diff options
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519/additions/generalized')
13 files changed, 0 insertions, 1176 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c deleted file mode 100644 index 75d9673d01..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c +++ /dev/null @@ -1,15 +0,0 @@ -#include "ge.h" - -/* -r = p + q -*/ - -void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q) -{ - ge_cached p_cached; - ge_p1p1 r_p1p1; - - ge_p3_to_cached(&p_cached, p); - ge_add(&r_p1p1, q, &p_cached); - ge_p1p1_to_p3(r, &r_p1p1); -} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h deleted file mode 100644 index 392a88e57b..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef _GEN_CONSTANTS_H__ -#define _GEN_CONSTANTS_H__ - -#define LABELSETMAXLEN 512 -#define LABELMAXLEN 128 -#define BUFLEN 1024 -#define BLOCKLEN 128 /* SHA512 */ -#define HASHLEN 64 /* SHA512 */ -#define POINTLEN 32 -#define SCALARLEN 32 -#define RANDLEN 32 -#define SIGNATURELEN 64 -#define VRFSIGNATURELEN 96 -#define VRFOUTPUTLEN 32 -#define MSTART 2048 -#define MSGMAXLEN 1048576 - -#endif - diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h deleted file mode 100644 index 569ae26f4d..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h +++ /dev/null @@ -1,16 +0,0 @@ - -#ifndef __GEN_CRYPTO_ADDITIONS__ -#define __GEN_CRYPTO_ADDITIONS__ - -#include "crypto_uint32.h" -#include "fe.h" -#include "ge.h" - -int sc_isreduced(const unsigned char* s); - -int point_isreduced(const unsigned char* p); - -void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q); - -#endif - diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c deleted file mode 100644 index 9755d28ede..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c +++ /dev/null @@ -1,349 +0,0 @@ -#include <string.h> -#include "gen_eddsa.h" -#include "gen_labelset.h" -#include "gen_constants.h" -#include "gen_crypto_additions.h" -#include "crypto_hash_sha512.h" -#include "crypto_verify_32.h" -#include "zeroize.h" -#include "ge.h" -#include "sc.h" -#include "crypto_additions.h" -#include "utility.h" - -/* B: base point - * R: commitment (point), - r: private nonce (scalar) - K: encoded public key - k: private key (scalar) - Z: 32-bytes random - M: buffer containing message, message starts at M_start, continues for M_len - - r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q) -*/ -int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar, - const unsigned char* labelset, const unsigned long labelset_len, - const unsigned char* extra, const unsigned long extra_len, - const unsigned char* K_bytes, const unsigned char* k_scalar, - const unsigned char* Z, - unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len) -{ - ge_p3 R_point; - unsigned char hash[HASHLEN]; - unsigned char* bufstart = NULL; - unsigned char* bufptr = NULL; - unsigned char* bufend = NULL; - unsigned long prefix_len = 0; - - if (labelset_validate(labelset, labelset_len) != 0) - goto err; - if (R_bytes == NULL || r_scalar == NULL || - K_bytes == NULL || k_scalar == NULL || - Z == NULL || M_buf == NULL) - goto err; - if (extra == NULL && extra_len != 0) - goto err; - if (extra != NULL && extra_len == 0) - goto err; - if (extra != NULL && labelset_is_empty(labelset, labelset_len)) - goto err; - if (HASHLEN != 64) - goto err; - - prefix_len = 0; - prefix_len += POINTLEN + labelset_len + RANDLEN; - prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN); - prefix_len += SCALARLEN; - prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN); - prefix_len += labelset_len + POINTLEN + extra_len; - if (prefix_len > M_start) - goto err; - - bufstart = M_buf + M_start - prefix_len; - bufptr = bufstart; - bufend = M_buf + M_start; - bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, labelset, labelset_len); - bufptr = buffer_add(bufptr, bufend, Z, RANDLEN); - bufptr = buffer_pad(bufstart, bufptr, bufend); - bufptr = buffer_add(bufptr, bufend, k_scalar, SCALARLEN); - bufptr = buffer_pad(bufstart, bufptr, bufend); - bufptr = buffer_add(bufptr, bufend, labelset, labelset_len); - bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, extra, extra_len); - if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len) - goto err; - - crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len); - sc_reduce(hash); - ge_scalarmult_base(&R_point, hash); - ge_p3_tobytes(R_bytes, &R_point); - memcpy(r_scalar, hash, SCALARLEN); - - zeroize(hash, HASHLEN); - zeroize(bufstart, prefix_len); - return 0; - -err: - zeroize(hash, HASHLEN); - zeroize(M_buf, M_start); - return -1; -} - -/* if is_labelset_empty(labelset): - return hash(R || K || M) (mod q) - else: - return hash(B || labelset || R || labelset || K || extra || M) (mod q) -*/ -int generalized_challenge(unsigned char* h_scalar, - const unsigned char* labelset, const unsigned long labelset_len, - const unsigned char* extra, const unsigned long extra_len, - const unsigned char* R_bytes, - const unsigned char* K_bytes, - unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len) -{ - unsigned char hash[HASHLEN]; - unsigned char* bufstart = NULL; - unsigned char* bufptr = NULL; - unsigned char* bufend = NULL; - unsigned long prefix_len = 0; - - if (h_scalar == NULL) - goto err; - memset(h_scalar, 0, SCALARLEN); - - if (labelset_validate(labelset, labelset_len) != 0) - goto err; - if (R_bytes == NULL || K_bytes == NULL || M_buf == NULL) - goto err; - if (extra == NULL && extra_len != 0) - goto err; - if (extra != NULL && extra_len == 0) - goto err; - if (extra != NULL && labelset_is_empty(labelset, labelset_len)) - goto err; - if (HASHLEN != 64) - goto err; - - if (labelset_is_empty(labelset, labelset_len)) { - if (2*POINTLEN > M_start) - goto err; - if (extra != NULL || extra_len != 0) - goto err; - memcpy(M_buf + M_start - (2*POINTLEN), R_bytes, POINTLEN); - memcpy(M_buf + M_start - (1*POINTLEN), K_bytes, POINTLEN); - prefix_len = 2*POINTLEN; - } else { - prefix_len = 3*POINTLEN + 2*labelset_len + extra_len; - if (prefix_len > M_start) - goto err; - - bufstart = M_buf + M_start - prefix_len; - bufptr = bufstart; - bufend = M_buf + M_start; - bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, labelset, labelset_len); - bufptr = buffer_add(bufptr, bufend, R_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, labelset, labelset_len); - bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, extra, extra_len); - - if (bufptr == NULL) - goto err; - if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len) - goto err; - } - - crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len); - sc_reduce(hash); - memcpy(h_scalar, hash, SCALARLEN); - return 0; - -err: - return -1; -} - -/* return r + kh (mod q) */ -int generalized_prove(unsigned char* out_scalar, - const unsigned char* r_scalar, const unsigned char* k_scalar, const unsigned char* h_scalar) -{ - sc_muladd(out_scalar, h_scalar, k_scalar, r_scalar); - zeroize_stack(); - return 0; -} - -/* R = s*B - h*K */ -int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out, - const ge_p3* B_point, const unsigned char* s_scalar, - const unsigned char* K_bytes, const unsigned char* h_scalar) -{ - - ge_p3 Kneg_point; - ge_p2 R_calc_point_p2; - - ge_p3 sB; - ge_p3 hK; - ge_p3 R_calc_point_p3; - - if (ge_frombytes_negate_vartime(&Kneg_point, K_bytes) != 0) - return -1; - - if (B_point == NULL) { - ge_double_scalarmult_vartime(&R_calc_point_p2, h_scalar, &Kneg_point, s_scalar); - ge_tobytes(R_bytes_out, &R_calc_point_p2); - } - else { - // s * Bv - ge_scalarmult(&sB, s_scalar, B_point); - - // h * -K - ge_scalarmult(&hK, h_scalar, &Kneg_point); - - // R = sB - hK - ge_p3_add(&R_calc_point_p3, &sB, &hK); - ge_p3_tobytes(R_bytes_out, &R_calc_point_p3); - } - - if (K_point_out) { - ge_neg(K_point_out, &Kneg_point); - } - - return 0; -} - - -int generalized_eddsa_25519_sign( - unsigned char* signature_out, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* eddsa_25519_privkey_scalar, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char labelset[LABELSETMAXLEN]; - unsigned long labelset_len = 0; - unsigned char R_bytes[POINTLEN]; - unsigned char r_scalar[SCALARLEN]; - unsigned char h_scalar[SCALARLEN]; - unsigned char s_scalar[SCALARLEN]; - unsigned char* M_buf = NULL; - - if (signature_out == NULL) - goto err; - memset(signature_out, 0, SIGNATURELEN); - - if (eddsa_25519_pubkey_bytes == NULL) - goto err; - if (eddsa_25519_privkey_scalar == NULL) - goto err; - if (msg == NULL) - goto err; - if (customization_label == NULL && customization_label_len != 0) - goto err; - if (customization_label_len > LABELMAXLEN) - goto err; - if (msg_len > MSGMAXLEN) - goto err; - - if ((M_buf = malloc(msg_len + MSTART)) == 0) - goto err; - memcpy(M_buf + MSTART, msg, msg_len); - - if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0, - customization_label, customization_label_len) != 0) - goto err; - - if (generalized_commit(R_bytes, r_scalar, labelset, labelset_len, NULL, 0, - eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar, - random, M_buf, MSTART, msg_len) != 0) - goto err; - - if (generalized_challenge(h_scalar, labelset, labelset_len, NULL, 0, - R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0) - goto err; - - if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0) - goto err; - - memcpy(signature_out, R_bytes, POINTLEN); - memcpy(signature_out + POINTLEN, s_scalar, SCALARLEN); - - zeroize(r_scalar, SCALARLEN); - zeroize_stack(); - free(M_buf); - return 0; - -err: - zeroize(r_scalar, SCALARLEN); - zeroize_stack(); - free(M_buf); - return -1; -} - -int generalized_eddsa_25519_verify( - const unsigned char* signature, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char labelset[LABELSETMAXLEN]; - unsigned long labelset_len = 0; - const unsigned char* R_bytes = NULL; - const unsigned char* s_scalar = NULL; - unsigned char h_scalar[SCALARLEN]; - unsigned char* M_buf = NULL; - unsigned char R_calc_bytes[POINTLEN]; - - if (signature == NULL) - goto err; - if (eddsa_25519_pubkey_bytes == NULL) - goto err; - if (msg == NULL) - goto err; - if (customization_label == NULL && customization_label_len != 0) - goto err; - if (customization_label_len > LABELMAXLEN) - goto err; - if (msg_len > MSGMAXLEN) - goto err; - - if ((M_buf = malloc(msg_len + MSTART)) == 0) - goto err; - memcpy(M_buf + MSTART, msg, msg_len); - - if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0, - customization_label, customization_label_len) != 0) - goto err; - - R_bytes = signature; - s_scalar = signature + POINTLEN; - - if (!point_isreduced(eddsa_25519_pubkey_bytes)) - goto err; - if (!point_isreduced(R_bytes)) - goto err; - if (!sc_isreduced(s_scalar)) - goto err; - - if (generalized_challenge(h_scalar, labelset, labelset_len, - NULL, 0, R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0) - goto err; - - if (generalized_solve_commitment(R_calc_bytes, NULL, NULL, - s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0) - goto err; - - if (crypto_verify_32(R_bytes, R_calc_bytes) != 0) - goto err; - - free(M_buf); - return 0; - -err: - free(M_buf); - return -1; -} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h deleted file mode 100644 index 0c281bcac9..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h +++ /dev/null @@ -1,65 +0,0 @@ -#ifndef __GEN_EDDSA_H__ -#define __GEN_EDDSA_H__ - -#include "ge.h" - -/* B: base point - R: commitment (point), - r: private nonce (scalar) - K: encoded public key - k: private key (scalar) - Z: 32-bytes random - M: buffer containing message, message starts at M_start, continues for M_len - - r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q) -*/ -int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar, - const unsigned char* labelset, const unsigned long labelset_len, - const unsigned char* extra, const unsigned long extra_len, - const unsigned char* K_bytes, const unsigned char* k_scalar, - const unsigned char* Z, - unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len); - -/* if is_labelset_empty(labelset): - return hash(R || K || M) (mod q) - else: - return hash(B || labelset || R || labelset || K || extra || M) (mod q) -*/ -int generalized_challenge(unsigned char* h_scalar, - const unsigned char* labelset, const unsigned long labelset_len, - const unsigned char* extra, const unsigned long extra_len, - const unsigned char* R_bytes, - const unsigned char* K_bytes, - unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len); - -/* return r + kh (mod q) */ -int generalized_prove(unsigned char* out_scalar, - const unsigned char* r_scalar, - const unsigned char* k_scalar, - const unsigned char* h_scalar); - -/* R = B^s / K^h */ -int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out, - const ge_p3* B_point, const unsigned char* s_scalar, - const unsigned char* K_bytes, const unsigned char* h_scalar); - - -int generalized_eddsa_25519_sign( - unsigned char* signature_out, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* eddsa_25519_privkey_scalar, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -int generalized_eddsa_25519_verify( - const unsigned char* signature, - const unsigned char* eddsa_25519_pubkey, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c deleted file mode 100644 index b181cad5dc..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c +++ /dev/null @@ -1,157 +0,0 @@ -#include <stdlib.h> -#include <string.h> -#include "gen_labelset.h" -#include "gen_constants.h" - -const unsigned char B_bytes[] = { - 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, - 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, -}; - -unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend, - const unsigned char* in, const unsigned long in_len) -{ - unsigned long count = 0; - - if (bufptr == NULL || bufend == NULL || bufptr > bufend) - return NULL; - if (in == NULL && in_len != 0) - return NULL; - if (bufend - bufptr < in_len) - return NULL; - - for (count=0; count < in_len; count++) { - if (bufptr >= bufend) - return NULL; - *bufptr++ = *in++; - } - return bufptr; -} - -unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend) -{ - unsigned long count = 0; - unsigned long pad_len = 0; - - if (buf == NULL || bufptr == NULL || bufend == NULL || bufptr >= bufend || bufptr < buf) - return NULL; - - pad_len = (BLOCKLEN - ((bufptr-buf) % BLOCKLEN)) % BLOCKLEN; - if (bufend - bufptr < pad_len) - return NULL; - - for (count=0; count < pad_len; count++) { - if (bufptr >= bufend) - return NULL; - *bufptr++ = 0; - } - return bufptr; -} - -int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen, - const unsigned char* protocol_name, const unsigned char protocol_name_len, - const unsigned char* customization_label, const unsigned char customization_label_len) -{ - unsigned char* bufptr; - - *labelset_len = 0; - if (labelset == NULL) - return -1; - if (labelset_len == NULL) - return -1; - if (labelset_maxlen > LABELSETMAXLEN) - return -1; - if (labelset_maxlen < 3 + protocol_name_len + customization_label_len) - return -1; - if (protocol_name == NULL && protocol_name_len != 0) - return -1; - if (customization_label == NULL && customization_label_len != 0) - return -1; - if (protocol_name_len > LABELMAXLEN) - return -1; - if (customization_label_len > LABELMAXLEN) - return -1; - - bufptr = labelset; - *bufptr++ = 2; - *bufptr++ = protocol_name_len; - bufptr = buffer_add(bufptr, labelset + labelset_maxlen, protocol_name, protocol_name_len); - if (bufptr != NULL && bufptr < labelset + labelset_maxlen) - *bufptr++ = customization_label_len; - bufptr = buffer_add(bufptr, labelset + labelset_maxlen, - customization_label, customization_label_len); - - if (bufptr != NULL && bufptr - labelset == 3 + protocol_name_len + customization_label_len) { - *labelset_len = bufptr - labelset; - return 0; - } - return -1; -} - - -int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen, - const unsigned char* label, const unsigned char label_len) -{ - unsigned char* bufptr; - if (labelset_len == NULL) - return -1; - if (*labelset_len > LABELSETMAXLEN || labelset_maxlen > LABELSETMAXLEN) - return -1; - if (*labelset_len >= labelset_maxlen || *labelset_len + label_len + 1 > labelset_maxlen) - return -1; - if (*labelset_len < 3 || labelset_maxlen < 4) - return -1; - if (label_len > LABELMAXLEN) - return -1; - - labelset[0]++; - labelset[*labelset_len] = label_len; - bufptr = labelset + *labelset_len + 1; - bufptr = buffer_add(bufptr, labelset + labelset_maxlen, label, label_len); - if (bufptr == NULL) - return -1; - if (bufptr - labelset >= labelset_maxlen) - return -1; - if (bufptr - labelset != *labelset_len + 1 + label_len) - return -1; - - *labelset_len += (1 + label_len); - return 0; -} - -int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len) -{ - unsigned char num_labels = 0; - unsigned char count = 0; - unsigned long offset = 0; - unsigned char label_len = 0; - - if (labelset == NULL) - return -1; - if (labelset_len < 3 || labelset_len > LABELSETMAXLEN) - return -1; - - num_labels = labelset[0]; - offset = 1; - for (count = 0; count < num_labels; count++) { - label_len = labelset[offset]; - if (label_len > LABELMAXLEN) - return -1; - offset += 1 + label_len; - if (offset > labelset_len) - return -1; - } - if (offset != labelset_len) - return -1; - return 0; -} - -int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len) -{ - if (labelset_len != 3) - return 0; - return 1; -} - diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h deleted file mode 100644 index 6ac40da99d..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef __GEN_LABELSET_H__ -#define __GEN_LABELSET_H__ - -extern const unsigned char B_bytes[]; - -unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend, - const unsigned char* in, const unsigned long in_len); - -unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend); - - -int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen, - const unsigned char* protocol_name, const unsigned char protocol_name_len, - const unsigned char* customization_label, const unsigned char customization_label_len); - -int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen, - const unsigned char* label, const unsigned char label_len); - -int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len); - -int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len); - -#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c deleted file mode 100644 index 4e79b4859d..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c +++ /dev/null @@ -1,312 +0,0 @@ -#include <string.h> -#include "gen_eddsa.h" -#include "gen_veddsa.h" -#include "gen_constants.h" -#include "gen_labelset.h" -#include "gen_crypto_additions.h" -#include "crypto_hash_sha512.h" -#include "crypto_verify_32.h" -#include "crypto_additions.h" -#include "zeroize.h" -#include "ge.h" -#include "sc.h" -#include "utility.h" - -static int generalized_calculate_Bv(ge_p3* Bv_point, - const unsigned char* labelset, const unsigned long labelset_len, - const unsigned char* K_bytes, - unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len) -{ - unsigned char* bufptr; - unsigned long prefix_len = 0; - - if (labelset_validate(labelset, labelset_len) != 0) - return -1; - if (Bv_point == NULL || K_bytes == NULL || M_buf == NULL) - return -1; - - prefix_len = 2*POINTLEN + labelset_len; - if (prefix_len > M_start) - return -1; - - bufptr = M_buf + M_start - prefix_len; - bufptr = buffer_add(bufptr, M_buf + M_start, B_bytes, POINTLEN); - bufptr = buffer_add(bufptr, M_buf + M_start, labelset, labelset_len); - bufptr = buffer_add(bufptr, M_buf + M_start, K_bytes, POINTLEN); - if (bufptr == NULL || bufptr != M_buf + M_start) - return -1; - - hash_to_point(Bv_point, M_buf + M_start - prefix_len, prefix_len + M_len); - if (ge_isneutral(Bv_point)) - return -1; - return 0; -} - -static int generalized_calculate_vrf_output(unsigned char* vrf_output, - const unsigned char* labelset, const unsigned long labelset_len, - const ge_p3* cKv_point) -{ - unsigned char buf[BUFLEN]; - unsigned char* bufptr = buf; - unsigned char* bufend = buf + BUFLEN; - unsigned char cKv_bytes[POINTLEN]; - unsigned char hash[HASHLEN]; - - if (vrf_output == NULL) - return -1; - memset(vrf_output, 0, VRFOUTPUTLEN); - - if (labelset_len + 2*POINTLEN > BUFLEN) - return -1; - if (labelset_validate(labelset, labelset_len) != 0) - return -1; - if (cKv_point == NULL) - return -1; - if (VRFOUTPUTLEN > HASHLEN) - return -1; - - ge_p3_tobytes(cKv_bytes, cKv_point); - - bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN); - bufptr = buffer_add(bufptr, bufend, labelset, labelset_len); - bufptr = buffer_add(bufptr, bufend, cKv_bytes, POINTLEN); - if (bufptr == NULL) - return -1; - if (bufptr - buf > BUFLEN) - return -1; - crypto_hash_sha512(hash, buf, bufptr - buf); - memcpy(vrf_output, hash, VRFOUTPUTLEN); - return 0; -} - -int generalized_veddsa_25519_sign( - unsigned char* signature_out, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* eddsa_25519_privkey_scalar, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char labelset[LABELSETMAXLEN]; - unsigned long labelset_len = 0; - ge_p3 Bv_point; - ge_p3 Kv_point; - ge_p3 Rv_point; - unsigned char Bv_bytes[POINTLEN]; - unsigned char Kv_bytes[POINTLEN]; - unsigned char Rv_bytes[POINTLEN]; - unsigned char R_bytes[POINTLEN]; - unsigned char r_scalar[SCALARLEN]; - unsigned char h_scalar[SCALARLEN]; - unsigned char s_scalar[SCALARLEN]; - unsigned char extra[3*POINTLEN]; - unsigned char* M_buf = NULL; - char* protocol_name = "VEdDSA_25519_SHA512_Elligator2"; - - if (signature_out == NULL) - goto err; - memset(signature_out, 0, VRFSIGNATURELEN); - - if (eddsa_25519_pubkey_bytes == NULL) - goto err; - if (eddsa_25519_privkey_scalar == NULL) - goto err; - if (msg == NULL) - goto err; - if (customization_label == NULL && customization_label_len != 0) - goto err; - if (customization_label_len > LABELMAXLEN) - goto err; - if (msg_len > MSGMAXLEN) - goto err; - - if ((M_buf = malloc(msg_len + MSTART)) == 0) { - goto err; - } - memcpy(M_buf + MSTART, msg, msg_len); - - // labelset = new_labelset(protocol_name, customization_label) - if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, - (unsigned char*)protocol_name, strlen(protocol_name), - customization_label, customization_label_len) != 0) - goto err; - - // labelset1 = add_label(labels, "1") - // Bv = hash(hash(labelset1 || K) || M) - // Kv = k * Bv - labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1); - if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len, - eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0) - goto err; - ge_scalarmult(&Kv_point, eddsa_25519_privkey_scalar, &Bv_point); - ge_p3_tobytes(Bv_bytes, &Bv_point); - ge_p3_tobytes(Kv_bytes, &Kv_point); - - // labelset2 = add_label(labels, "2") - // R, r = commit(labelset2, (Bv || Kv), (K,k), Z, M) - labelset[labelset_len-1] = (unsigned char)'2'; - memcpy(extra, Bv_bytes, POINTLEN); - memcpy(extra + POINTLEN, Kv_bytes, POINTLEN); - if (generalized_commit(R_bytes, r_scalar, - labelset, labelset_len, - extra, 2*POINTLEN, - eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar, - random, M_buf, MSTART, msg_len) != 0) - goto err; - - // Rv = r * Bv - ge_scalarmult(&Rv_point, r_scalar, &Bv_point); - ge_p3_tobytes(Rv_bytes, &Rv_point); - - // labelset3 = add_label(labels, "3") - // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M) - labelset[labelset_len-1] = (unsigned char)'3'; - memcpy(extra + 2*POINTLEN, Rv_bytes, POINTLEN); - if (generalized_challenge(h_scalar, - labelset, labelset_len, - extra, 3*POINTLEN, - R_bytes, eddsa_25519_pubkey_bytes, - M_buf, MSTART, msg_len) != 0) - goto err; - - // s = prove(r, k, h) - if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0) - goto err; - - // return (Kv || h || s) - memcpy(signature_out, Kv_bytes, POINTLEN); - memcpy(signature_out + POINTLEN, h_scalar, SCALARLEN); - memcpy(signature_out + POINTLEN + SCALARLEN, s_scalar, SCALARLEN); - - zeroize(r_scalar, SCALARLEN); - zeroize_stack(); - free(M_buf); - return 0; - -err: - zeroize(r_scalar, SCALARLEN); - zeroize_stack(); - free(M_buf); - return -1; -} - -int generalized_veddsa_25519_verify( - unsigned char* vrf_out, - const unsigned char* signature, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char labelset[LABELSETMAXLEN]; - unsigned long labelset_len = 0; - const unsigned char* Kv_bytes; - const unsigned char* h_scalar; - const unsigned char* s_scalar; - ge_p3 Bv_point, K_point, Kv_point, cK_point, cKv_point; - unsigned char Bv_bytes[POINTLEN]; - unsigned char R_calc_bytes[POINTLEN]; - unsigned char Rv_calc_bytes[POINTLEN]; - unsigned char h_calc_scalar[SCALARLEN]; - unsigned char extra[3*POINTLEN]; - unsigned char* M_buf = NULL; - char* protocol_name = "VEdDSA_25519_SHA512_Elligator2"; - - if (vrf_out == NULL) - goto err; - memset(vrf_out, 0, VRFOUTPUTLEN); - - if (signature == NULL) - goto err; - if (eddsa_25519_pubkey_bytes == NULL) - goto err; - if (msg == NULL) - goto err; - if (customization_label == NULL && customization_label_len != 0) - goto err; - if (customization_label_len > LABELMAXLEN) - goto err; - if (msg_len > MSGMAXLEN) - goto err; - - if ((M_buf = malloc(msg_len + MSTART)) == 0) { - goto err; - } - memcpy(M_buf + MSTART, msg, msg_len); - - Kv_bytes = signature; - h_scalar = signature + POINTLEN; - s_scalar = signature + POINTLEN + SCALARLEN; - - if (!point_isreduced(eddsa_25519_pubkey_bytes)) - goto err; - if (!point_isreduced(Kv_bytes)) - goto err; - if (!sc_isreduced(h_scalar)) - goto err; - if (!sc_isreduced(s_scalar)) - goto err; - - // labelset = new_labelset(protocol_name, customization_label) - if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, - (unsigned char*)protocol_name, strlen(protocol_name), - customization_label, customization_label_len) != 0) - goto err; - - // labelset1 = add_label(labels, "1") - // Bv = hash(hash(labelset1 || K) || M) - labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1); - if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len, - eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0) - goto err; - ge_p3_tobytes(Bv_bytes, &Bv_point); - - // R = solve_commitment(B, s, K, h) - if (generalized_solve_commitment(R_calc_bytes, &K_point, NULL, - s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0) - goto err; - - // Rv = solve_commitment(Bv, s, Kv, h) - if (generalized_solve_commitment(Rv_calc_bytes, &Kv_point, &Bv_point, - s_scalar, Kv_bytes, h_scalar) != 0) - goto err; - - ge_scalarmult_cofactor(&cK_point, &K_point); - ge_scalarmult_cofactor(&cKv_point, &Kv_point); - if (ge_isneutral(&cK_point) || ge_isneutral(&cKv_point) || ge_isneutral(&Bv_point)) - goto err; - - // labelset3 = add_label(labels, "3") - // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M) - labelset[labelset_len-1] = (unsigned char)'3'; - memcpy(extra, Bv_bytes, POINTLEN); - memcpy(extra + POINTLEN, Kv_bytes, POINTLEN); - memcpy(extra + 2*POINTLEN, Rv_calc_bytes, POINTLEN); - if (generalized_challenge(h_calc_scalar, - labelset, labelset_len, - extra, 3*POINTLEN, - R_calc_bytes, eddsa_25519_pubkey_bytes, - M_buf, MSTART, msg_len) != 0) - goto err; - - // if bytes_equal(h, h') - if (crypto_verify_32(h_scalar, h_calc_scalar) != 0) - goto err; - - // labelset4 = add_label(labels, "4") - // v = hash(labelset4 || c*Kv) - labelset[labelset_len-1] = (unsigned char)'4'; - if (generalized_calculate_vrf_output(vrf_out, labelset, labelset_len, &cKv_point) != 0) - goto err; - - free(M_buf); - return 0; - -err: - free(M_buf); - return -1; -} - diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h deleted file mode 100644 index 1bc27a6e2b..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef __GEN_VEDDSA_H__ -#define __GEN_VEDDSA_H__ - -int generalized_veddsa_25519_sign( - unsigned char* signature_out, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* eddsa_25519_privkey_scalar, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -int generalized_veddsa_25519_verify( - unsigned char* vrf_out, - const unsigned char* signature, - const unsigned char* eddsa_25519_pubkey_bytes, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c deleted file mode 100644 index d4df5c1f1f..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c +++ /dev/null @@ -1,131 +0,0 @@ -#include <string.h> -#include "crypto_additions.h" -#include "gen_x.h" -#include "gen_constants.h" -#include "gen_eddsa.h" -#include "gen_veddsa.h" -#include "gen_crypto_additions.h" -#include "zeroize.h" - -static int convert_25519_pubkey(unsigned char* ed_pubkey_bytes, const unsigned char* x25519_pubkey_bytes) { - fe u; - fe y; - - /* Convert the X25519 public key into an Ed25519 public key. - - y = (u - 1) / (u + 1) - - NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp - */ - if (!fe_isreduced(x25519_pubkey_bytes)) - return -1; - fe_frombytes(u, x25519_pubkey_bytes); - fe_montx_to_edy(y, u); - fe_tobytes(ed_pubkey_bytes, y); - return 0; -} - -static int calculate_25519_keypair(unsigned char* K_bytes, unsigned char* k_scalar, - const unsigned char* x25519_privkey_scalar) -{ - unsigned char kneg[SCALARLEN]; - ge_p3 ed_pubkey_point; - unsigned char sign_bit = 0; - - if (SCALARLEN != 32) - return -1; - - /* Convert the Curve25519 privkey to an Ed25519 public key */ - ge_scalarmult_base(&ed_pubkey_point, x25519_privkey_scalar); - ge_p3_tobytes(K_bytes, &ed_pubkey_point); - - /* Force Edwards sign bit to zero */ - sign_bit = (K_bytes[31] & 0x80) >> 7; - memcpy(k_scalar, x25519_privkey_scalar, 32); - sc_neg(kneg, k_scalar); - sc_cmov(k_scalar, kneg, sign_bit); - K_bytes[31] &= 0x7F; - - zeroize(kneg, SCALARLEN); - return 0; -} - -int generalized_xeddsa_25519_sign(unsigned char* signature_out, - const unsigned char* x25519_privkey_scalar, - const unsigned char* msg, const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char K_bytes[POINTLEN]; - unsigned char k_scalar[SCALARLEN]; - int retval = -1; - - if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0) - return -1; - - retval = generalized_eddsa_25519_sign(signature_out, - K_bytes, k_scalar, - msg, msg_len, random, - customization_label, customization_label_len); - zeroize(k_scalar, SCALARLEN); - return retval; -} - -int generalized_xveddsa_25519_sign( - unsigned char* signature_out, - const unsigned char* x25519_privkey_scalar, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char K_bytes[POINTLEN]; - unsigned char k_scalar[SCALARLEN]; - int retval = -1; - - if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0) - return -1; - - retval = generalized_veddsa_25519_sign(signature_out, K_bytes, k_scalar, - msg, msg_len, random, - customization_label, customization_label_len); - zeroize(k_scalar, SCALARLEN); - return retval; -} - -int generalized_xeddsa_25519_verify( - const unsigned char* signature, - const unsigned char* x25519_pubkey_bytes, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char K_bytes[POINTLEN]; - - if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0) - return -1; - - return generalized_eddsa_25519_verify(signature, K_bytes, msg, msg_len, - customization_label, customization_label_len); -} - -int generalized_xveddsa_25519_verify( - unsigned char* vrf_out, - const unsigned char* signature, - const unsigned char* x25519_pubkey_bytes, - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len) -{ - unsigned char K_bytes[POINTLEN]; - - if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0) - return -1; - - return generalized_veddsa_25519_verify(vrf_out, signature, K_bytes, msg, msg_len, - customization_label, customization_label_len); -} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h deleted file mode 100644 index 3c4c04cb6c..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h +++ /dev/null @@ -1,37 +0,0 @@ -#ifndef __GEN_X_H -#define __GEN_X_H - -int generalized_xeddsa_25519_sign(unsigned char* signature_out, /* 64 bytes */ - const unsigned char* x25519_privkey_scalar, /* 32 bytes */ - const unsigned char* msg, const unsigned long msg_len, - const unsigned char* random, /* 32 bytes */ - const unsigned char* customization_label, - const unsigned long customization_label_len); - -int generalized_xeddsa_25519_verify( - const unsigned char* signature, /* 64 bytes */ - const unsigned char* x25519_pubkey_bytes, /* 32 bytes */ - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -int generalized_xveddsa_25519_sign( - unsigned char* signature_out, /* 96 bytes */ - const unsigned char* x25519_privkey_scalar, /* 32 bytes */ - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* random, /* 32 bytes */ - const unsigned char* customization_label, - const unsigned long customization_label_len); - -int generalized_xveddsa_25519_verify( - unsigned char* vrf_out, /* 32 bytes */ - const unsigned char* signature, /* 96 bytes */ - const unsigned char* x25519_pubkey_bytes, /* 32 bytes */ - const unsigned char* msg, - const unsigned long msg_len, - const unsigned char* customization_label, - const unsigned long customization_label_len); - -#endif diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c deleted file mode 100644 index 5541ffebbb..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c +++ /dev/null @@ -1,12 +0,0 @@ -#include<string.h> -#include "fe.h" -#include "crypto_additions.h" - -int point_isreduced(const unsigned char* p) -{ - unsigned char strict[32]; - - memmove(strict, p, 32); - strict[31] &= 0x7F; /* mask off sign bit */ - return fe_isreduced(strict); -} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c deleted file mode 100644 index 24193808ad..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c +++ /dev/null @@ -1,17 +0,0 @@ -#include <string.h> -#include "fe.h" -#include "sc.h" -#include "crypto_additions.h" -#include "crypto_verify_32.h" - -int sc_isreduced(const unsigned char* s) -{ - unsigned char strict[64]; - - memset(strict, 0, 64); - memmove(strict, s, 32); - sc_reduce(strict); - if (crypto_verify_32(strict, s) != 0) - return 0; - return 1; -} |