32_rv_table[(crc ^ (v << 16)) >> 24] ^ (crc << 8);
+  crc = crc32_rv_table[(crc ^ (v << 24)) >> 24] ^ (crc << 8);
+}
+
+uint32_t
+crc32_rv_get (void)
+{
+  return crc;
+}
+
+uint32_t
+rbit (uint32_t v)
+{
+  v = ((v >> 1) & 0x55555555) | ((v & 0x55555555) << 1);
+  v = ((v >> 2) & 0x33333333) | ((v & 0x33333333) << 2);
+  v = ((v >> 4) & 0x0F0F0F0F) | ((v & 0x0F0F0F0F) << 4);
+  v = ((v >> 8) & 0x00FF00FF) | ((v & 0x00FF00FF) << 8);
+  v = ( v >> 16             ) | ( v               << 16);
+  return v;
+}
+
+void
+crc32_rv_stop (void)
+{
+}
+#else
+void
+crc32_rv_reset (void)
+{
+  RCC->AHBENR |= RCC_AHBENR_CRCEN;
+  CRC->CR = CRC_CR_RESET;
+}
+
+void
+crc32_rv_step (uint32_t v)
+{
+  CRC->DR = v;
+}
+
+uint32_t
+crc32_rv_get (void)
+{
+  return CRC->DR;
+}
+
+uint32_t
+rbit (uint32_t v)
+{
+  uint32_t r;
+
+  asm ("rbit	%0, %1" : "=r" (r) : "r" (v));
+  return r;
+}
+
+void
+crc32_rv_stop (void)
+{
+  RCC->AHBENR &= ~RCC_AHBENR_CRCEN;
+}
+#endif
+
 static chopstx_mutex_t mode_mtx;
 static chopstx_cond_t  mode_cond;
 
-/*
- * ADC finish interrupt
- */
-#define INTR_REQ_DMA1_Channel1 11
-
-
 static sha256_context sha256_ctx_data;
 static uint32_t sha256_output[SHA256_DIGEST_SIZE/sizeof (uint32_t)];
 
@@ -99,11 +217,11 @@ static void noise_source_continuous_test_word (uint8_t b0, uint8_t b1,
  *  Then, three-byte from noise source follows.
  *
  *  One-byte was used in the previous turn, and we have three bytes in
- *  CRC->DR.
+ *  CRC32.
  */
 static void ep_fill_initial_string (void)
 {
-  uint32_t v = CRC->DR;
+  uint32_t v = crc32_rv_get ();
   uint8_t b1, b2, b3;
 
   b3 = v >> 24;
@@ -169,11 +287,11 @@ static int ep_process (int mode)
       sha256_ctx_data.wbuf[1] = adc_buf[1];
       for (i = 0; i < EP_ROUND_0_INPUTS / 4; i++)
 	{
-	  CRC->DR = adc_buf[i*4 + 2];
-	  CRC->DR = adc_buf[i*4 + 3];
-	  CRC->DR = adc_buf[i*4 + 4];
-	  CRC->DR = adc_buf[i*4 + 5];
-	  v = CRC->DR;
+	  crc32_rv_step (adc_buf[i*4 + 2]);
+	  crc32_rv_step (adc_buf[i*4 + 3]);
+	  crc32_rv_step (adc_buf[i*4 + 4]);
+	  crc32_rv_step (adc_buf[i*4 + 5]);
+	  v = crc32_rv_get ();
 	  ep_fill_wbuf_v (i+2, 1, v);
 	}
 
@@ -186,11 +304,11 @@ static int ep_process (int mode)
     {
       for (i = 0; i < EP_ROUND_1_INPUTS / 4; i++)
 	{
-	  CRC->DR = adc_buf[i*4];
-	  CRC->DR = adc_buf[i*4 + 1];
-	  CRC->DR = adc_buf[i*4 + 2];
-	  CRC->DR = adc_buf[i*4 + 3];
-	  v = CRC->DR;
+	  crc32_rv_step (adc_buf[i*4]);
+	  crc32_rv_step (adc_buf[i*4 + 1]);
+	  crc32_rv_step (adc_buf[i*4 + 2]);
+	  crc32_rv_step (adc_buf[i*4 + 3]);
+	  v = crc32_rv_get ();
 	  ep_fill_wbuf_v (i, 1, v);
 	}
 
@@ -203,23 +321,23 @@ static int ep_process (int mode)
     {
       for (i = 0; i < EP_ROUND_2_INPUTS / 4; i++)
 	{
-	  CRC->DR = adc_buf[i*4];
-	  CRC->DR = adc_buf[i*4 + 1];
-	  CRC->DR = adc_buf[i*4 + 2];
-	  CRC->DR = adc_buf[i*4 + 3];
-	  v = CRC->DR;
+	  crc32_rv_step (adc_buf[i*4]);
+	  crc32_rv_step (adc_buf[i*4 + 1]);
+	  crc32_rv_step (adc_buf[i*4 + 2]);
+	  crc32_rv_step (adc_buf[i*4 + 3]);
+	  v = crc32_rv_get ();
 	  ep_fill_wbuf_v (i, 1, v);
 	}
 
-      CRC->DR = adc_buf[i*4];
-      CRC->DR = adc_buf[i*4 + 1];
-      CRC->DR = adc_buf[i*4 + 2];
-      CRC->DR = adc_buf[i*4 + 3];
-      v = CRC->DR & 0xff;
+      crc32_rv_step (adc_buf[i*4]);
+      crc32_rv_step (adc_buf[i*4 + 1]);
+      crc32_rv_step (adc_buf[i*4 + 2]);
+      crc32_rv_step (adc_buf[i*4 + 3]);
+      v = crc32_rv_get () & 0xff;   /* First byte of CRC32 is used here.  */
       noise_source_continuous_test (v);
       sha256_ctx_data.wbuf[i] = v;
       ep_init (NEUG_MODE_CONDITIONED); /* The rest three-byte of
-					  CRC->DR is used here.  */
+					  CRC32 is used here.  */
       n = SHA256_DIGEST_SIZE / 2;
       memcpy (((uint8_t *)sha256_ctx_data.wbuf) + EP_ROUND_2_INPUTS,
 	      sha256_output, n);
@@ -231,11 +349,11 @@ static int ep_process (int mode)
     {
       for (i = 0; i < EP_ROUND_RAW_INPUTS / 4; i++)
 	{
-	  CRC->DR = adc_buf[i*4];
-	  CRC->DR = adc_buf[i*4 + 1];
-	  CRC->DR = adc_buf[i*4 + 2];
-	  CRC->DR = adc_buf[i*4 + 3];
-	  v = CRC->DR;
+	  crc32_rv_step (adc_buf[i*4]);
+	  crc32_rv_step (adc_buf[i*4 + 1]);
+	  crc32_rv_step (adc_buf[i*4 + 2]);
+	  crc32_rv_step (adc_buf[i*4 + 3]);
+	  v = crc32_rv_get ();
 	  ep_fill_wbuf_v (i, 1, v);
 	}
 
@@ -280,8 +398,6 @@ uint16_t neug_rc_max;
 uint16_t neug_p64_max;
 uint16_t neug_p4k_max;
 
-#include "board.h"
-
 static void noise_source_cnt_max_reset (void)
 {
   neug_err_cnt = neug_err_cnt_rc = neug_err_cnt_p64 = neug_err_cnt_p4k = 0;
@@ -576,7 +692,6 @@ static void *
 rng (void *arg)
 {
   struct rng_rb *rb = (struct rng_rb *)arg;
-  chopstx_intr_t adc_intr;
   int mode = neug_mode;
 
   rng_should_terminate = 0;
@@ -585,7 +700,6 @@ rng (void *arg)
 
   /* Enable ADCs */
   adc_start ();
-  chopstx_claim_irq (&adc_intr, INTR_REQ_DMA1_Channel1);
 
   ep_init (mode);
   while (!rng_should_terminate)
@@ -593,7 +707,7 @@ rng (void *arg)
       int err;
       int n;
 
-      err = adc_wait_completion (&adc_intr);
+      err = adc_wait_completion ();
 
       chopstx_mutex_lock (&mode_mtx);
       if (err || mode != neug_mode)
@@ -643,16 +757,17 @@ rng (void *arg)
     }
 
   adc_stop ();
-  chopstx_release_irq (&adc_intr);
 
   return NULL;
 }
 
 static struct rng_rb the_ring_buffer;
 
-extern uint8_t __process2_stack_base__, __process2_stack_size__;
-const uint32_t __stackaddr_rng = (uint32_t)&__process2_stack_base__;
-const size_t __stacksize_rng = (size_t)&__process2_stack_size__;
+#define STACK_PROCESS_2
+#include "stack-def.h"
+#define STACK_ADDR_RNG ((uintptr_t)process2_base)
+#define STACK_SIZE_RNG (sizeof process2_base)
+
 #define PRIO_RNG 2
 
 /**
@@ -665,20 +780,19 @@ neug_init (uint32_t *buf, uint8_t size)
   struct rng_rb *rb = &the_ring_buffer;
   int i;
 
-  RCC->AHBENR |= RCC_AHBENR_CRCEN;
-  CRC->CR = CRC_CR_RESET;
+  crc32_rv_reset ();
 
   /*
    * This initialization ensures that it generates different sequence
    * even if all physical conditions are same.
    */
   for (i = 0; i < 3; i++)
-    CRC->DR = *u++;
+    crc32_rv_step (*u++);
 
   neug_mode = NEUG_MODE_CONDITIONED;
   rb_init (rb, buf, size);
 
-  rng_thread = chopstx_create (PRIO_RNG, __stackaddr_rng, __stacksize_rng,
+  rng_thread = chopstx_create (PRIO_RNG, STACK_ADDR_RNG, STACK_SIZE_RNG,
 			       rng, rb);
 }
 
@@ -791,6 +905,7 @@ neug_fini (void)
   rng_should_terminate = 1;
   neug_get (1);
   chopstx_join (rng_thread, NULL);
+  crc32_rv_stop ();
 }
 
 void

src/neug.h

@@ -3,9 +3,9 @@
 
 #define NEUG_PRE_LOOP 32
 
-#define NEUG_MODE_CONDITIONED 0
-#define NEUG_MODE_RAW         1
-#define NEUG_MODE_RAW_DATA    2
+#define NEUG_MODE_CONDITIONED 0	/* Conditioned data.             */
+#define NEUG_MODE_RAW         1	/* CRC-32 filtered sample data.  */
+#define NEUG_MODE_RAW_DATA    2	/* Sample data directly.         */
 
 extern uint8_t neug_mode;
 extern uint16_t neug_err_cnt;
@@ -26,3 +26,8 @@ void neug_fini (void);
 void neug_mode_select (uint8_t mode);
 
 int neug_consume_random (void (*proc) (uint32_t, int));
+
+void crc32_rv_reset (void);
+void crc32_rv_step (uint32_t v);
+uint32_t crc32_rv_get (void);
+uint32_t rbit (uint32_t v);

src/pin-cir.c

@@ -28,7 +28,7 @@
 #include "config.h"
 #include "board.h"
 #include "gnuk.h"
-#include "stm32f103.h"
+#include "mcu/stm32f103.h"
 
 #ifdef DEBUG
 #define DEBUG_CIR 1
@@ -40,21 +40,20 @@ cir_ext_disable (void)
   int rcvd = (EXTI->PR & EXTI_PR) != 0;
 
   EXTI->IMR &= ~EXTI_IMR;
-  EXTI->PR = EXTI_PR;
+  EXTI->PR |= EXTI_PR;
   return rcvd;
 }
 
 static void
 cir_ext_enable (void)
 {
-  EXTI->PR = EXTI_PR;
+  EXTI->PR |= EXTI_PR;
   EXTI->IMR |= EXTI_IMR;
 }
 
-
-static chopstx_t pin_thread;
-static uint32_t wait_usec;
-static uint8_t notification;
+static chopstx_mutex_t cir_input_mtx;
+static chopstx_cond_t cir_input_cnd;
+static int input_avail;
 
 uint8_t pin_input_buffer[MAX_PIN_CHARS];
 uint8_t pin_input_len;
@@ -500,9 +499,18 @@ hex (int x)
     return (x - 10) + 'a';
 }
 
+static int
+check_input (void *arg)
+{
+  (void)arg;
+  return input_avail;
+}
+
 static int
 cir_getchar (uint32_t timeout)
 {
+  chopstx_poll_cond_t poll_desc;
+  struct chx_poll_head *pd_array[1] = { (struct chx_poll_head *)&poll_desc };
   uint16_t cir_addr;
 #if defined(DEBUG_CIR)
   uint16_t *p;
@@ -514,10 +522,15 @@ cir_getchar (uint32_t timeout)
 
   cir_ll_init ();
 
-  notification = 0;
-  wait_usec = timeout;
-  chopstx_usec_wait_var (&wait_usec);
-  if (notification == 0)
+  poll_desc.type = CHOPSTX_POLL_COND;
+  poll_desc.ready = 0;
+  poll_desc.cond = &cir_input_cnd;
+  poll_desc.mutex = &cir_input_mtx;
+  poll_desc.check = check_input;
+  poll_desc.arg = NULL;
+
+  input_avail = 0;
+  if (chopstx_poll (&timeout, 1, pd_array) == 0)
     return -1;
 
   /* Sleep 200ms to avoid detecting chatter inputs.  */
@@ -631,13 +644,10 @@ cir_getchar (uint32_t timeout)
 int
 pinpad_getline (int msg_code, uint32_t timeout)
 {
-  extern chopstx_t openpgp_card_thd;
-
   (void)msg_code;
 
   DEBUG_INFO (">>>\r\n");
 
-  pin_thread = openpgp_card_thd;
   pin_input_len = 0;
   while (1)
     {
@@ -663,7 +673,6 @@ pinpad_getline (int msg_code, uint32_t timeout)
     }
 
   cir_ext_disable ();
-  pin_thread = NULL;
 
   return pin_input_len;
 }
@@ -932,13 +941,12 @@ cir_timer_interrupt (void)
 	    {
 	      /*
 	       * Notify the thread, when it's waiting the input.
-	       * If else, throw away the input.
+	       * If else, the input is thrown away.
 	       */
-	      if (pin_thread)
-		{
-		  notification = 1;
-		  chopstx_wakeup_usec_wait (pin_thread);
-		}
+	      chopstx_mutex_lock (&cir_input_mtx);
+	      input_avail = 1;
+	      chopstx_cond_signal (&cir_input_cnd);
+	      chopstx_mutex_unlock (&cir_input_mtx);
 	    }
 
 #if defined(DEBUG_CIR)
@@ -956,9 +964,14 @@ cir_timer_interrupt (void)
 }
 
 
-extern uint8_t __process6_stack_base__, __process6_stack_size__;
-const uint32_t __stackaddr_tim = (uint32_t)&__process6_stack_base__;
-const size_t __stacksize_tim = (size_t)&__process6_stack_size__;
+#define STACK_PROCESS_6
+#define STACK_PROCESS_7
+#include "stack-def.h"
+#define STACK_ADDR_TIM ((uintptr_t)process6_base)
+#define STACK_SIZE_TIM (sizeof process6_base)
+#define STACK_ADDR_EXT ((uintptr_t)process7_base)
+#define STACK_SIZE_EXT (sizeof process7_base)
+
 #define PRIO_TIM 4
 
 static void *
@@ -973,14 +986,13 @@ tim_main (void *arg)
     {
       chopstx_intr_wait (&interrupt);
       cir_timer_interrupt ();
+      chopstx_intr_done (&interrupt);
     }
 
   return NULL;
 }
 
-extern uint8_t __process7_stack_base__, __process7_stack_size__;
-const uint32_t __stackaddr_ext = (uint32_t)&__process7_stack_base__;
-const size_t __stacksize_ext = (size_t)&__process7_stack_size__;
+
 #define PRIO_EXT 4
 
 static void *
@@ -995,6 +1007,7 @@ ext_main (void *arg)
     {
       chopstx_intr_wait (&interrupt);
       cir_ext_interrupt ();
+      chopstx_intr_done (&interrupt);
     }
 
   return NULL;
@@ -1004,6 +1017,9 @@ ext_main (void *arg)
 void
 cir_init (void)
 {
+  chopstx_mutex_init (&cir_input_mtx);
+  chopstx_cond_init (&cir_input_cnd);
+
   /*
    * We use XOR function for three signals: TIMx_CH1, TIMx_CH2, and TIMx_CH3.
    *
@@ -1019,8 +1035,8 @@ cir_init (void)
 
   /* EXTIx <= Py */
   AFIO->EXTICR[AFIO_EXTICR_INDEX] = AFIO_EXTICR1_EXTIx_Py;
-  EXTI->IMR = 0;
-  EXTI->FTSR = EXTI_FTSR_TR;
+  EXTI->IMR &= ~EXTI_IMR;
+  EXTI->FTSR |= EXTI_FTSR_TR;
 
   /* TIM */
 #ifdef ENABLE_RCC_APB1
@@ -1044,8 +1060,8 @@ cir_init (void)
   TIMx->PSC = 72 - 1;		/* 1 MHz */
   TIMx->ARR = 18000;		/* 18 ms */
   /* Generate UEV to upload PSC and ARR */
-  TIMx->EGR = TIM_EGR_UG;	
+  TIMx->EGR = TIM_EGR_UG;
 
-  chopstx_create (PRIO_TIM, __stackaddr_tim, __stacksize_tim, tim_main, NULL);
-  chopstx_create (PRIO_EXT, __stackaddr_ext, __stacksize_ext, ext_main, NULL);
+  chopstx_create (PRIO_TIM, STACK_ADDR_TIM, STACK_SIZE_TIM, tim_main, NULL);
+  chopstx_create (PRIO_EXT, STACK_ADDR_EXT, STACK_SIZE_EXT, ext_main, NULL);
 }

src/random.c

@@ -1,7 +1,8 @@
 /*
  * random.c -- get random bytes
  *
- * Copyright (C) 2010, 2011, 2012, 2013 Free Software Initiative of Japan
+ * Copyright (C) 2010, 2011, 2012, 2013, 2015
+ *               Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
  *
  * This file is a part of Gnuk, a GnuPG USB Token implementation.
@@ -24,8 +25,6 @@
 #include <stdint.h>
 #include <string.h>
 
-#include "config.h"
-
 #include "gnuk.h"
 #include "neug.h"
 
@@ -85,7 +84,6 @@ random_get_salt (uint8_t *p)
 }
 
 
-#ifdef KEYGEN_SUPPORT
 /*
  * Random byte iterator
  */
@@ -120,4 +118,3 @@ random_gen (void *arg, unsigned char *out, size_t out_len)
 
   return 0;
 }
-#endif

src/sha256.c

@@ -47,7 +47,6 @@
 
 #include <string.h>
 #include <stdint.h>
-#include <stdlib.h>
 #include "sha256.h"
 
 #define SHA256_MASK (SHA256_BLOCK_SIZE - 1)

src/sha512.c

@@ -1,7 +1,7 @@
 /*
  * sha512.c -- Compute SHA-512 hash (for little endian architecture).
  *
- * This module is written by gniibe, following the API of sha256.c. 
+ * This module is written by gniibe, following the API of sha256.c.
  *
  * Copyright (C) 2014 Free Software Initiative of Japan
  * Author: NIIBE Yutaka <gniibe@fsij.org>
@@ -32,7 +32,6 @@
 
 #include <string.h>
 #include <stdint.h>
-#include <stdlib.h>
 #include "sha512.h"
 
 #define SHA512_MASK (SHA512_BLOCK_SIZE - 1)

src/stack-def.h

@@ -0,0 +1,65 @@
+#ifdef GNU_LINUX_EMULATION
+#define SIZE_1 4096
+#define SIZE_2 4096
+#define SIZE_3 (5 * 4096)
+#else
+#define SIZE_0 0x0160 /* Main         */
+#define SIZE_1 0x01a0 /* CCID         */
+#define SIZE_2 0x0180 /* RNG          */
+#if MEMORY_SIZE >= 32
+#define SIZE_3 0x4640 /* openpgp-card */
+#elif MEMORY_SIZE >= 24
+#define SIZE_3 0x2640 /* openpgp-card */
+#else
+#define SIZE_3 0x1640 /* openpgp-card */
+#endif
+#define SIZE_4 0x0000 /* ---          */
+#define SIZE_5 0x0200 /* msc          */
+#define SIZE_6 0x00c0 /* timer (cir)  */
+#define SIZE_7 0x00c0 /* ext   (cir)  */
+#endif
+
+#if defined(STACK_MAIN) && !defined(GNU_LINUX_EMULATION) 
+/* Idle+Exception handlers */
+char __main_stack_end__[0] __attribute__ ((section(".main_stack")));
+char main_base[0x0080] __attribute__ ((section(".main_stack")));
+
+/* Main program            */
+char __process0_stack_end__[0] __attribute__ ((section(".process_stack.0")));
+char process0_base[SIZE_0] __attribute__ ((section(".process_stack.0")));
+#endif
+
+/* First thread program    */
+#if defined(STACK_PROCESS_1)
+char process1_base[SIZE_1] __attribute__ ((section(".process_stack.1"))); 
+#endif
+
+/* Second thread program   */
+#if defined(STACK_PROCESS_2)
+char process2_base[SIZE_2] __attribute__ ((section(".process_stack.2")));
+#endif
+
+/* Third thread program    */
+#if defined(STACK_PROCESS_3)
+char process3_base[SIZE_3] __attribute__ ((section(".process_stack.3")));
+#endif
+
+/* Fourth thread program    */
+#if defined(STACK_PROCESS_4)
+char process4_base[SIZE_4] __attribute__ ((section(".process_stack.4")));
+#endif
+
+/* Fifth thread program    */
+#if defined(STACK_PROCESS_5)
+char process5_base[SIZE_5] __attribute__ ((section(".process_stack.5")));
+#endif
+
+/* Sixth thread program    */
+#if defined(STACK_PROCESS_6)
+char process6_base[SIZE_6] __attribute__ ((section(".process_stack.6")));
+#endif
+
+/* Seventh thread program    */
+#if defined(STACK_PROCESS_7)
+char process7_base[SIZE_7] __attribute__ ((section(".process_stack.7")));
+#endif

src/status-code.h

@@ -1,4 +1,6 @@
+#define GPG_APPLICATION_TERMINATED()	set_res_sw (0x62, 0x85)
 #define GPG_MEMORY_FAILURE()		set_res_sw (0x65, 0x81)
+#define GPG_WRONG_LENGTH()		set_res_sw (0x67, 0x00)
 #define GPG_SECURITY_FAILURE()		set_res_sw (0x69, 0x82)
 #define GPG_SECURITY_AUTH_BLOCKED()	set_res_sw (0x69, 0x83)
 #define GPG_CONDITION_NOT_SATISFIED()	set_res_sw (0x69, 0x85)