Commit 1e341035 authored by Niels Möller's avatar Niels Möller

Use function pointer to represent eddsa dom prefix.

parent a148ed32
2020-01-02 Niels Möller <nisse@lysator.liu.se> 2020-01-02 Niels Möller <nisse@lysator.liu.se>
* eddsa-internal.h (struct ecc_eddsa): Add magic "dom" string, * eddsa-internal.h (nettle_eddsa_dom_func): New typedef.
(struct ecc_eddsa): Use function pointer to represent eddsa dom
string. To avoid calling sha512_update with empty input for
ed25519.
* ed448-shake256.c (ed448_dom): New function, calling
sha3_256_update with the magic dom prefix.
(_nettle_ed448_shake256): Point to it.
* ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function.
* eddsa-sign.c (_eddsa_sign): Update to use dom function pointer.
* eddsa-verify.c (_eddsa_verify): Likewise.
* eddsa-internal.h (struct ecc_eddsa): Add magic dom string,
needed for ed448. needed for ed448.
* ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string. * ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string.
* ed448-shake256.c (_nettle_ed448_shake256): New file and * ed448-shake256.c (_nettle_ed448_shake256): New file and
......
...@@ -38,11 +38,15 @@ ...@@ -38,11 +38,15 @@
#include "nettle-types.h" #include "nettle-types.h"
#include "sha2.h" #include "sha2.h"
static nettle_eddsa_dom_func ed25519_dom;
static void ed25519_dom(void *ctx UNUSED) {}
const struct ecc_eddsa _nettle_ed25519_sha512 = const struct ecc_eddsa _nettle_ed25519_sha512 =
{ {
(nettle_hash_update_func *) sha512_update, (nettle_hash_update_func *) sha512_update,
(nettle_hash_digest_func *) sha512_digest, (nettle_hash_digest_func *) sha512_digest,
NULL, 0, ed25519_dom,
~(mp_limb_t) 7, ~(mp_limb_t) 7,
(mp_limb_t) 1 << (254 % GMP_NUMB_BITS), (mp_limb_t) 1 << (254 % GMP_NUMB_BITS),
}; };
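Review bot: `ed25519_dom` is an empty function, and nothing at its definition says the emptiness is intentional. A one-line comment above it would settle that, e.g. `/* Ed25519 hashes no dom prefix (RFC 8032 dom2 is empty for pure Ed25519), so this is deliberately a no-op. */`. Without it the stub reads like an unfinished counterpart to `ed448_dom`, which does feed a prefix into the hash.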
...@@ -39,14 +39,22 @@ ...@@ -39,14 +39,22 @@
#include "sha3.h" #include "sha3.h"
#define DOM_SIZE 10 #define DOM_SIZE 10
static const uint8_t ed448_dom[DOM_SIZE] =
{ 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0}; static nettle_eddsa_dom_func ed448_dom;
static void
ed448_dom(void *ctx)
{
static const uint8_t dom[DOM_SIZE] =
{ 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0};
sha3_256_update (ctx, DOM_SIZE, dom);
}
const struct ecc_eddsa _nettle_ed448_shake256 = const struct ecc_eddsa _nettle_ed448_shake256 =
{ {
(nettle_hash_update_func *) sha3_256_update, (nettle_hash_update_func *) sha3_256_update,
(nettle_hash_digest_func *) sha3_256_shake, (nettle_hash_digest_func *) sha3_256_shake,
ed448_dom, DOM_SIZE, ed448_dom,
~(mp_limb_t) 3, ~(mp_limb_t) 3,
(mp_limb_t) 1 << (447 % GMP_NUMB_BITS), (mp_limb_t) 1 << (447 % GMP_NUMB_BITS),
}; };
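Review bot: The `dom` array inside `ed448_dom` ends in two bare zero bytes whose meaning is not stated. As far as I can tell from RFC 8032 they are the prehash flag and the context length of dom4, so this table fixes the scheme to pure Ed448 with an empty context. I would record that next to the initializer, e.g. `/* "SigEd448" || phflag = 0 || context length = 0 (RFC 8032 dom4) */`. Separately, `ctx` arrives as `void *` and goes straight to `sha3_256_update`, so the helper is only correct while the `update` member of the same struct is also `sha3_256_update`. A short comment saying the two must change together would keep a later hash swap from silently mixing context types.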
...@@ -53,13 +53,14 @@ ...@@ -53,13 +53,14 @@
struct ecc_curve; struct ecc_curve;
struct ecc_modulo; struct ecc_modulo;
typedef void nettle_eddsa_dom_func(void *ctx);
struct ecc_eddsa struct ecc_eddsa
{ {
/* Hash function to use */ /* Hash function to use */
nettle_hash_update_func *update; nettle_hash_update_func *update;
nettle_hash_digest_func *digest; nettle_hash_digest_func *digest;
const uint8_t *dom; nettle_eddsa_dom_func *dom;
unsigned dom_size;
/* For generating the secret scalar */ /* For generating the secret scalar */
mp_limb_t low_mask; mp_limb_t low_mask;
mp_limb_t high_bit; mp_limb_t high_bit;
......
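Review bot: The new `dom` member has no comment stating its contract, and the callers in eddsa-sign.c and eddsa-verify.c invoke `eddsa->dom (ctx)` unconditionally, so a NULL entry here would be called through. The old `NULL, 0` initializer might suggest NULL is still acceptable. Suggest documenting it at the member: `/* Feeds the domain-separation prefix into ctx; must not be NULL, use a no-op function when the scheme has no prefix. */`. It may also be worth stating on the typedef that `ctx` is the same hash context that `update` and `digest` receive, since the `void *` parameter gives no type checking. The struct definition continues beyond the visible lines.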
...@@ -75,7 +75,7 @@ _eddsa_sign (const struct ecc_curve *ecc, ...@@ -75,7 +75,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
size = ecc->p.size; size = ecc->p.size;
nbytes = 1 + ecc->p.bit_size / 8; nbytes = 1 + ecc->p.bit_size / 8;
eddsa->update (ctx, eddsa->dom_size, eddsa->dom); eddsa->dom (ctx);
eddsa->update (ctx, nbytes, k1); eddsa->update (ctx, nbytes, k1);
eddsa->update (ctx, length, msg); eddsa->update (ctx, length, msg);
eddsa->digest (ctx, 2*nbytes, hash); eddsa->digest (ctx, 2*nbytes, hash);
...@@ -84,7 +84,7 @@ _eddsa_sign (const struct ecc_curve *ecc, ...@@ -84,7 +84,7 @@ _eddsa_sign (const struct ecc_curve *ecc,
ecc->mul_g (ecc, P, rp, scratch_out); ecc->mul_g (ecc, P, rp, scratch_out);
_eddsa_compress (ecc, signature, P, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out);
eddsa->update (ctx, eddsa->dom_size, eddsa->dom); eddsa->dom (ctx);
eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, signature);
eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, nbytes, pub);
eddsa->update (ctx, length, msg); eddsa->update (ctx, length, msg);
......
...@@ -106,7 +106,7 @@ _eddsa_verify (const struct ecc_curve *ecc, ...@@ -106,7 +106,7 @@ _eddsa_verify (const struct ecc_curve *ecc,
if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0)
return 0; return 0;
eddsa->update (ctx, eddsa->dom_size, eddsa->dom); eddsa->dom (ctx);
eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, signature);
eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, nbytes, pub);
eddsa->update (ctx, length, msg); eddsa->update (ctx, length, msg);
......