author | Gluzskiy Alexandr <sss@sss.chaoslab.ru> | 2017-04-22 23:37:33 +0300 |
---|---|---|
committer | Gluzskiy Alexandr <sss@sss.chaoslab.ru> | 2017-04-23 00:19:38 +0300 |
commit | 5048672e81f3ee9aa864ef9d736a3d74da051754 (patch) | |
tree | 8148405d428027ceab0528cf186a9faf3817b196 /libs/libaxolotl/src/curve25519/ed25519/additions | |
parent | df4c8656be0e85a69a238f3fc3f4d53568c53828 (diff) |
libs: libsignal-c: sync with upstream
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519/additions')
11 files changed, 28 insertions, 279 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
index da4a1cd07b..9339ddb981 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
@@ -12,11 +12,11 @@ void sc_neg(unsigned char *b, const unsigned char *a);
 void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b);
 int fe_isequal(const fe f, const fe g);
+int fe_isreduced(const unsigned char* s);
 void fe_mont_rhs(fe v2, const fe u);
 void fe_montx_to_edy(fe y, const fe u);
 void fe_sqrt(fe b, const fe a);
-int ge_is_small_order(const ge_p3 *p);
 int ge_isneutral(const ge_p3* q);
 void ge_neg(ge_p3* r, const ge_p3 *p);
 void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit);
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
index 5294c86669..6feb96bad6 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
@@ -7,8 +7,8 @@ unsigned int legendre_is_nonsquare(fe in)
 {
- unsigned char bytes[32];
 fe temp;
+ unsigned char bytes[32];
 fe_pow22523(temp, in); /* temp = in^((q-5)/8) */
 fe_sq(temp, temp); /* in^((q-5)/4) */
 fe_sq(temp, temp); /* in^((q-5)/2) */
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
new file mode 100644
index 0000000000..6fbb3beccd
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
@@ -0,0 +1,14 @@
+#include "fe.h"
+#include "crypto_verify_32.h"
+
+int fe_isreduced(const unsigned char* s)
+{
+ fe f;
+ unsigned char strict[32];
+
+ fe_frombytes(f, s);
+ fe_tobytes(strict, f);
+ if (crypto_verify_32(strict, s) != 0)
+ return 0;
+ return 1;
+}
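Review bot: fe_isreduced in the new fe_isreduced.c carries no comment stating its contract, and its 1-on-success / 0-on-failure polarity is the reverse of the 0-on-success, -1-on-failure convention its callers in this commit use, so it is easy to misuse with a stray `!`; add above the definition: `/* Return 1 if s is the canonical (fully reduced) 32-byte encoding of a field element, i.e. fe_tobytes(fe_frombytes(s)) == s; return 0 otherwise. Input is public, but the compare is constant-time via crypto_verify_32 regardless. */`. If fe_frombytes discards bit 255 as the ref10 version does (not visible here), an encoding with the top bit set also fails the round-trip and is rejected, which is the intended strictness for a Curve25519 u-coordinate and is worth recording so nobody later "fixes" it. `f` and `strict` only ever hold public-key bytes, so no zeroization is needed on either return path.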
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
index c62f064e25..a0c9785821 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
@@ -15,7 +15,9 @@ static unsigned char i_bytes[32] = {
 void fe_sqrt(fe out, const fe a)
 {
 fe exp, b, b2, bi, i;
+#ifndef NDEBUG
 fe legendre, zero, one;
+#endif
 fe_frombytes(i, i_bytes);
 fe_pow22523(exp, a); /* b = a^(q-5)/8 */
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
deleted file mode 100644
index 845941be2a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-#include "utility.h"
-#include "stdio.h"
-
-/*
-return 1 if f == g
-return 0 if f != g
-*/
-
-int ge_is_small_order(const ge_p3 *p)
-{
- ge_p1p1 p1p1;
- ge_p2 p2;
- fe zero;
-
- ge_p3_dbl(&p1p1, p);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- fe_0(zero);
-
- /* Check if 8*p == neutral element == (0, 1) */
- return (fe_isequal(p2.X, zero) & fe_isequal(p2.Y, p2.Z));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
deleted file mode 100644
index d123d03580..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "fe.h"
-#include "ge.h"
-#include "assert.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* sqrt(-(A+2)) */
-static unsigned char A_bytes[32] = {
- 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
- 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
- 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
- 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
-};
-
-void ge_montx_to_p2(ge_p2* p, const fe u, const unsigned char ed_sign_bit)
-{
- fe x, y, A, v, v2, iv, nx;
-
- fe_frombytes(A, A_bytes);
-
- /* given u, recover edwards y */
- /* given u, recover v */
- /* given u and v, recover edwards x */
-
- fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
-
- fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
- fe_sqrt(v, v2); /* v = sqrt(v^2) */
-
- fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
- fe_invert(iv, v); /* 1/v */
- fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
-
- fe_neg(nx, x); /* negate x to match sign bit */
- fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
-
- fe_copy(p->X, x);
- fe_copy(p->Y, y);
- fe_1(p->Z);
-
- /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
- /* -x^2 + y^2 = 1 + dx^2y^2 */
-#ifndef NDEBUG
- {
- fe one, d, x2, y2, x2y2, dx2y2;
-
- unsigned char dbytes[32] = {
- 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
- 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
- 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
- 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
- };
-
- fe_frombytes(d, dbytes);
- fe_1(one);
- fe_sq(x2, p->X); /* x^2 */
- fe_sq(y2, p->Y); /* y^2 */
-
- fe_mul(dx2y2, x2, y2); /* x^2y^2 */
- fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
- fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
-
- fe_neg(x2y2, x2); /* -x^2 */
- fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
-
- assert(fe_isequal(x2y2, dx2y2));
- }
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
deleted file mode 100644
index 537858db6a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include <string.h>
-#include "sc.h"
-#include "ge.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "crypto_additions.h"
-#include "crypto_sign.h"
-
-int crypto_usign_open_modified(
- unsigned char *m,unsigned long long *mlen,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk, const ge_p3* Bu
-)
-{
- ge_p3 U;
- unsigned char h[64];
- unsigned char s[64];
- unsigned char strict[64];
- ge_p3 A;
- ge_p2 R;
- unsigned char hcheck[64];
- int count;
- // Ru = sBu + h(-U)
- ge_p3 sBu, hU;
- ge_p3 Ru;
-
- if (smlen < 96) goto badsig;
- if (sm[63] & 224) goto badsig; /* strict parsing of h */
- if (sm[95] & 224) goto badsig; /* strict parsing of s */
-
- /* Load -A */
- if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
-
- /* Load -U, h, s */
- ge_frombytes_negate_vartime(&U, sm);
- memset(h, 0, 64);
- memset(s, 0, 64);
- memmove(h, sm + 32, 32);
- memmove(s, sm + 64, 32);
-
- /* Insist that s and h are reduced scalars (strict parsing) */
- memcpy(strict, h, 64);
- sc_reduce(strict);
- if (memcmp(strict, h, 32) != 0)
- goto badsig;
- memcpy(strict, s, 64);
- sc_reduce(strict);
- if (memcmp(strict, s, 32) != 0)
- goto badsig;
-
- /* Reject U (actually -U) if small order */
- if (ge_is_small_order(&U))
- goto badsig;
-
- // R = sB + h(-A)
- ge_double_scalarmult_vartime(&R,h,&A,s);
-
- // sBu
- ge_scalarmult(&sBu, s, Bu);
-
- // h(-U)
- ge_scalarmult(&hU, h, &U);
-
- // Ru = sBu + h(-U)
- {
- ge_p1p1 Rp1p1;
- ge_cached hUcached;
- ge_p3_to_cached(&hUcached, &hU);
- ge_add(&Rp1p1, &sBu, &hUcached);
- ge_p1p1_to_p3(&Ru, &Rp1p1);
- }
-
- // Check h == SHA512(label(4) || A || U || R || Ru || M)
- m[0] = 0xFB;
- for (count = 1; count < 32; count++)
- m[count] = 0xFF;
- memmove(m+32, pk, 32);
- /* undo the negation for U */
- fe_neg(U.X, U.X);
- fe_neg(U.T, U.T);
- ge_p3_tobytes(m+64, &U);
- ge_tobytes(m+96, &R);
- ge_p3_tobytes(m+128, &Ru);
- memmove(m+160, sm+96, smlen - 96);
-
crypto_hash_sha512(hcheck, m, smlen + 64);
- sc_reduce(hcheck);
-
- if (crypto_verify_32(hcheck, h) == 0) {
- memmove(m,m + 64,smlen - 64);
- memset(m + smlen - 64,0,64);
- *mlen = smlen - 64;
- return 0;
- }
-
-badsig:
- *mlen = -1;
- memset(m,0,smlen);
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
deleted file mode 100644
index 3bbd871b7a..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#include <string.h>
-#include "crypto_sign.h"
-#include "crypto_hash_sha512.h"
-#include "ge.h"
-#include "sc.h"
-#include "zeroize.h"
-#include "crypto_additions.h"
-
-/* NEW: Compare to pristine crypto_sign()
- Uses explicit private key for nonce derivation and as scalar,
- instead of deriving both from a master key.
-*/
-int crypto_usign_modified(
- unsigned char *sm,
- const unsigned char *M,unsigned long Mlen,
- const unsigned char *a,
- const unsigned char *A,
- const unsigned char *random,
- const ge_p3 *Bu,
- const unsigned char *U
-)
-{
- unsigned char r[64];
- unsigned char h[64];
- ge_p3 R, Ru;
- int count=0;
-
- /* r = SHA512(label(3) || a || U || random(64)) */
- sm[0] = 0xFC;
- for (count = 1; count < 32; count++)
- sm[count] = 0xFF;
-
- memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */
- memmove(sm + 64, U, 32);
-
- memmove(sm + 96, random, 64); /* Add suffix of random data */
- crypto_hash_sha512(r, sm, 160);
-
- sc_reduce(r);
- ge_scalarmult_base(&R, r);
- ge_scalarmult(&Ru, r, Bu);
-
- /* h = SHA512(label(4) || A || U || R || Ru || M) */
- sm[0] = 0xFB;
- memmove(sm + 32, A, 32);
- memmove(sm + 64, U, 32);
- ge_p3_tobytes(sm+96, &R);
- ge_p3_tobytes(sm+128, &Ru);
- memmove(sm + 160, M, Mlen);
-
- crypto_hash_sha512(h, sm, Mlen + 160);
- sc_reduce(h);
-
- memmove(sm, h, 32); /* Write h */
- sc_muladd(sm + 32, h, a, r); /* Write s */
-
- /* Erase any traces of private scalar or
- nonce left in the stack from sc_muladd. */
- zeroize_stack();
- zeroize(r, 64);
- return 0;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
index 035ec0e0a3..20b85bb155 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
@@ -16,10 +16,12 @@ int crypto_vsign_open_modified(
 unsigned char h[32];
 unsigned char s[32];
 ge_p2 R;
- ge_p3 Rv;
 unsigned char hcheck[64];
 unsigned char vrf_output[64];
 int count;
+ ge_p1p1 Rp1p1;
+ ge_p3 Rv;
+ ge_cached h_Vnegcached;
 if (smlen < 96) goto badsig;
 if (sm[63] & 224) goto badsig; /* strict parsing of h */
@@ -52,13 +54,9 @@ int crypto_vsign_open_modified(
 ge_scalarmult(&h_Vneg, h, &Vneg);
 // Rv = (sc * Bv) + (hc * (-V))
- {
- ge_p1p1 Rp1p1;
- ge_cached h_Vnegcached;
- ge_p3_to_cached(&h_Vnegcached, &h_Vneg);
- ge_add(&Rp1p1, &s_Bv, &h_Vnegcached);
- ge_p1p1_to_p3(&Rv, &Rp1p1);
- }
+ ge_p3_to_cached(&h_Vnegcached, &h_Vneg);
+ ge_add(&Rp1p1, &s_Bv, &h_Vnegcached);
+ ge_p1p1_to_p3(&Rv, &Rp1p1);
 // Check h == SHA512(label(4) || A || V || R || Rv || M)
 m[0] = 0xFB; // label 4
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
index 802a73563d..8f60169bd4 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
@@ -50,7 +50,6 @@ int vxed25519_verify(unsigned char* vrf_out,
 fe u;
 fe y;
 unsigned char ed_pubkey[32];
- unsigned char strict[32];
 unsigned char verifybuf[MAX_MSG_LEN + 160]; /* working buffer */
 unsigned char verifybuf2[MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */
 ge_p3 Bv;
@@ -65,10 +64,9 @@ int vxed25519_verify(unsigned char* vrf_out,
 NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */
+ if (!fe_isreduced(curve25519_pubkey))
+ return -1;
 fe_frombytes(u, curve25519_pubkey);
- fe_tobytes(strict, u);
- if (crypto_verify_32(strict, curve25519_pubkey) != 0)
- return 0;
 fe_montx_to_edy(y, u);
 fe_tobytes(ed_pubkey, y);
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
index ee2964a0d5..63b73bf2ed 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
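Review bot: The `/* working buffer #2 ?? !!! */` on `verifybuf2` in vxed25519_verify (a context line of this hunk; the function body continues outside it) leaves an open question standing in signature-verification code, and this upstream sync was the moment to settle it: replace the marks with the actual reason the second buffer exists, or, if none can be stated, with a TODO naming who owns the question. Two `MAX_MSG_LEN + 160` byte arrays on the stack per call also deserve a one-line note on the expected magnitude of MAX_MSG_LEN (defined outside this diff), since a large value turns this into a stack-depth concern on constrained targets.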
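Review bot: The new early `return -1` before `fe_frombytes(u, curve25519_pubkey)` leaves vxed25519_verify without writing `vrf_out`, so a caller that copies the VRF output before inspecting the return value would consume whatever the buffer previously held; unless the failure paths outside this hunk already clear it, zero vrf_out for its full length before returning here. The reason for the check is also undocumented, and the previous code fell through to `return 0`, which under the -1-on-failure convention this hunk now follows reads as a successful verification; add `/* u must be the canonical encoding of the Montgomery x-coordinate: a non-reduced u would let several byte strings verify as the same key, so reject it outright */` above the `if`. The same prologue appears verbatim in xeddsa.c in this commit; a small shared helper returning the parsed `fe` would remove both the duplication and the second fe_frombytes of bytes that fe_isreduced has already parsed.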
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
@@ -49,7 +49,6 @@ int xed25519_verify(const unsigned char* signature,
 fe u;
 fe y;
 unsigned char ed_pubkey[32];
- unsigned char strict[32];
 unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
 unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
@@ -63,10 +62,9 @@ int xed25519_verify(const unsigned char* signature,
 NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp */
+ if (!fe_isreduced(curve25519_pubkey))
+ return -1;
 fe_frombytes(u, curve25519_pubkey);
- fe_tobytes(strict, u);
- if (crypto_verify_32(strict, curve25519_pubkey) != 0)
- return 0;
 fe_montx_to_edy(y, u);
 fe_tobytes(ed_pubkey, y); |
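Review bot: The `return -1` added ahead of `fe_frombytes` in xed25519_verify rejects a non-canonical Curve25519 public key without saying why, and the switch away from the old `return 0` (which under this file's -1-on-failure convention reads as a successful verification) is exactly the silent-accept a later reader could reintroduce while "cleaning up"; add `/* reject a u that does not round-trip through fe_frombytes/fe_tobytes (e.g. u >= p): several byte strings would otherwise verify as one key, and the old fall-through returned 0 here */` above the check. The body of xed25519_verify continues outside this hunk, so I cannot see whether callers distinguish a bad key from a bad signature; both now yield -1, and if the distinction matters to the protocol layer a separate code at this point would be cheap.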