Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Menu
Open sidebar
Wim Lewis
nettle
Commits
0d66c601
Commit
0d66c601
authored
Mar 19, 2015
by
Niels Möller
Browse files
EdDSA interface change, use plain strings to represent keys.
parent
7fdb2fec
Changes
9
Hide whitespace changes
Inline
Side-by-side
ChangeLog
View file @
0d66c601
2015-03-18 Niels Möller <nisse@diamant.hack.org>
EdDSA interface change, use plain strings to represent keys.
* eddsa.h (_ED25519_LIMB_SIZE): Deleted constant.
(struct ed25519_private_key, ed25519_public_key): Deleted.
* eddsa-expand.c (_eddsa_expand_key): Don't compute the public
key.
(_eddsa_expand_key_itch): Deleted function.
* eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New
file, new functions.
* ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file
and function.
* ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted
function.
(ed25519_sha512_verify): Use a string to represent the public key.
* ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted
function.
(ed25519_sha512_sign): Use strings for the input key pair.
* Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and
ed25519-sha512-pubkey.c.
* testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to
_eddsa_expand_key changes, and use _eddsa_public_key.
* testsuite/ed25519-test.c (test_one): Test
ed25519_sha512_public_key, and adapt to new ed25519 interface.
2015-03-14 Niels Möller <nisse@diamant.hack.org>
...
...
Makefile.in
View file @
0d66c601
...
...
@@ -180,6 +180,7 @@ hogweed_SOURCES = sexp.c sexp-format.c \
curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c
\
eddsa-compress.c eddsa-decompress.c eddsa-expand.c
\
eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c
\
ed25519-sha512-pubkey.c
\
ed25519-sha512-sign.c ed25519-sha512-verify.c
\
$(OPT_HOGWEED_SOURCES)
...
...
ed25519-sha512-pubkey.c
0 → 100644
View file @
0d66c601
/* ed25519-sha512-pubkey.c
Copyright (C) 2014, 2015 Niels Möller
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include
"eddsa.h"
#include
"ecc-internal.h"
#include
"sha2.h"
void
ed25519_sha512_public_key
(
uint8_t
*
pub
,
const
uint8_t
*
priv
)
{
const
struct
ecc_curve
*
ecc
=
&
nettle_curve25519
;
struct
sha512_ctx
ctx
;
uint8_t
digest
[
ED25519_KEY_SIZE
];
mp_size_t
itch
=
ecc
->
q
.
size
+
_eddsa_public_key_itch
(
ecc
);
mp_limb_t
*
scratch
=
gmp_alloc_limbs
(
itch
);
#define k scratch
#define scratch_out (scratch + ecc->q.size)
_eddsa_expand_key
(
ecc
,
&
nettle_sha512
,
&
ctx
,
priv
,
digest
,
k
);
_eddsa_public_key
(
ecc
,
k
,
pub
,
scratch_out
);
gmp_free_limbs
(
scratch
,
itch
);
#undef k
#undef scratch_out
}
ed25519-sha512-sign.c
View file @
0d66c601
/* ed25519-sha512-sign.c
Copyright (C) 2014 Niels Möller
Copyright (C) 2014
, 2015
Niels Möller
This file is part of GNU Nettle.
...
...
@@ -39,32 +39,29 @@
#include
"sha2.h"
void
ed25519_sha512_set_private_key
(
struct
ed25519_private_key
*
priv
,
const
uint8_t
*
key
)
{
mp_size_t
itch
=
_eddsa_expand_key_itch
(
&
nettle_curve25519
);
mp_limb_t
*
scratch
=
gmp_alloc_limbs
(
itch
);
struct
sha512_ctx
ctx
;
_eddsa_expand_key
(
&
nettle_curve25519
,
&
nettle_sha512
,
&
ctx
,
key
,
priv
->
pub
,
priv
->
k1
,
priv
->
k2
,
scratch
);
gmp_free_limbs
(
scratch
,
itch
);
}
void
ed25519_sha512_sign
(
const
struct
ed25519_private_key
*
priv
,
ed25519_sha512_sign
(
const
uint8_t
*
pub
,
const
uint8_t
*
priv
,
size_t
length
,
const
uint8_t
*
msg
,
uint8_t
*
signature
)
{
mp_size_t
itch
=
_eddsa_sign_itch
(
&
nettle_curve25519
);
const
struct
ecc_curve
*
ecc
=
&
nettle_curve25519
;
mp_size_t
itch
=
ecc
->
q
.
size
+
_eddsa_sign_itch
(
&
nettle_curve25519
);
mp_limb_t
*
scratch
=
gmp_alloc_limbs
(
itch
);
#define k2 scratch
#define scratch_out (scratch + ecc->q.size)
struct
sha512_ctx
ctx
;
uint8_t
digest
[
SHA512_DIGEST_SIZE
];
#define k1 (digest + ED25519_KEY_SIZE)
_eddsa_expand_key
(
ecc
,
&
nettle_sha512
,
&
ctx
,
priv
,
digest
,
k2
);
sha512_init
(
&
ctx
);
sha512_update
(
&
ctx
,
ED25519_KEY_SIZE
,
priv
->
k1
);
_eddsa_sign
(
&
nettle_curve25519
,
&
nettle_sha512
,
priv
->
pub
,
sha512_update
(
&
ctx
,
ED25519_KEY_SIZE
,
k1
);
_eddsa_sign
(
&
nettle_curve25519
,
&
nettle_sha512
,
pub
,
&
ctx
,
priv
->
k2
,
length
,
msg
,
signature
,
scratch
);
k2
,
length
,
msg
,
signature
,
scratch
_out
);
gmp_free_limbs
(
scratch
,
itch
);
#undef k1
#undef k2
#undef scratch_out
}
ed25519-sha512-verify.c
View file @
0d66c601
/* ed25519-sha512-verify.c
Copyright (C) 2014 Niels Möller
Copyright (C) 2014
, 2015
Niels Möller
This file is part of GNU Nettle.
...
...
@@ -41,35 +41,25 @@
#include
"sha2.h"
int
ed25519_sha512_set_public_key
(
struct
ed25519_public_key
*
pub
,
const
uint8_t
*
key
)
{
mp_size_t
itch
=
_eddsa_decompress_itch
(
&
nettle_curve25519
);
mp_limb_t
*
scratch
=
gmp_alloc_limbs
(
itch
);
int
res
;
memcpy
(
pub
->
pub
,
key
,
sizeof
(
pub
->
pub
));
res
=
_eddsa_decompress
(
&
nettle_curve25519
,
pub
->
A
,
key
,
scratch
);
gmp_free_limbs
(
scratch
,
itch
);
return
res
;
}
int
ed25519_sha512_verify
(
const
struct
ed25519_public_key
*
pub
,
ed25519_sha512_verify
(
const
uint8_t
*
pub
,
size_t
length
,
const
uint8_t
*
msg
,
const
uint8_t
*
signature
)
{
mp_size_t
itch
=
_eddsa_verify_itch
(
&
nettle_curve25519
);
const
struct
ecc_curve
*
ecc
=
&
nettle_curve25519
;
mp_size_t
itch
=
3
*
ecc
->
p
.
size
+
_eddsa_verify_itch
(
&
nettle_curve25519
);
mp_limb_t
*
scratch
=
gmp_alloc_limbs
(
itch
);
struct
sha512_ctx
ctx
;
int
res
;
res
=
_eddsa_verify
(
&
nettle_curve25519
,
&
nettle_sha512
,
pub
->
pub
,
pub
->
A
,
&
ctx
,
length
,
msg
,
signature
,
scratch
);
#define A scratch
#define scratch_out (scratch + 3*ecc->p.size)
res
=
(
_eddsa_decompress
(
&
nettle_curve25519
,
A
,
pub
,
scratch_out
)
&&
_eddsa_verify
(
ecc
,
&
nettle_sha512
,
pub
,
A
,
&
ctx
,
length
,
msg
,
signature
,
scratch_out
));
gmp_free_limbs
(
scratch
,
itch
);
return
res
;
#undef A
#undef scratch_out
}
eddsa-expand.c
View file @
0d66c601
...
...
@@ -42,38 +42,23 @@
#include
"ecc-internal.h"
#include
"nettle-meta.h"
mp_size_t
_eddsa_expand_key_itch
(
const
struct
ecc_curve
*
ecc
)
{
assert
(
_eddsa_compress_itch
(
ecc
)
<=
ecc
->
mul_g_itch
);
return
3
*
ecc
->
p
.
size
+
ecc
->
mul_g_itch
;
}
/* Expands a private key, generating the key K1 for nonce generation,
the secret scalar K2, and, if PUB is non-NULL, the corresponding
public key (in compressed form). */
/* Expands a private key, generating the secret scalar K2 and leaving
the key K1 for nonce generation, at the end of the digest. */
void
_eddsa_expand_key
(
const
struct
ecc_curve
*
ecc
,
const
struct
nettle_hash
*
H
,
void
*
ctx
,
const
uint8_t
*
key
,
uint8_t
*
pub
,
uint8_t
*
k1
,
mp_limb_t
*
k2
,
mp_limb_t
*
scratch
)
uint8_t
*
digest
,
mp_limb_t
*
k2
)
{
size_t
nbytes
=
1
+
ecc
->
p
.
bit_size
/
8
;
uint8_t
*
digest
=
(
uint8_t
*
)
scratch
;
#define P scratch
#define scratch_out (scratch + 3*ecc->p.size)
assert
(
H
->
digest_size
>=
2
*
nbytes
);
H
->
init
(
ctx
);
H
->
update
(
ctx
,
nbytes
,
key
);
H
->
digest
(
ctx
,
2
*
nbytes
,
digest
);
memcpy
(
k1
,
digest
+
nbytes
,
nbytes
);
mpn_set_base256_le
(
k2
,
ecc
->
p
.
size
,
digest
,
nbytes
);
/* Clear low 3 bits */
...
...
@@ -84,12 +69,4 @@ _eddsa_expand_key (const struct ecc_curve *ecc,
/* Clear any higher bits. */
k2
[
ecc
->
p
.
size
-
1
]
&=
~
(
mp_limb_t
)
0
>>
(
GMP_NUMB_BITS
*
ecc
->
p
.
size
-
ecc
->
p
.
bit_size
);
if
(
pub
)
{
ecc
->
mul_g
(
ecc
,
P
,
k2
,
scratch_out
);
_eddsa_compress
(
ecc
,
pub
,
P
,
scratch_out
);
}
#undef P
#undef scratch_out
}
eddsa.h
View file @
0d66c601
...
...
@@ -42,8 +42,8 @@ extern "C" {
/* Name mangling */
#define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key
#define ed25519_sha512_public_key nettle_ed25519_sha512_public_key
#define ed25519_sha512_sign nettle_ed25519_sha512_sign
#define ed25519_sha512_set_public_key nettle_ed25519_sha512_set_public_key
#define ed25519_sha512_verify nettle_ed25519_sha512_verify
#define _eddsa_compress _nettle_eddsa_compress
...
...
@@ -51,7 +51,6 @@ extern "C" {
#define _eddsa_decompress _nettle_eddsa_decompress
#define _eddsa_decompress_itch _nettle_eddsa_decompress_itch
#define _eddsa_hash _nettle_eddsa_hash
#define _eddsa_expand_key_itch _nettle_eddsa_expand_key_itch
#define _eddsa_expand_key _nettle_eddsa_expand_key
#define _eddsa_sign _nettle_eddsa_sign
#define _eddsa_sign_itch _nettle_eddsa_sign_itch
...
...
@@ -63,38 +62,17 @@ extern "C" {
#define ED25519_KEY_SIZE 32
#define ED25519_SIGNATURE_SIZE 64
/* Number of limbs needed to represent a point coordinate, or a secret
exponent (note that exponents are 254 bits, larger than q). */
#define _ED25519_LIMB_SIZE ((255 + (GMP_NUMB_BITS - 1)) / GMP_NUMB_BITS)
struct
ed25519_private_key
{
uint8_t
pub
[
ED25519_KEY_SIZE
];
uint8_t
k1
[
ED25519_KEY_SIZE
];
mp_limb_t
k2
[
_ED25519_LIMB_SIZE
];
};
void
ed25519_sha512_set_private_key
(
struct
ed25519_private_key
*
priv
,
const
uint8_t
*
key
);
ed25519_sha512_public_key
(
uint8_t
*
pub
,
const
uint8_t
*
priv
);
void
ed25519_sha512_sign
(
const
struct
ed25519_private_key
*
priv
,
ed25519_sha512_sign
(
const
uint8_t
*
pub
,
const
uint8_t
*
priv
,
size_t
length
,
const
uint8_t
*
msg
,
uint8_t
*
signature
);
struct
ed25519_public_key
{
uint8_t
pub
[
ED25519_KEY_SIZE
];
mp_limb_t
A
[
2
*
_ED25519_LIMB_SIZE
];
};
int
ed25519_sha512_set_public_key
(
struct
ed25519_public_key
*
pub
,
const
uint8_t
*
key
);
int
ed25519_sha512_verify
(
const
struct
ed25519_public_key
*
pub
,
ed25519_sha512_verify
(
const
uint8_t
*
pub
,
size_t
length
,
const
uint8_t
*
msg
,
const
uint8_t
*
signature
);
...
...
@@ -148,18 +126,13 @@ _eddsa_verify (const struct ecc_curve *ecc,
const
uint8_t
*
signature
,
mp_limb_t
*
scratch
);
mp_size_t
_eddsa_expand_key_itch
(
const
struct
ecc_curve
*
ecc
);
void
_eddsa_expand_key
(
const
struct
ecc_curve
*
ecc
,
const
struct
nettle_hash
*
H
,
void
*
ctx
,
const
uint8_t
*
key
,
uint8_t
*
pub
,
uint8_t
*
k1
,
mp_limb_t
*
k2
,
mp_limb_t
*
scratch
);
uint8_t
*
digest
,
mp_limb_t
*
k2
);
mp_size_t
_eddsa_public_key_itch
(
const
struct
ecc_curve
*
ecc
);
...
...
testsuite/ed25519-test.c
View file @
0d66c601
...
...
@@ -63,13 +63,12 @@ test_one (const char *line)
const
char
*
mp
;
uint8_t
sk
[
ED25519_KEY_SIZE
];
uint8_t
pk
[
ED25519_KEY_SIZE
];
uint8_t
t
[
ED25519_KEY_SIZE
];
uint8_t
s
[
ED25519_SIGNATURE_SIZE
];
uint8_t
*
msg
;
size_t
msg_size
;
uint8_t
s2
[
ED25519_SIGNATURE_SIZE
];
struct
ed25519_public_key
pub
;
struct
ed25519_private_key
priv
;
decode_hex
(
ED25519_KEY_SIZE
,
sk
,
line
);
p
=
strchr
(
line
,
':'
);
...
...
@@ -91,28 +90,27 @@ test_one (const char *line)
decode_hex
(
msg_size
,
msg
,
mp
);
ed25519_sha512_
set_private
_key
(
&
priv
,
sk
);
ASSERT
(
MEMEQ
(
ED25519_KEY_SIZE
,
priv
.
pub
,
pk
));
ed25519_sha512_
public
_key
(
t
,
sk
);
ASSERT
(
MEMEQ
(
ED25519_KEY_SIZE
,
t
,
pk
));
ed25519_sha512_sign
(
&
priv
,
msg_size
,
msg
,
s2
);
ed25519_sha512_sign
(
pk
,
sk
,
msg_size
,
msg
,
s2
);
ASSERT
(
MEMEQ
(
ED25519_SIGNATURE_SIZE
,
s
,
s2
));
ASSERT
(
ed25519_sha512_set_public_key
(
&
pub
,
pk
));
ASSERT
(
ed25519_sha512_verify
(
&
pub
,
msg_size
,
msg
,
s
));
ASSERT
(
ed25519_sha512_verify
(
pk
,
msg_size
,
msg
,
s
));
s2
[
ED25519_SIGNATURE_SIZE
/
3
]
^=
0x40
;
ASSERT
(
!
ed25519_sha512_verify
(
&
pub
,
msg_size
,
msg
,
s2
));
ASSERT
(
!
ed25519_sha512_verify
(
pk
,
msg_size
,
msg
,
s2
));
memcpy
(
s2
,
s
,
ED25519_SIGNATURE_SIZE
);
s2
[
2
*
ED25519_SIGNATURE_SIZE
/
3
]
^=
0x40
;
ASSERT
(
!
ed25519_sha512_verify
(
&
pub
,
msg_size
,
msg
,
s2
));
ASSERT
(
!
ed25519_sha512_verify
(
pk
,
msg_size
,
msg
,
s2
));
ASSERT
(
!
ed25519_sha512_verify
(
&
pub
,
msg_size
+
1
,
msg
,
s
));
ASSERT
(
!
ed25519_sha512_verify
(
pk
,
msg_size
+
1
,
msg
,
s
));
if
(
msg_size
>
0
)
{
msg
[
msg_size
-
1
]
^=
0x20
;
ASSERT
(
!
ed25519_sha512_verify
(
&
pub
,
msg_size
,
msg
,
s
));
ASSERT
(
!
ed25519_sha512_verify
(
pk
,
msg_size
,
msg
,
s
));
}
free
(
msg
);
}
...
...
testsuite/eddsa-sign-test.c
View file @
0d66c601
...
...
@@ -46,21 +46,21 @@ test_eddsa_sign (const struct ecc_curve *ecc,
uint8_t
*
signature
=
xalloc
(
2
*
nbytes
);
void
*
ctx
=
xalloc
(
H
->
context_size
);
uint8_t
*
public_out
=
xalloc
(
nbytes
);
uint8_t
*
k1
=
xalloc
(
nbytes
);
uint8_t
*
digest
=
xalloc
(
2
*
nbytes
);
const
uint8_t
*
k1
=
digest
+
nbytes
;
mp_limb_t
*
k2
=
xalloc_limbs
(
ecc
->
p
.
size
);
ASSERT
(
public
->
length
==
nbytes
);
ASSERT
(
private
->
length
==
nbytes
);
ASSERT
(
ref
->
length
==
2
*
nbytes
);
ASSERT
(
_eddsa_expand_key_itch
(
ecc
)
<=
_eddsa_sign_itch
(
ecc
));
_eddsa_expand_key
(
ecc
,
H
,
ctx
,
private
->
data
,
public_out
,
k
1
,
k2
,
scratch
);
digest
,
k2
);
_eddsa_public_key
(
ecc
,
k
2
,
public_out
,
scratch
);
if
(
!
MEMEQ
(
nbytes
,
public_out
,
public
->
data
))
{
fprintf
(
stderr
,
"Bad public key from _eddsa_expand_key.
\n
"
);
fprintf
(
stderr
,
"Bad public key from _eddsa_expand_key
+ _eddsa_public_key
.
\n
"
);
fprintf
(
stderr
,
"got:"
);
print_hex
(
nbytes
,
public_out
);
fprintf
(
stderr
,
"
\n
ref:"
);
...
...
@@ -95,7 +95,7 @@ test_eddsa_sign (const struct ecc_curve *ecc,
free
(
scratch
);
free
(
signature
);
free
(
ctx
);
free
(
k1
);
free
(
digest
);
free
(
k2
);
free
(
public_out
);
}
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment