authorGluzskiy Alexandr <sss@sss.chaoslab.ru>2017-04-22 23:37:33 +0300
committerGluzskiy Alexandr <sss@sss.chaoslab.ru>2017-04-23 00:19:38 +0300
commit5048672e81f3ee9aa864ef9d736a3d74da051754 (patch)
tree8148405d428027ceab0528cf186a9faf3817b196 /libs/libaxolotl/src/curve25519/ed25519/additions
parentdf4c8656be0e85a69a238f3fc3f4d53568c53828 (diff)
libs: libsignal-c: sync with upstream
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519/additions')
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h2
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c2
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c14
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c2
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c30
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c69
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c100
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c62
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c14
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c6
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c6
11 files changed, 28 insertions, 279 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
index da4a1cd07b..9339ddb981 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
@@ -12,11 +12,11 @@ void sc_neg(unsigned char *b, const unsigned char *a);
void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b);
int fe_isequal(const fe f, const fe g);
+int fe_isreduced(const unsigned char* s);
void fe_mont_rhs(fe v2, const fe u);
void fe_montx_to_edy(fe y, const fe u);
void fe_sqrt(fe b, const fe a);
-int ge_is_small_order(const ge_p3 *p);
int ge_isneutral(const ge_p3* q);
void ge_neg(ge_p3* r, const ge_p3 *p);
void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit);
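Review bot: The new `fe_isreduced` prototype is added without a comment stating its contract, and callers in vxeddsa.c and xeddsa.c branch on its result, so a one-line comment would help, e.g. `/* 1 if s is the canonical (fully reduced) 32-byte encoding of a field element, 0 otherwise; constant-time compare */`. Within this directory the removed `ge_is_small_order` prototype leaves nothing dangling, since its only visible caller, uopen_modified.c, is deleted in the same commit; callers outside the directory are not visible from this diff.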
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
index 5294c86669..6feb96bad6 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
@@ -7,8 +7,8 @@
unsigned int legendre_is_nonsquare(fe in)
{
- unsigned char bytes[32];
fe temp;
+ unsigned char bytes[32];
fe_pow22523(temp, in); /* temp = in^((q-5)/8) */
fe_sq(temp, temp); /* in^((q-5)/4) */
fe_sq(temp, temp); /* in^((q-5)/2) */
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
new file mode 100644
index 0000000000..6fbb3beccd
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
@@ -0,0 +1,14 @@
+#include "fe.h"
+#include "crypto_verify_32.h"
+
+int fe_isreduced(const unsigned char* s)
+{
+ fe f;
+ unsigned char strict[32];
+
+ fe_frombytes(f, s);
+ fe_tobytes(strict, f);
+ if (crypto_verify_32(strict, s) != 0)
+ return 0;
+ return 1;
+}
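Review bot: The decode/re-encode round-trip in `fe_isreduced` only rejects every non-canonical input if `fe_frombytes` discards bit 255 and `fe_tobytes` always emits the fully reduced value, which is how the ref10 routines this tree appears to use behave, but the file does not say so; a header comment such as `/* Canonical-encoding check: decode s, re-encode, require a byte-exact match (presumably rejects values >= p and a set top bit). */` would make the dependency explicit. The tail can be one expression, `return crypto_verify_32(strict, s) == 0;`, which also keeps the constant-time compare as the only comparison.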
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
index c62f064e25..a0c9785821 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
@@ -15,7 +15,9 @@ static unsigned char i_bytes[32] = {
void fe_sqrt(fe out, const fe a)
{
fe exp, b, b2, bi, i;
+#ifndef NDEBUG
fe legendre, zero, one;
+#endif
fe_frombytes(i, i_bytes);
fe_pow22523(exp, a); /* b = a^(q-5)/8 */
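Review bot: Guarding the `legendre`, `zero`, `one` declarations with `#ifndef NDEBUG` is only safe if every use of those three variables sits inside the same guard; the uses are further down in `fe_sqrt`, outside this hunk, so I cannot confirm it here, and any unguarded use would break release (`NDEBUG`) builds. Worth a compile with `-DNDEBUG` before merging, plus a comment on the guard, `/* only used by the postcondition check below */`, so the pairing stays visible to the next editor.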
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
deleted file mode 100644
index 845941be2a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-#include "utility.h"
-#include "stdio.h"
-
-/*
-return 1 if f == g
-return 0 if f != g
-*/
-
-int ge_is_small_order(const ge_p3 *p)
-{
- ge_p1p1 p1p1;
- ge_p2 p2;
- fe zero;
-
- ge_p3_dbl(&p1p1, p);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- fe_0(zero);
-
- /* Check if 8*p == neutral element == (0, 1) */
- return (fe_isequal(p2.X, zero) & fe_isequal(p2.Y, p2.Z));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
deleted file mode 100644
index d123d03580..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "fe.h"
-#include "ge.h"
-#include "assert.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* sqrt(-(A+2)) */
-static unsigned char A_bytes[32] = {
- 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
- 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
- 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
- 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
-};
-
-void ge_montx_to_p2(ge_p2* p, const fe u, const unsigned char ed_sign_bit)
-{
- fe x, y, A, v, v2, iv, nx;
-
- fe_frombytes(A, A_bytes);
-
- /* given u, recover edwards y */
- /* given u, recover v */
- /* given u and v, recover edwards x */
-
- fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
-
- fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
- fe_sqrt(v, v2); /* v = sqrt(v^2) */
-
- fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
- fe_invert(iv, v); /* 1/v */
- fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
-
- fe_neg(nx, x); /* negate x to match sign bit */
- fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
-
- fe_copy(p->X, x);
- fe_copy(p->Y, y);
- fe_1(p->Z);
-
- /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
- /* -x^2 + y^2 = 1 + dx^2y^2 */
-#ifndef NDEBUG
- {
- fe one, d, x2, y2, x2y2, dx2y2;
-
- unsigned char dbytes[32] = {
- 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
- 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
- 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
- 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
- };
-
- fe_frombytes(d, dbytes);
- fe_1(one);
- fe_sq(x2, p->X); /* x^2 */
- fe_sq(y2, p->Y); /* y^2 */
-
- fe_mul(dx2y2, x2, y2); /* x^2y^2 */
- fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
- fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
-
- fe_neg(x2y2, x2); /* -x^2 */
- fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
-
- assert(fe_isequal(x2y2, dx2y2));
- }
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
deleted file mode 100644
index 537858db6a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include <string.h>
-#include "sc.h"
-#include "ge.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "crypto_additions.h"
-#include "crypto_sign.h"
-
-int crypto_usign_open_modified(
- unsigned char *m,unsigned long long *mlen,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk, const ge_p3* Bu
-)
-{
- ge_p3 U;
- unsigned char h[64];
- unsigned char s[64];
- unsigned char strict[64];
- ge_p3 A;
- ge_p2 R;
- unsigned char hcheck[64];
- int count;
- // Ru = sBu + h(-U)
- ge_p3 sBu, hU;
- ge_p3 Ru;
-
- if (smlen < 96) goto badsig;
- if (sm[63] & 224) goto badsig; /* strict parsing of h */
- if (sm[95] & 224) goto badsig; /* strict parsing of s */
-
- /* Load -A */
- if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
-
- /* Load -U, h, s */
- ge_frombytes_negate_vartime(&U, sm);
- memset(h, 0, 64);
- memset(s, 0, 64);
- memmove(h, sm + 32, 32);
- memmove(s, sm + 64, 32);
-
- /* Insist that s and h are reduced scalars (strict parsing) */
- memcpy(strict, h, 64);
- sc_reduce(strict);
- if (memcmp(strict, h, 32) != 0)
- goto badsig;
- memcpy(strict, s, 64);
- sc_reduce(strict);
- if (memcmp(strict, s, 32) != 0)
- goto badsig;
-
- /* Reject U (actually -U) if small order */
- if (ge_is_small_order(&U))
- goto badsig;
-
- // R = sB + h(-A)
- ge_double_scalarmult_vartime(&R,h,&A,s);
-
- // sBu
- ge_scalarmult(&sBu, s, Bu);
-
- // h(-U)
- ge_scalarmult(&hU, h, &U);
-
- // Ru = sBu + h(-U)
- {
- ge_p1p1 Rp1p1;
- ge_cached hUcached;
- ge_p3_to_cached(&hUcached, &hU);
- ge_add(&Rp1p1, &sBu, &hUcached);
- ge_p1p1_to_p3(&Ru, &Rp1p1);
- }
-
- // Check h == SHA512(label(4) || A || U || R || Ru || M)
- m[0] = 0xFB;
- for (count = 1; count < 32; count++)
- m[count] = 0xFF;
- memmove(m+32, pk, 32);
- /* undo the negation for U */
- fe_neg(U.X, U.X);
- fe_neg(U.T, U.T);
- ge_p3_tobytes(m+64, &U);
- ge_tobytes(m+96, &R);
- ge_p3_tobytes(m+128, &Ru);
- memmove(m+160, sm+96, smlen - 96);
-
- crypto_hash_sha512(hcheck, m, smlen + 64);
- sc_reduce(hcheck);
-
- if (crypto_verify_32(hcheck, h) == 0) {
- memmove(m,m + 64,smlen - 64);
- memset(m + smlen - 64,0,64);
- *mlen = smlen - 64;
- return 0;
- }
-
-badsig:
- *mlen = -1;
- memset(m,0,smlen);
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
deleted file mode 100644
index 3bbd871b7a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include <string.h>
-#include "crypto_sign.h"
-#include "crypto_hash_sha512.h"
-#include "ge.h"
-#include "sc.h"
-#include "zeroize.h"
-#include "crypto_additions.h"
-
-/* NEW: Compare to pristine crypto_sign()
- Uses explicit private key for nonce derivation and as scalar,
- instead of deriving both from a master key.
-*/
-int crypto_usign_modified(
- unsigned char *sm,
- const unsigned char *M,unsigned long Mlen,
- const unsigned char *a,
- const unsigned char *A,
- const unsigned char *random,
- const ge_p3 *Bu,
- const unsigned char *U
-)
-{
- unsigned char r[64];
- unsigned char h[64];
- ge_p3 R, Ru;
- int count=0;
-
- /* r = SHA512(label(3) || a || U || random(64)) */
- sm[0] = 0xFC;
- for (count = 1; count < 32; count++)
- sm[count] = 0xFF;
-
- memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */
- memmove(sm + 64, U, 32);
-
- memmove(sm + 96, random, 64); /* Add suffix of random data */
- crypto_hash_sha512(r, sm, 160);
-
- sc_reduce(r);
- ge_scalarmult_base(&R, r);
- ge_scalarmult(&Ru, r, Bu);
-
- /* h = SHA512(label(4) || A || U || R || Ru || M) */
- sm[0] = 0xFB;
- memmove(sm + 32, A, 32);
- memmove(sm + 64, U, 32);
- ge_p3_tobytes(sm+96, &R);
- ge_p3_tobytes(sm+128, &Ru);
- memmove(sm + 160, M, Mlen);
-
- crypto_hash_sha512(h, sm, Mlen + 160);
- sc_reduce(h);
-
- memmove(sm, h, 32); /* Write h */
- sc_muladd(sm + 32, h, a, r); /* Write s */
-
- /* Erase any traces of private scalar or
- nonce left in the stack from sc_muladd. */
- zeroize_stack();
- zeroize(r, 64);
- return 0;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
index 035ec0e0a3..20b85bb155 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
@@ -16,10 +16,12 @@ int crypto_vsign_open_modified(
unsigned char h[32];
unsigned char s[32];
ge_p2 R;
- ge_p3 Rv;
unsigned char hcheck[64];
unsigned char vrf_output[64];
int count;
+ ge_p1p1 Rp1p1;
+ ge_p3 Rv;
+ ge_cached h_Vnegcached;
if (smlen < 96) goto badsig;
if (sm[63] & 224) goto badsig; /* strict parsing of h */
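Review bot: `Rp1p1` and `h_Vnegcached` are now function-scope declarations with no hint that they are scratch for the single point addition in the second hunk of this file, where the block that used to bound them is removed; a short comment on the declarations, `/* scratch for Rv = s*Bv + h*(-V) */`, keeps that locality readable. `crypto_vsign_open_modified` begins before this hunk and continues past it.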
@@ -52,13 +54,9 @@ int crypto_vsign_open_modified(
ge_scalarmult(&h_Vneg, h, &Vneg);
// Rv = (sc * Bv) + (hc * (-V))
- {
- ge_p1p1 Rp1p1;
- ge_cached h_Vnegcached;
- ge_p3_to_cached(&h_Vnegcached, &h_Vneg);
- ge_add(&Rp1p1, &s_Bv, &h_Vnegcached);
- ge_p1p1_to_p3(&Rv, &Rp1p1);
- }
+ ge_p3_to_cached(&h_Vnegcached, &h_Vneg);
+ ge_add(&Rp1p1, &s_Bv, &h_Vnegcached);
+ ge_p1p1_to_p3(&Rv, &Rp1p1);
// Check h == SHA512(label(4) || A || V || R || Rv || M)
m[0] = 0xFB; // label 4
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
index 802a73563d..8f60169bd4 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
@@ -50,7 +50,6 @@ int vxed25519_verify(unsigned char* vrf_out,
fe u;
fe y;
unsigned char ed_pubkey[32];
- unsigned char strict[32];
unsigned char verifybuf[MAX_MSG_LEN + 160]; /* working buffer */
unsigned char verifybuf2[MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */
ge_p3 Bv;
@@ -65,10 +64,9 @@ int vxed25519_verify(unsigned char* vrf_out,
NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
*/
+ if (!fe_isreduced(curve25519_pubkey))
+ return -1;
fe_frombytes(u, curve25519_pubkey);
- fe_tobytes(strict, u);
- if (crypto_verify_32(strict, curve25519_pubkey) != 0)
- return 0;
fe_montx_to_edy(y, u);
fe_tobytes(ed_pubkey, y);
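Review bot: The new early return in `vxed25519_verify` rejects a non-canonical `curve25519_pubkey` with `-1`, but nothing at the call site says what that value means or why canonical encoding matters, so the next reader has to open fe_isreduced.c; a comment such as `/* reject non-canonical u before it is reinterpreted as an Edwards key; -1 presumably matches the verify-failure convention */` would anchor both. The same applies to the parallel hunk in xeddsa.c (`xed25519_verify`). Both enclosing functions begin before and continue past their hunks.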
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
index ee2964a0d5..63b73bf2ed 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
@@ -49,7 +49,6 @@ int xed25519_verify(const unsigned char* signature,
fe u;
fe y;
unsigned char ed_pubkey[32];
- unsigned char strict[32];
unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
@@ -63,10 +62,9 @@ int xed25519_verify(const unsigned char* signature,
NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
*/
+ if (!fe_isreduced(curve25519_pubkey))
+ return -1;
fe_frombytes(u, curve25519_pubkey);
- fe_tobytes(strict, u);
- if (crypto_verify_32(strict, curve25519_pubkey) != 0)
- return 0;
fe_montx_to_edy(y, u);
fe_tobytes(ed_pubkey, y);