Commit 1a85646b authored by Niels Möller's avatar Niels Möller

Reorganize eddsa, based on patch by Daiki Ueno.

* eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
parameters.
* ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
* eddsa-expand.c (_eddsa_expand_key): Replace input
struct nettle_hash with struct ecc_eddsa, and generalize for
ed448. Update all callers.
* eddsa-sign.c (_eddsa_sign): Likewise.
* eddsa-verify.c (_eddsa_verify): Likewise.
* eddsa-compress.c (_eddsa_compress): Store sign bit in most
significant bit of last byte, as specified by RFC 8032.
* eddsa-decompress.c (_eddsa_decompress): Corresponding update.
Also generalize to support ed448, and make validity checks
stricter.
* testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
(test_main): Use it.
* testsuite/eddsa-verify-test.c (test_ed25519): New function.
(test_main): Use it.
parent d1d7d737
2019-12-30 Niels Möller <nisse@lysator.liu.se>
Preparation for ed448, based on patch by Daiki Ueno.
* eddsa-internal.h (struct ecc_eddsa): New struct for eddsa
parameters.
* ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct.
* eddsa-expand.c (_eddsa_expand_key): Replace input
struct nettle_hash with struct ecc_eddsa, and generalize for
ed448. Update all callers.
* eddsa-sign.c (_eddsa_sign): Likewise.
* eddsa-verify.c (_eddsa_verify): Likewise.
* eddsa-compress.c (_eddsa_compress): Store sign bit in most
significant bit of last byte, as specified by RFC 8032.
* eddsa-decompress.c (_eddsa_decompress): Corresponding update.
Also generalize to support ed448, and make validity checks
stricter.
* testsuite/eddsa-sign-test.c (test_ed25519_sign): New function.
(test_main): Use it.
* testsuite/eddsa-verify-test.c (test_ed25519): New function.
(test_main): Use it.
2019-12-28 Niels Möller <nisse@lysator.liu.se> 2019-12-28 Niels Möller <nisse@lysator.liu.se>
* bignum.h: Drop unreleted include of nettle-meta.h. * bignum.h: Drop unreleted include of nettle-meta.h.
......
...@@ -191,7 +191,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \ ...@@ -191,7 +191,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \
eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \
eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \
ed25519-sha512-pubkey.c \ ed25519-sha512.c ed25519-sha512-pubkey.c \
ed25519-sha512-sign.c ed25519-sha512-verify.c ed25519-sha512-sign.c ed25519-sha512-verify.c
OPT_SOURCES = fat-x86_64.c fat-arm.c mini-gmp.c OPT_SOURCES = fat-x86_64.c fat-arm.c mini-gmp.c
......
...@@ -50,8 +50,8 @@ ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv) ...@@ -50,8 +50,8 @@ ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv)
#define k scratch #define k scratch
#define scratch_out (scratch + ecc->q.size) #define scratch_out (scratch + ecc->q.size)
sha512_init (&ctx);
_eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k);
_eddsa_public_key (ecc, k, pub, scratch_out); _eddsa_public_key (ecc, k, pub, scratch_out);
gmp_free_limbs (scratch, itch); gmp_free_limbs (scratch, itch);
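Review bot: The scratch area that `k` aliases receives the secret scalar from `_eddsa_expand_key`, and it is passed to `gmp_free_limbs (scratch, itch)` directly after `_eddsa_public_key` without being cleared. This is not introduced by the change, but the call site is being touched, so it is a good moment to decide whether key material should be wiped before release. Either way the decision should be recorded above the free, for example `/* NOTE: scratch holds the secret scalar and is freed without being cleared. */`. The function body starts and ends outside the hunk, so how `digest` is handled afterwards cannot be judged from here.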
......
...@@ -53,11 +53,11 @@ ed25519_sha512_sign (const uint8_t *pub, ...@@ -53,11 +53,11 @@ ed25519_sha512_sign (const uint8_t *pub,
struct sha512_ctx ctx; struct sha512_ctx ctx;
uint8_t digest[SHA512_DIGEST_SIZE]; uint8_t digest[SHA512_DIGEST_SIZE];
#define k1 (digest + ED25519_KEY_SIZE) #define k1 (digest + ED25519_KEY_SIZE)
sha512_init (&ctx);
_eddsa_expand_key (ecc, &nettle_sha512, &ctx, priv, digest, k2); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k2);
sha512_update (&ctx, ED25519_KEY_SIZE, k1); sha512_update (&ctx, ED25519_KEY_SIZE, k1);
_eddsa_sign (ecc, &nettle_sha512, pub, _eddsa_sign (ecc, &_nettle_ed25519_sha512, pub,
&ctx, &ctx,
k2, length, msg, signature, scratch_out); k2, length, msg, signature, scratch_out);
......
...@@ -53,9 +53,11 @@ ed25519_sha512_verify (const uint8_t *pub, ...@@ -53,9 +53,11 @@ ed25519_sha512_verify (const uint8_t *pub,
int res; int res;
#define A scratch #define A scratch
#define scratch_out (scratch + 3*ecc->p.size) #define scratch_out (scratch + 3*ecc->p.size)
sha512_init (&ctx);
res = (_eddsa_decompress (ecc, res = (_eddsa_decompress (ecc,
A, pub, scratch_out) A, pub, scratch_out)
&& _eddsa_verify (ecc, &nettle_sha512, && _eddsa_verify (ecc, &_nettle_ed25519_sha512,
pub, A, &ctx, pub, A, &ctx,
length, msg, signature, length, msg, signature,
scratch_out)); scratch_out));
......
/* ed25519-sha512.c
Copyright (C) 2019 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include "eddsa-internal.h"
#include "nettle-types.h"
#include "sha2.h"
const struct ecc_eddsa _nettle_ed25519_sha512 =
{
(nettle_hash_update_func *) sha512_update,
(nettle_hash_digest_func *) sha512_digest,
~(mp_limb_t) 7,
(mp_limb_t) 1 << (254 % GMP_NUMB_BITS),
};
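Review bot: The initializer of `_nettle_ed25519_sha512` is positional, and its last two members (`low_mask`, `high_bit`) share the type `mp_limb_t`, so swapping them would compile without a diagnostic and silently change how the secret scalar is clamped. If the project's C dialect permits it, designated initializers make the pairing explicit: `.low_mask = ~(mp_limb_t) 7,` and `.high_bit = (mp_limb_t) 1 << (254 % GMP_NUMB_BITS),`. A short comment on each value would also help the next reader, for example `/* clear the low 3 bits */` and `/* bit 254, located in the most significant limb */`.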
...@@ -53,11 +53,11 @@ _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, ...@@ -53,11 +53,11 @@ _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p,
#define yp (scratch + ecc->p.size) #define yp (scratch + ecc->p.size)
#define scratch_out (scratch + 2*ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size)
size_t nbytes = 1 + ecc->p.bit_size / 8;
ecc->h_to_a (ecc, 0, xp, p, scratch_out); ecc->h_to_a (ecc, 0, xp, p, scratch_out);
/* Encoding is the y coordinate and an appended "sign" bit, which is /* Encoding is the y coordinate and an appended "sign" bit, which is
the low bit of x. Bit order is not specified explicitly, but for the low bit of x. The sign bit is stored as the most significant
little-endian encoding, it makes most sense to append the bit bit of the last byte. */
after the most significant bit of y. */ mpn_get_base256_le (r, nbytes, yp, ecc->p.size);
mpn_get_base256_le (r, 1 + ecc->p.bit_size / 8, yp, ecc->p.size); r[nbytes - 1] += (xp[0] & 1) << 7;
r[ecc->p.bit_size / 8] += (xp[0] & 1) << (ecc->p.bit_size & 7);
} }
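Review bot: `r[nbytes - 1] += (xp[0] & 1) << 7;` sets the sign bit by addition, which is only correct while bit 7 of the last byte is zero after `mpn_get_base256_le`. That presumably holds because the y coordinate is fully reduced, but nothing in the visible code states it. Writing the line as `r[nbytes - 1] |= (xp[0] & 1) << 7;` expresses the intent and cannot wrap the byte if the assumption is ever violated. The function body starts outside the hunk.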
...@@ -33,6 +33,8 @@ ...@@ -33,6 +33,8 @@
# include "config.h" # include "config.h"
#endif #endif
#include <assert.h>
#include "eddsa.h" #include "eddsa.h"
#include "eddsa-internal.h" #include "eddsa-internal.h"
...@@ -51,6 +53,8 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, ...@@ -51,6 +53,8 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p,
mp_limb_t *scratch) mp_limb_t *scratch)
{ {
mp_limb_t sign, cy; mp_limb_t sign, cy;
mp_size_t nlimbs;
size_t nbytes;
int res; int res;
#define xp p #define xp p
...@@ -62,23 +66,46 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, ...@@ -62,23 +66,46 @@ _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p,
#define tp (scratch + 2*ecc->p.size) #define tp (scratch + 2*ecc->p.size)
#define scratch_out (scratch + 4*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size)
sign = cp[ecc->p.bit_size / 8] >> (ecc->p.bit_size & 7); nbytes = 1 + ecc->p.bit_size / 8;
if (sign > 1) /* By RFC 8032, sign bit is always the most significant bit of the
return 0; last byte. */
mpn_set_base256_le (yp, ecc->p.size, cp, 1 + ecc->p.bit_size / 8); sign = cp[nbytes-1] >> 7;
/* Clear out the sign bit (if it fits) */
yp[ecc->p.size - 1] &= ~(mp_limb_t) 0 /* May need an extra limb. */
>> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); nlimbs = (nbytes * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS;
assert (nlimbs <= ecc->p.size + 1);
mpn_set_base256_le (scratch, nlimbs, cp, nbytes);
/* Clear out the sign bit */
scratch[nlimbs - 1] &=
((mp_limb_t) 1 << ((nbytes * 8 - 1) % GMP_NUMB_BITS)) - 1;
mpn_copyi (yp, scratch, ecc->p.size);
/* Check range. */
if (nlimbs > ecc->p.size)
res = (scratch[nlimbs - 1] == 0);
else
res = 1;
/* For a valid input, y < p, so subtraction should underflow. */
res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size);
ecc_modp_sqr (ecc, y2, yp); ecc_modp_sqr (ecc, y2, yp);
ecc_modp_mul (ecc, vp, y2, ecc->b); ecc_modp_mul (ecc, vp, y2, ecc->b);
ecc_modp_sub (ecc, vp, vp, ecc->unit); ecc_modp_sub (ecc, vp, vp, ecc->unit);
ecc_modp_sub (ecc, up, ecc->unit, y2); /* The sign is different between curve25519 and curve448. */
res = ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out); if (ecc->p.bit_size == 255)
ecc_modp_sub (ecc, up, ecc->unit, y2);
else
ecc_modp_sub (ecc, up, y2, ecc->unit);
res &= ecc->p.sqrt (&ecc->p, tp, up, vp, scratch_out);
cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size);
cnd_copy (cy, xp, tp, ecc->p.size); cnd_copy (cy, xp, tp, ecc->p.size);
sign ^= xp[0] & 1; sign ^= xp[0] & 1;
mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size);
cnd_copy (sign, xp, tp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size);
/* Fails if the square root is zero but (original) sign was 1 */
res &= mpn_sub_n (tp, xp, ecc->p.m, ecc->p.size);
return res; return res;
} }
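Review bot: The branch `if (ecc->p.bit_size == 255)` chooses the form of the curve equation by comparing the field size with a magic number, so every curve that is not curve25519 silently takes the curve448 form in the `else` arm. Point decompression is part of public-key validation, so an unexpected curve should fail loudly rather than compute with the wrong sign. The `else` arm could be made explicit with `else { assert (ecc->p.bit_size == 448); ecc_modp_sub (ecc, up, y2, ecc->unit); }`. A longer-term option is to carry the choice in the curve or `struct ecc_eddsa` parameters instead of inferring it from `bit_size`. The comment "The sign is different between curve25519 and curve448" would be clearer if it said which term of the equation changes sign.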
...@@ -41,13 +41,12 @@ ...@@ -41,13 +41,12 @@
#include "ecc.h" #include "ecc.h"
#include "ecc-internal.h" #include "ecc-internal.h"
#include "nettle-meta.h"
/* Expands a private key, generating the secret scalar K2 and leaving /* Expands a private key, generating the secret scalar K2 and leaving
the key K1 for nonce generation, at the end of the digest. */ the key K1 for nonce generation, at the end of the digest. */
void void
_eddsa_expand_key (const struct ecc_curve *ecc, _eddsa_expand_key (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
void *ctx, void *ctx,
const uint8_t *key, const uint8_t *key,
uint8_t *digest, uint8_t *digest,
...@@ -55,19 +54,19 @@ _eddsa_expand_key (const struct ecc_curve *ecc, ...@@ -55,19 +54,19 @@ _eddsa_expand_key (const struct ecc_curve *ecc,
{ {
size_t nbytes = 1 + ecc->p.bit_size / 8; size_t nbytes = 1 + ecc->p.bit_size / 8;
assert (H->digest_size >= 2*nbytes); eddsa->update (ctx, nbytes, key);
eddsa->digest (ctx, 2*nbytes, digest);
H->init (ctx);
H->update (ctx, nbytes, key); /* For ed448, ignores the most significant byte. */
H->digest (ctx, 2*nbytes, digest); mpn_set_base256_le (k2, ecc->p.size, digest, (ecc->p.bit_size + 7) / 8);
mpn_set_base256_le (k2, ecc->p.size, digest, nbytes); /* Clear low c bits */
/* Clear low 3 bits */ k2[0] &= eddsa->low_mask;
k2[0] &= ~(mp_limb_t) 7;
/* Set bit number bit_size - 1 (bit 254 for curve25519) */ /* Clear higher bits. */
k2[(ecc->p.bit_size - 1) / GMP_NUMB_BITS] k2[ecc->p.size - 1] &= eddsa->high_bit - 1;
|= (mp_limb_t) 1 << ((ecc->p.bit_size - 1) % GMP_NUMB_BITS);
/* Clear any higher bits. */ /* Set bit number bit_size - 1 (bit 254 for curve25519, bit 447 for
k2[ecc->p.size - 1] &= ~(mp_limb_t) 0 curve448) */
>> (GMP_NUMB_BITS * ecc->p.size - ecc->p.bit_size); k2[ecc->p.size - 1] |= eddsa->high_bit;
} }
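Review bot: `_eddsa_expand_key` no longer calls `H->init (ctx)` and no longer asserts `H->digest_size >= 2*nbytes`. It therefore depends on the caller passing a freshly initialised context and on `eddsa->digest` being able to produce `2*nbytes` bytes, and neither requirement is written down. The comment above the function should state both, for example `/* CTX must be initialized by the caller; the hash must yield at least 2*nbytes bytes of output. */`. `struct ecc_eddsa` carries no digest size, so the dropped assert cannot simply be restored; if the check is wanted, it needs a size member or a check where each parameter struct is defined. The same implicit contract applies to `_eddsa_sign` (assert dropped) and `_eddsa_verify` (`H->init` dropped) in the later sections.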
...@@ -33,7 +33,7 @@ ...@@ -33,7 +33,7 @@
#define NETTLE_EDDSA_INTERNAL_H #define NETTLE_EDDSA_INTERNAL_H
#include "nettle-types.h" #include "nettle-types.h"
#include "nettle-meta.h" #include "bignum.h"
#define _eddsa_compress _nettle_eddsa_compress #define _eddsa_compress _nettle_eddsa_compress
#define _eddsa_compress_itch _nettle_eddsa_compress_itch #define _eddsa_compress_itch _nettle_eddsa_compress_itch
...@@ -53,6 +53,18 @@ ...@@ -53,6 +53,18 @@
struct ecc_curve; struct ecc_curve;
struct ecc_modulo; struct ecc_modulo;
struct ecc_eddsa
{
/* Hash function to use */
nettle_hash_update_func *update;
nettle_hash_digest_func *digest;
/* For generating the secret scalar */
mp_limb_t low_mask;
mp_limb_t high_bit;
};
extern const struct ecc_eddsa _nettle_ed25519_sha512;
mp_size_t mp_size_t
_eddsa_compress_itch (const struct ecc_curve *ecc); _eddsa_compress_itch (const struct ecc_curve *ecc);
void void
...@@ -75,7 +87,7 @@ _eddsa_sign_itch (const struct ecc_curve *ecc); ...@@ -75,7 +87,7 @@ _eddsa_sign_itch (const struct ecc_curve *ecc);
void void
_eddsa_sign (const struct ecc_curve *ecc, _eddsa_sign (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
const uint8_t *pub, const uint8_t *pub,
void *ctx, void *ctx,
const mp_limb_t *k2, const mp_limb_t *k2,
...@@ -89,7 +101,7 @@ _eddsa_verify_itch (const struct ecc_curve *ecc); ...@@ -89,7 +101,7 @@ _eddsa_verify_itch (const struct ecc_curve *ecc);
int int
_eddsa_verify (const struct ecc_curve *ecc, _eddsa_verify (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
const uint8_t *pub, const uint8_t *pub,
const mp_limb_t *A, const mp_limb_t *A,
void *ctx, void *ctx,
...@@ -100,7 +112,7 @@ _eddsa_verify (const struct ecc_curve *ecc, ...@@ -100,7 +112,7 @@ _eddsa_verify (const struct ecc_curve *ecc,
void void
_eddsa_expand_key (const struct ecc_curve *ecc, _eddsa_expand_key (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
void *ctx, void *ctx,
const uint8_t *key, const uint8_t *key,
uint8_t *digest, uint8_t *digest,
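Review bot: The mask members of `struct ecc_eddsa` are documented only as "For generating the secret scalar", which does not say which limb each one applies to. From its use in `_eddsa_expand_key`, `low_mask` is ANDed into the least significant limb. `high_bit` is a single-bit mask inside the most significant limb (`k2[ecc->p.size - 1]`), where `high_bit - 1` first clears that bit and everything above it. A per-member comment such as `/* Single-bit mask within limb p.size - 1; higher bits are cleared. */` would make that constraint visible to whoever adds the next parameter set. The hash members deserve a note that `update` and `digest` are invoked on a context the caller has already initialised.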
......
...@@ -50,7 +50,7 @@ _eddsa_sign_itch (const struct ecc_curve *ecc) ...@@ -50,7 +50,7 @@ _eddsa_sign_itch (const struct ecc_curve *ecc)
void void
_eddsa_sign (const struct ecc_curve *ecc, _eddsa_sign (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
const uint8_t *pub, const uint8_t *pub,
void *ctx, void *ctx,
const mp_limb_t *k2, const mp_limb_t *k2,
...@@ -71,18 +71,16 @@ _eddsa_sign (const struct ecc_curve *ecc, ...@@ -71,18 +71,16 @@ _eddsa_sign (const struct ecc_curve *ecc,
size = ecc->p.size; size = ecc->p.size;
nbytes = 1 + ecc->p.bit_size / 8; nbytes = 1 + ecc->p.bit_size / 8;
assert (H->digest_size >= 2 * nbytes); eddsa->update (ctx, length, msg);
eddsa->digest (ctx, 2*nbytes, hash);
H->update (ctx, length, msg);
H->digest (ctx, 2*nbytes, hash);
_eddsa_hash (&ecc->q, rp, hash); _eddsa_hash (&ecc->q, rp, hash);
ecc->mul_g (ecc, P, rp, scratch_out); ecc->mul_g (ecc, P, rp, scratch_out);
_eddsa_compress (ecc, signature, P, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out);
H->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, signature);
H->update (ctx, nbytes, pub); eddsa->update (ctx, nbytes, pub);
H->update (ctx, length, msg); eddsa->update (ctx, length, msg);
H->digest (ctx, 2*nbytes, hash); eddsa->digest (ctx, 2*nbytes, hash);
_eddsa_hash (&ecc->q, hp, hash); _eddsa_hash (&ecc->q, hp, hash);
ecc_modq_mul (ecc, sp, hp, k2); ecc_modq_mul (ecc, sp, hp, k2);
......
...@@ -70,12 +70,13 @@ equal_h (const struct ecc_modulo *p, ...@@ -70,12 +70,13 @@ equal_h (const struct ecc_modulo *p,
mp_size_t mp_size_t
_eddsa_verify_itch (const struct ecc_curve *ecc) _eddsa_verify_itch (const struct ecc_curve *ecc)
{ {
assert (_eddsa_decompress_itch (ecc) <= ecc->mul_itch);
return 8*ecc->p.size + ecc->mul_itch; return 8*ecc->p.size + ecc->mul_itch;
} }
int int
_eddsa_verify (const struct ecc_curve *ecc, _eddsa_verify (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
const uint8_t *pub, const uint8_t *pub,
const mp_limb_t *A, const mp_limb_t *A,
void *ctx, void *ctx,
...@@ -105,11 +106,10 @@ _eddsa_verify (const struct ecc_curve *ecc, ...@@ -105,11 +106,10 @@ _eddsa_verify (const struct ecc_curve *ecc,
if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0)
return 0; return 0;
H->init (ctx); eddsa->update (ctx, nbytes, signature);
H->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, pub);
H->update (ctx, nbytes, pub); eddsa->update (ctx, length, msg);
H->update (ctx, length, msg); eddsa->digest (ctx, 2*nbytes, hash);
H->digest (ctx, 2*nbytes, hash);
_eddsa_hash (&ecc->q, hp, hash); _eddsa_hash (&ecc->q, hp, hash);
/* Compute h A + R - s G, which should be the neutral point */ /* Compute h A + R - s G, which should be the neutral point */
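Review bot: The new `assert (_eddsa_decompress_itch (ecc) <= ecc->mul_itch);` in `_eddsa_verify_itch` has no comment explaining why the verify scratch size must cover decompression. Presumably this is because callers such as `ed25519_sha512_verify` pass the same `scratch_out` region to both `_eddsa_decompress` and `_eddsa_verify`. A line such as `/* Callers also run _eddsa_decompress in this scratch area. */` would record that. Since an assert is compiled out under `NDEBUG`, it is also worth considering whether the returned size should take the larger of the two requirements instead of asserting the relation. The body of `_eddsa_verify` continues outside the hunk.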
......
...@@ -36,7 +36,8 @@ ...@@ -36,7 +36,8 @@
static void static void
test_eddsa_sign (const struct ecc_curve *ecc, test_eddsa_sign (const struct ecc_curve *ecc,
const struct nettle_hash *H, const struct ecc_eddsa *eddsa,
void *ctx,
const struct tstring *public, const struct tstring *public,
const struct tstring *private, const struct tstring *private,
const struct tstring *msg, const struct tstring *msg,
...@@ -45,7 +46,6 @@ test_eddsa_sign (const struct ecc_curve *ecc, ...@@ -45,7 +46,6 @@ test_eddsa_sign (const struct ecc_curve *ecc,
mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc));
size_t nbytes = 1 + ecc->p.bit_size / 8; size_t nbytes = 1 + ecc->p.bit_size / 8;
uint8_t *signature = xalloc (2*nbytes); uint8_t *signature = xalloc (2*nbytes);
void *ctx = xalloc (H->context_size);
uint8_t *public_out = xalloc (nbytes); uint8_t *public_out = xalloc (nbytes);
uint8_t *digest = xalloc (2*nbytes); uint8_t *digest = xalloc (2*nbytes);
const uint8_t *k1 = digest + nbytes; const uint8_t *k1 = digest + nbytes;
...@@ -55,7 +55,7 @@ test_eddsa_sign (const struct ecc_curve *ecc, ...@@ -55,7 +55,7 @@ test_eddsa_sign (const struct ecc_curve *ecc,
ASSERT (private->length == nbytes); ASSERT (private->length == nbytes);
ASSERT (ref->length == 2*nbytes); ASSERT (ref->length == 2*nbytes);
_eddsa_expand_key (ecc, H, ctx, private->data, _eddsa_expand_key (ecc, eddsa, ctx, private->data,
digest, k2); digest, k2);
_eddsa_public_key (ecc, k2, public_out, scratch); _eddsa_public_key (ecc, k2, public_out, scratch);
...@@ -69,9 +69,9 @@ test_eddsa_sign (const struct ecc_curve *ecc, ...@@ -69,9 +69,9 @@ test_eddsa_sign (const struct ecc_curve *ecc,
fprintf (stderr, "\n"); fprintf (stderr, "\n");
abort (); abort ();
} }
H->update (ctx, nbytes, k1); eddsa->update (ctx, nbytes, k1);
_eddsa_sign (ecc, H, public->data, ctx, k2, _eddsa_sign (ecc, eddsa, public->data, ctx, k2,
msg->length, msg->data, signature, scratch); msg->length, msg->data, signature, scratch);
if (!MEMEQ (2*nbytes, signature, ref->data)) if (!MEMEQ (2*nbytes, signature, ref->data))
...@@ -95,50 +95,60 @@ test_eddsa_sign (const struct ecc_curve *ecc, ...@@ -95,50 +95,60 @@ test_eddsa_sign (const struct ecc_curve *ecc,
free (scratch); free (scratch);
free (signature); free (signature);
free (ctx);
free (digest); free (digest);
free (k2); free (k2);
free (public_out); free (public_out);
} }
void test_main (void) static void
test_ed25519_sign (const struct tstring *public,
const struct tstring *private,
const struct tstring *msg,
const struct tstring *ref)
{
struct sha512_ctx ctx;
sha512_init (&ctx);
test_eddsa_sign (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx,
public, private, msg, ref);
}
void
test_main (void)
{ {
/* Based on a few of the test vectors at /* Based on a few of the test vectors at
http://ed25519.cr.yp.to/python/sign.input */ http://ed25519.cr.yp.to/python/sign.input */
test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, test_ed25519_sign (SHEX("d75a980182b10ab7 d54bfed3c964073a"
SHEX("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"),
"0ee172f3daa62325 af021a68f707511a"), SHEX("9d61b19deffd5a60 ba844af492ec2cc4"
SHEX("9d61b19deffd5a60 ba844af492ec2cc4" "4449c5697b326919 703bac031cae7f60"),
"4449c5697b326919 703bac031cae7f60"), SHEX(""),
SHEX(""), SHEX("e5564300c360ac72 9086e2cc806e828a"
SHEX("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155"
"84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b"
"5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b"));
"d25bf5f0595bbe24 655141438e7a100b")); test_ed25519_sign (SHEX("3d4017c3e843895a 92b70aa74d1b7ebc"
test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, "9c982ccf2ec4968c c0cd55f12af4660c"),
SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" SHEX("4ccd089b28ff96da 9db6c346ec114e0f"
"9c982ccf2ec4968c c0cd55f12af4660c"), "5b8a319f35aba624 da8cf6ed4fb8a6fb"),
SHEX("4ccd089b28ff96da 9db6c346ec114e0f" SHEX("72"),
"5b8a319f35aba624 da8cf6ed4fb8a6fb"), SHEX("92a009a9f0d4cab8 720e820b5f642540"
SHEX("72"), "a2b27b5416503f8f b3762223ebdb69da"
SHEX("92a009a9f0d4cab8 720e820b5f642540" "085ac1e43e15996e 458f3613d0f11d8c"
"a2b27b5416503f8f b3762223ebdb69da" "387b2eaeb4302aee b00d291612bb0c00"));
"085ac1e43e15996e 458f3613d0f11d8c" test_ed25519_sign (SHEX("1ed506485b09a645 0be7c9337d9fe87e"
"387b2eaeb4302aee b00d291612bb0c00")); "f99c96f8bd11cd63 1ca160d0fd73067e"),
test_eddsa_sign (&_nettle_curve25519, &nettle_sha512, SHEX("f215d34fe2d757cf f9cf5c05430994de"
SHEX("1ed506485b09a645 0be7c9337d9fe87e" "587987ce45cb0459 f61ec6c825c62259"),
"f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("fbed2a7df418ec0e 8036312ec239fcee"
SHEX("f215d34fe2d757cf f9cf5c05430994de" "6ef97dc8c2df1f2e 14adee287808b788"
"587987ce45cb0459 f61ec6c825c62259"), "a6072143b851d975 c8e8a0299df846b1"
SHEX("fbed2a7df418ec0e 8036312ec239fcee" "9113e38cee83da71 ea8e9bd6f57bdcd3"
"6ef97dc8c2df1f2e 14adee287808b788" "557523f4feb616ca a595aea01eb0b3d4"
"a6072143b851d975 c8e8a0299df846b1" "90b99b525ea4fbb9 258bc7fbb0deea8f"
"9113e38cee83da71 ea8e9bd6f57bdcd3" "568cb2"),
"557523f4feb616ca a595aea01eb0b3d4" SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c"
"90b99b525ea4fbb9 258bc7fbb0deea8f" "99df1340cce54626 183144ef46887163"
"568cb2"), "4b0a5c0033534108 e1c67c0dc99d3014"
SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" "f01084e98c95e101 4b309b1dbb2e6704"));
"99df1340cce54626 183144ef46887163"
"4b0a5c0033534108 e1c67c0dc99d3014"