Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519/additions')
44 files changed, 0 insertions, 2223 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c b/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c
deleted file mode 100644
index 8b1e31389f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include <string.h>
-#include "compare.h"
-
-/* Const-time comparison from SUPERCOP, but here it's only used for
- signature verification, so doesn't need to be const-time. But
- copied the nacl version anyways. */
-int crypto_verify_32_ref(const unsigned char *x, const unsigned char *y)
-{
- unsigned int differentbits = 0;
-#define F(i) differentbits |= x[i] ^ y[i];
- F(0)
- F(1)
- F(2)
- F(3)
- F(4)
- F(5)
- F(6)
- F(7)
- F(8)
- F(9)
- F(10)
- F(11)
- F(12)
- F(13)
- F(14)
- F(15)
- F(16)
- F(17)
- F(18)
- F(19)
- F(20)
- F(21)
- F(22)
- F(23)
- F(24)
- F(25)
- F(26)
- F(27)
- F(28)
- F(29)
- F(30)
- F(31)
- return (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h b/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h
deleted file mode 100644
index 5a2fa910d4..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef __COMPARE_H__
-#define __COMPARE_H__
-
-int crypto_verify_32_ref(const unsigned char *b1, const unsigned char *b2);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
deleted file mode 100644
index 5c4b8f47bf..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
+++ /dev/null
@@ -1,45 +0,0 @@
-
-#ifndef __CRYPTO_ADDITIONS__
-#define __CRYPTO_ADDITIONS__
-
-#include "crypto_uint32.h"
-#include "fe.h"
-#include "ge.h"
-
-#define MAX_MSG_LEN 256
-
-void sc_neg(unsigned char *b, const unsigned char *a);
-void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b);
-
-int fe_isequal(const fe f, const fe g);
-int fe_isreduced(const unsigned char* s);
-void fe_mont_rhs(fe v2, const fe u);
-void fe_montx_to_edy(fe y, const fe u);
-void fe_sqrt(fe b, const fe a);
-
-int ge_isneutral(const ge_p3* q);
-void ge_neg(ge_p3* r, const ge_p3 *p);
-void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit);
-void ge_p3_to_montx(fe u, const ge_p3 *p);
-void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A);
-void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p);
-
-void elligator(fe u, const fe r);
-void hash_to_point(ge_p3* p, const unsigned char* msg, const unsigned long in_len);
-
-int crypto_sign_modified(
- unsigned char *sm,
- const unsigned char *m,unsigned long long mlen,
- const unsigned char *sk, /* Curve/Ed25519 private key */
- const unsigned char *pk, /* Ed25519 public key */
- const unsigned char *random /* 64 bytes random to hash into nonce */
- );
-
-int crypto_sign_open_modified(
- unsigned char *m,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk
- );
-
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h
deleted file mode 100644
index a51a190d25..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef crypto_hash_sha512_H
-#define crypto_hash_sha512_H
-
-extern int crypto_hash_sha512(unsigned char *,const unsigned char *,unsigned long long);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
deleted file mode 100644
index 325472427c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
+++ /dev/null
@@ -1,102 +0,0 @@
-#include <stdlib.h>
-#include <string.h>
-#include "ge.h"
-#include "curve_sigs.h"
-#include "crypto_sign.h"
-#include "crypto_additions.h"
-
-int curve25519_sign(unsigned char* signature_out,
- const unsigned char* curve25519_privkey,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random)
-{
- ge_p3 ed_pubkey_point; /* Ed25519 pubkey point */
- unsigned char ed_pubkey[32]; /* Ed25519 encoded pubkey */
- unsigned char *sigbuf; /* working buffer */
- unsigned char sign_bit = 0;
-
- if ((sigbuf = malloc(msg_len + 128)) == 0) {
- memset(signature_out, 0, 64);
- return -1;
- }
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
- ge_p3_tobytes(ed_pubkey, &ed_pubkey_point);
- sign_bit = ed_pubkey[31] & 0x80;
-
- /* Perform an Ed25519 signature with explicit private key */
- crypto_sign_modified(sigbuf, msg, msg_len, curve25519_privkey,
- ed_pubkey, random);
- memmove(signature_out, sigbuf, 64);
-
- /* Encode the sign bit into signature (in unused high bit of S) */
- signature_out[63] &= 0x7F; /* bit should be zero already, but just in case */
- signature_out[63] |= sign_bit;
-
- free(sigbuf);
- return 0;
-}
-
-int curve25519_verify(const unsigned char* signature,
- const unsigned char* curve25519_pubkey,
- const unsigned char* msg, const unsigned long msg_len)
-{
- fe u;
- fe y;
- unsigned char ed_pubkey[32];
- unsigned char *verifybuf = NULL; /* working buffer */
- unsigned char *verifybuf2 = NULL; /* working buffer #2 */
- int result;
-
- if ((verifybuf = malloc(msg_len + 64)) == 0) {
- result = -1;
- goto err;
- }
-
- if ((verifybuf2 = malloc(msg_len + 64)) == 0) {
- result = -1;
- goto err;
- }
-
- /* Convert the Curve25519 public key into an Ed25519 public key. In
- particular, convert Curve25519's "montgomery" x-coordinate (u) into an
- Ed25519 "edwards" y-coordinate:
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
-
- Then move the sign bit into the pubkey from the signature.
- */
- fe_frombytes(u, curve25519_pubkey);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey, y);
-
- /* Copy the sign bit, and remove it from signature */
- ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */
- ed_pubkey[31] |= (signature[63] & 0x80);
- memmove(verifybuf, signature, 64);
- verifybuf[63] &= 0x7F;
-
- memmove(verifybuf+64, msg, msg_len);
-
- /* Then perform a normal Ed25519 verification, return 0 on success */
- /* The below call has a strange API: */
- /* verifybuf = R || S || message */
- /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
- replaced with pubkey for hashing */
- result = crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
-
- err:
-
- if (verifybuf != NULL) {
- free(verifybuf);
- }
-
- if (verifybuf2 != NULL) {
- free(verifybuf2);
- }
-
- return result;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
deleted file mode 100644
index a2d819aef0..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
+++ /dev/null
@@ -1,17 +0,0 @@
-
-#ifndef __CURVE_SIGS_H__
-#define __CURVE_SIGS_H__
-
-/* returns 0 on success */
-int curve25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* curve25519_privkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
- const unsigned char* random); /* 64 bytes */
-
-/* returns 0 on success */
-int curve25519_verify(const unsigned char* signature, /* 64 bytes */
- const unsigned char* curve25519_pubkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
-
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
deleted file mode 100644
index 17b03a71f6..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include <string.h>
-#include "fe.h"
-#include "ge.h"
-#include "crypto_uint32.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_additions.h"
-
-unsigned int legendre_is_nonsquare(fe in)
-{
- fe temp;
- unsigned char bytes[32];
- fe_pow22523(temp, in); /* temp = in^((q-5)/8) */
- fe_sq(temp, temp); /* in^((q-5)/4) */
- fe_sq(temp, temp); /* in^((q-5)/2) */
- fe_mul(temp, temp, in); /* in^((q-3)/2) */
- fe_mul(temp, temp, in); /* in^((q-1)/2) */
-
- /* temp is now the Legendre symbol:
- * 1 = square
- * 0 = input is zero
- * -1 = nonsquare
- */
- fe_tobytes(bytes, temp);
- return 1 & bytes[31];
-}
-
-void elligator(fe u, const fe r)
-{
- /* r = input
- * x = -A/(1+2r^2) # 2 is nonsquare
- * e = (x^3 + Ax^2 + x)^((q-1)/2) # legendre symbol
- * if e == 1 (square) or e == 0 (because x == 0 and 2r^2 + 1 == 0)
- * u = x
- * if e == -1 (nonsquare)
- * u = -x - A
- */
- fe A, one, twor2, twor2plus1, twor2plus1inv;
- fe x, e, Atemp, uneg;
- unsigned int nonsquare;
-
- fe_1(one);
- fe_0(A);
- A[0] = 486662; /* A = 486662 */
-
- fe_sq2(twor2, r); /* 2r^2 */
- fe_add(twor2plus1, twor2, one); /* 1+2r^2 */
- fe_invert(twor2plus1inv, twor2plus1); /* 1/(1+2r^2) */
- fe_mul(x, twor2plus1inv, A); /* A/(1+2r^2) */
- fe_neg(x, x); /* x = -A/(1+2r^2) */
-
- fe_mont_rhs(e, x); /* e = x^3 + Ax^2 + x */
- nonsquare = legendre_is_nonsquare(e);
-
- fe_0(Atemp);
- fe_cmov(Atemp, A, nonsquare); /* 0, or A if nonsquare */
- fe_add(u, x, Atemp); /* x, or x+A if nonsquare */
- fe_neg(uneg, u); /* -x, or -x-A if nonsquare */
- fe_cmov(u, uneg, nonsquare); /* x, or -x-A if nonsquare */
-}
-
-void hash_to_point(ge_p3* p, const unsigned char* in, const unsigned long in_len)
-{
- unsigned char hash[64];
- fe h, u;
- unsigned char sign_bit;
- ge_p3 p3;
-
- crypto_hash_sha512(hash, in, in_len);
-
- /* take the high bit as Edwards sign bit */
- sign_bit = (hash[31] & 0x80) >> 7;
- hash[31] &= 0x7F;
- fe_frombytes(h, hash);
- elligator(u, h);
-
- ge_montx_to_p3(&p3, u, sign_bit);
- ge_scalarmult_cofactor(p, &p3);
-}
-
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
deleted file mode 100644
index 67c5d33c96..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
+++ /dev/null
@@ -1,14 +0,0 @@
-#include "fe.h"
-#include "crypto_verify_32.h"
-
-/*
-return 1 if f == g
-return 0 if f != g
-*/
-
-int fe_isequal(const fe f, const fe g)
-{
- fe h;
- fe_sub(h, f, g);
- return 1 ^ (1 & (fe_isnonzero(h) >> 8));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
deleted file mode 100644
index 6fbb3beccd..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
+++ /dev/null
@@ -1,14 +0,0 @@
-#include "fe.h"
-#include "crypto_verify_32.h"
-
-int fe_isreduced(const unsigned char* s)
-{
- fe f;
- unsigned char strict[32];
-
- fe_frombytes(f, s);
- fe_tobytes(strict, f);
- if (crypto_verify_32(strict, s) != 0)
- return 0;
- return 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
deleted file mode 100644
index bc8393620c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include "fe.h"
-
-void fe_mont_rhs(fe v2, fe u) {
- fe A, one;
- fe u2, Au, inner;
-
- fe_1(one);
- fe_0(A);
- A[0] = 486662; /* A = 486662 */
-
- fe_sq(u2, u); /* u^2 */
- fe_mul(Au, A, u); /* Au */
- fe_add(inner, u2, Au); /* u^2 + Au */
- fe_add(inner, inner, one); /* u^2 + Au + 1 */
- fe_mul(v2, u, inner); /* u(u^2 + Au + 1) */
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
deleted file mode 100644
index b0f8c63276..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
+++ /dev/null
@@ -1,19 +0,0 @@
-
-#include "fe.h"
-#include "crypto_additions.h"
-
-void fe_montx_to_edy(fe y, const fe u)
-{
- /*
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- fe one, um1, up1;
-
- fe_1(one);
- fe_sub(um1, u, one);
- fe_add(up1, u, one);
- fe_invert(up1, up1);
- fe_mul(y, um1, up1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
deleted file mode 100644
index a0c9785821..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
+++ /dev/null
@@ -1,51 +0,0 @@
-#include <assert.h>
-#include "fe.h"
-#include "crypto_additions.h"
-
-/* sqrt(-1) */
-static unsigned char i_bytes[32] = {
- 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
- 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
- 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
- 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
-};
-
-/* Preconditions: a is square or zero */
-
-void fe_sqrt(fe out, const fe a)
-{
- fe exp, b, b2, bi, i;
-#ifndef NDEBUG
- fe legendre, zero, one;
-#endif
-
- fe_frombytes(i, i_bytes);
- fe_pow22523(exp, a); /* b = a^(q-5)/8 */
-
- /* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */
-#ifndef NDEBUG
- fe_sq(legendre, exp); /* in^((q-5)/4) */
- fe_sq(legendre, legendre); /* in^((q-5)/2) */
- fe_mul(legendre, legendre, a); /* in^((q-3)/2) */
- fe_mul(legendre, legendre, a); /* in^((q-1)/2) */
-
- fe_0(zero);
- fe_1(one);
- assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one));
-#endif
-
- fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */
- fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */
-
- /* note b^4 == a^2, so b^2 == a or -a
- * if b^2 != a, multiply it by sqrt(-1) */
- fe_mul(bi, b, i);
- fe_cmov(b, bi, 1 ^ fe_isequal(b2, a));
- fe_copy(out, b);
-
- /* PRECONDITION: out^2 == a */
-#ifndef NDEBUG
- fe_sq(b2, out);
- assert(fe_isequal(a, b2));
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
deleted file mode 100644
index d40e443682..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return 1 if p is the neutral point
-return 0 otherwise
-*/
-
-int ge_isneutral(const ge_p3 *p)
-{
- fe zero;
- fe_0(zero);
-
- /* Check if p == neutral element == (0, 1) */
- return (fe_isequal(p->X, zero) & fe_isequal(p->Y, p->Z));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
deleted file mode 100644
index 7a716c5a72..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "fe.h"
-#include "ge.h"
-#include "assert.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* sqrt(-(A+2)) */
-static unsigned char A_bytes[32] = {
- 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
- 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
- 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
- 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
-};
-
-void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit)
-{
- fe x, y, A, v, v2, iv, nx;
-
- fe_frombytes(A, A_bytes);
-
- /* given u, recover edwards y */
- /* given u, recover v */
- /* given u and v, recover edwards x */
-
- fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
-
- fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
- fe_sqrt(v, v2); /* v = sqrt(v^2) */
-
- fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
- fe_invert(iv, v); /* 1/v */
- fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
-
- fe_neg(nx, x); /* negate x to match sign bit */
- fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
-
- fe_copy(p->X, x);
- fe_copy(p->Y, y);
- fe_1(p->Z);
- fe_mul(p->T, p->X, p->Y);
-
- /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
- /* -x^2 + y^2 = 1 + dx^2y^2 */
-#ifndef NDEBUG
- {
- fe one, d, x2, y2, x2y2, dx2y2;
-
- unsigned char dbytes[32] = {
- 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
- 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
- 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
- 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
- };
-
- fe_frombytes(d, dbytes);
- fe_1(one);
- fe_sq(x2, p->X); /* x^2 */
- fe_sq(y2, p->Y); /* y^2 */
-
- fe_mul(dx2y2, x2, y2); /* x^2y^2 */
- fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
- fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
-
- fe_neg(x2y2, x2); /* -x^2 */
- fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
-
- assert(fe_isequal(x2y2, dx2y2));
- }
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
deleted file mode 100644
index d679713fe0..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return r = -p
-*/
-
-
-void ge_neg(ge_p3* r, const ge_p3 *p)
-{
- fe_neg(r->X, p->X);
- fe_copy(r->Y, p->Y);
- fe_copy(r->Z, p->Z);
- fe_neg(r->T, p->T);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
deleted file mode 100644
index b539b2f17f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "fe.h"
-#include "crypto_additions.h"
-
-void ge_p3_to_montx(fe u, const ge_p3 *ed)
-{
- /*
- u = (y + 1) / (1 - y)
- or
- u = (y + z) / (z - y)
-
- NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
- */
-
- fe y_plus_one, one_minus_y, inv_one_minus_y;
-
- fe_add(y_plus_one, ed->Y, ed->Z);
- fe_sub(one_minus_y, ed->Z, ed->Y);
- fe_invert(inv_one_minus_y, one_minus_y);
- fe_mul(u, y_plus_one, inv_one_minus_y);
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
deleted file mode 100644
index e4f741b8d8..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
+++ /dev/null
@@ -1,140 +0,0 @@
-#include "crypto_uint32.h"
-#include "ge.h"
-#include "crypto_additions.h"
-
-static unsigned char equal(signed char b,signed char c)
-{
- unsigned char ub = b;
- unsigned char uc = c;
- unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
- crypto_uint32 y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
- return y;
-}
-
-static unsigned char negative(signed char b)
-{
- unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
- x >>= 63; /* 1: yes; 0: no */
- return x;
-}
-
-static void cmov(ge_cached *t,const ge_cached *u,unsigned char b)
-{
- fe_cmov(t->YplusX,u->YplusX,b);
- fe_cmov(t->YminusX,u->YminusX,b);
- fe_cmov(t->Z,u->Z,b);
- fe_cmov(t->T2d,u->T2d,b);
-}
-
-static void select(ge_cached *t,const ge_cached *pre, signed char b)
-{
- ge_cached minust;
- unsigned char bnegative = negative(b);
- unsigned char babs = b - (((-bnegative) & b) << 1);
-
- fe_1(t->YplusX);
- fe_1(t->YminusX);
- fe_1(t->Z);
- fe_0(t->T2d);
-
- cmov(t,pre+0,equal(babs,1));
- cmov(t,pre+1,equal(babs,2));
- cmov(t,pre+2,equal(babs,3));
- cmov(t,pre+3,equal(babs,4));
- cmov(t,pre+4,equal(babs,5));
- cmov(t,pre+5,equal(babs,6));
- cmov(t,pre+6,equal(babs,7));
- cmov(t,pre+7,equal(babs,8));
- fe_copy(minust.YplusX,t->YminusX);
- fe_copy(minust.YminusX,t->YplusX);
- fe_copy(minust.Z,t->Z);
- fe_neg(minust.T2d,t->T2d);
- cmov(t,&minust,bnegative);
-}
-
-/*
-h = a * B
-where a = a[0]+256*a[1]+...+256^31 a[31]
-B is the Ed25519 base point (x,4/5) with x positive.
-
-Preconditions:
- a[31] <= 127
-*/
-
-void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A)
-{
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_p3 t0, t1, t2;
- ge_cached t, pre[8];
- int i;
-
- for (i = 0;i < 32;++i) {
- e[2 * i + 0] = (a[i] >> 0) & 15;
- e[2 * i + 1] = (a[i] >> 4) & 15;
- }
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
-
- carry = 0;
- for (i = 0;i < 63;++i) {
- e[i] += carry;
- carry = e[i] + 8;
- carry >>= 4;
- e[i] -= carry << 4;
- }
- e[63] += carry;
- /* each e[i] is between -8 and 8 */
-
- // Precomputation:
- ge_p3_to_cached(pre+0, A); // A
-
- ge_p3_dbl(&r, A);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+1, &t0); // 2A
-
- ge_add(&r, A, pre+1);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+2, &t1); // 3A
-
- ge_p3_dbl(&r, &t0);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+3, &t0); // 4A
-
- ge_add(&r, A, pre+3);
- ge_p1p1_to_p3(&t2, &r);
- ge_p3_to_cached(pre+4, &t2); // 5A
-
- ge_p3_dbl(&r, &t1);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+5, &t1); // 6A
-
- ge_add(&r, A, pre+5);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+6, &t1); // 7A
-
- ge_p3_dbl(&r, &t0);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+7, &t0); // 8A
-
- ge_p3_0(h);
-
- for (i = 63;i > 0; i--) {
- select(&t,pre,e[i]);
- ge_add(&r, h, &t);
- ge_p1p1_to_p2(&s,&r);
-
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
-
- }
- select(&t,pre,e[0]);
- ge_add(&r, h, &t);
- ge_p1p1_to_p3(h,&r);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
deleted file mode 100644
index 6affbb05d5..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return 8 * p
-*/
-
-void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p)
-{
- ge_p1p1 p1p1;
- ge_p2 p2;
-
- ge_p3_dbl(&p1p1, p);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p3(q, &p1p1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c
deleted file mode 100644
index 75d9673d01..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "ge.h"
-
-/*
-r = p + q
-*/
-
-void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q)
-{
- ge_cached p_cached;
- ge_p1p1 r_p1p1;
-
- ge_p3_to_cached(&p_cached, p);
- ge_add(&r_p1p1, q, &p_cached);
- ge_p1p1_to_p3(r, &r_p1p1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h
deleted file mode 100644
index 392a88e57b..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _GEN_CONSTANTS_H__
-#define _GEN_CONSTANTS_H__
-
-#define LABELSETMAXLEN 512
-#define LABELMAXLEN 128
-#define BUFLEN 1024
-#define BLOCKLEN 128 /* SHA512 */
-#define HASHLEN 64 /* SHA512 */
-#define POINTLEN 32
-#define SCALARLEN 32
-#define RANDLEN 32
-#define SIGNATURELEN 64
-#define VRFSIGNATURELEN 96
-#define VRFOUTPUTLEN 32
-#define MSTART 2048
-#define MSGMAXLEN 1048576
-
-#endif
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h
deleted file mode 100644
index 569ae26f4d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h
+++ /dev/null
@@ -1,16 +0,0 @@
-
-#ifndef __GEN_CRYPTO_ADDITIONS__
-#define __GEN_CRYPTO_ADDITIONS__
-
-#include "crypto_uint32.h"
-#include "fe.h"
-#include "ge.h"
-
-int sc_isreduced(const unsigned char* s);
-
-int point_isreduced(const unsigned char* p);
-
-void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q);
-
-#endif
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c
deleted file mode 100644
index 9755d28ede..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c
+++ /dev/null
@@ -1,349 +0,0 @@
-#include <string.h>
-#include "gen_eddsa.h"
-#include "gen_labelset.h"
-#include "gen_constants.h"
-#include "gen_crypto_additions.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "zeroize.h"
-#include "ge.h"
-#include "sc.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* B: base point
- * R: commitment (point),
- r: private nonce (scalar)
- K: encoded public key
- k: private key (scalar)
- Z: 32-bytes random
- M: buffer containing message, message starts at M_start, continues for M_len
-
- r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q)
-*/
-int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* K_bytes, const unsigned char* k_scalar,
- const unsigned char* Z,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- ge_p3 R_point;
- unsigned char hash[HASHLEN];
- unsigned char* bufstart = NULL;
- unsigned char* bufptr = NULL;
- unsigned char* bufend = NULL;
- unsigned long prefix_len = 0;
-
- if (labelset_validate(labelset, labelset_len) != 0)
- goto err;
- if (R_bytes == NULL || r_scalar == NULL ||
- K_bytes == NULL || k_scalar == NULL ||
- Z == NULL || M_buf == NULL)
- goto err;
- if (extra == NULL && extra_len != 0)
- goto err;
- if (extra != NULL && extra_len == 0)
- goto err;
- if (extra != NULL && labelset_is_empty(labelset, labelset_len))
- goto err;
- if (HASHLEN != 64)
- goto err;
-
- prefix_len = 0;
- prefix_len += POINTLEN + labelset_len + RANDLEN;
- prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN);
- prefix_len += SCALARLEN;
- prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN);
- prefix_len += labelset_len + POINTLEN + extra_len;
- if (prefix_len > M_start)
- goto err;
-
- bufstart = M_buf + M_start - prefix_len;
- bufptr = bufstart;
- bufend = M_buf + M_start;
- bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, Z, RANDLEN);
- bufptr = buffer_pad(bufstart, bufptr, bufend);
- bufptr = buffer_add(bufptr, bufend, k_scalar, SCALARLEN);
- bufptr = buffer_pad(bufstart, bufptr, bufend);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, extra, extra_len);
- if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len)
- goto err;
-
- crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len);
- sc_reduce(hash);
- ge_scalarmult_base(&R_point, hash);
- ge_p3_tobytes(R_bytes, &R_point);
- memcpy(r_scalar, hash, SCALARLEN);
-
- zeroize(hash, HASHLEN);
- zeroize(bufstart, prefix_len);
- return 0;
-
-err:
- zeroize(hash, HASHLEN);
- zeroize(M_buf, M_start);
- return -1;
-}
-
-/* if is_labelset_empty(labelset):
- return hash(R || K || M) (mod q)
- else:
- return hash(B || labelset || R || labelset || K || extra || M) (mod q)
-*/
-int generalized_challenge(unsigned char* h_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* R_bytes,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- unsigned char hash[HASHLEN];
- unsigned char* bufstart = NULL;
- unsigned char* bufptr = NULL;
- unsigned char* bufend = NULL;
- unsigned long prefix_len = 0;
-
- if (h_scalar == NULL)
- goto err;
- memset(h_scalar, 0, SCALARLEN);
-
- if (labelset_validate(labelset, labelset_len) != 0)
- goto err;
- if (R_bytes == NULL || K_bytes == NULL || M_buf == NULL)
- goto err;
- if (extra == NULL && extra_len != 0)
- goto err;
- if (extra != NULL && extra_len == 0)
- goto err;
- if (extra != NULL && labelset_is_empty(labelset, labelset_len))
- goto err;
- if (HASHLEN != 64)
- goto err;
-
- if (labelset_is_empty(labelset, labelset_len)) {
- if (2*POINTLEN > M_start)
- goto err;
- if (extra != NULL || extra_len != 0)
- goto err;
- memcpy(M_buf + M_start - (2*POINTLEN), R_bytes, POINTLEN);
- memcpy(M_buf + M_start - (1*POINTLEN), K_bytes, POINTLEN);
- prefix_len = 2*POINTLEN;
- } else {
- prefix_len = 3*POINTLEN + 2*labelset_len + extra_len;
- if (prefix_len > M_start)
- goto err;
-
- bufstart = M_buf + M_start - prefix_len;
- bufptr = bufstart;
- bufend = M_buf + M_start;
- bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, R_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, extra, extra_len);
-
- if (bufptr == NULL)
- goto err;
- if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len)
- goto err;
- }
-
- crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len);
- sc_reduce(hash);
- memcpy(h_scalar, hash, SCALARLEN);
- return 0;
-
-err:
- return -1;
-}
-
-/* return r + kh (mod q) */
-int generalized_prove(unsigned char* out_scalar,
- const unsigned char* r_scalar, const unsigned char* k_scalar, const unsigned char* h_scalar)
-{
- sc_muladd(out_scalar, h_scalar, k_scalar, r_scalar);
- zeroize_stack();
- return 0;
-}
-
-/* R = s*B - h*K */
-int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out,
- const ge_p3* B_point, const unsigned char* s_scalar,
- const unsigned char* K_bytes, const unsigned char* h_scalar)
-{
-
- ge_p3 Kneg_point;
- ge_p2 R_calc_point_p2;
-
- ge_p3 sB;
- ge_p3 hK;
- ge_p3 R_calc_point_p3;
-
- if (ge_frombytes_negate_vartime(&Kneg_point, K_bytes) != 0)
- return -1;
-
- if (B_point == NULL) {
- ge_double_scalarmult_vartime(&R_calc_point_p2, h_scalar, &Kneg_point, s_scalar);
- ge_tobytes(R_bytes_out, &R_calc_point_p2);
- }
- else {
- // s * Bv
- ge_scalarmult(&sB, s_scalar, B_point);
-
- // h * -K
- ge_scalarmult(&hK, h_scalar, &Kneg_point);
-
- // R = sB - hK
- ge_p3_add(&R_calc_point_p3, &sB, &hK);
- ge_p3_tobytes(R_bytes_out, &R_calc_point_p3);
- }
-
- if (K_point_out) {
- ge_neg(K_point_out, &Kneg_point);
- }
-
- return 0;
-}
-
-
-int generalized_eddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- unsigned char R_bytes[POINTLEN];
- unsigned char r_scalar[SCALARLEN];
- unsigned char h_scalar[SCALARLEN];
- unsigned char s_scalar[SCALARLEN];
- unsigned char* M_buf = NULL;
-
- if (signature_out == NULL)
- goto err;
- memset(signature_out, 0, SIGNATURELEN);
-
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (eddsa_25519_privkey_scalar == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0)
- goto err;
- memcpy(M_buf + MSTART, msg, msg_len);
-
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0,
- customization_label, customization_label_len) != 0)
- goto err;
-
- if (generalized_commit(R_bytes, r_scalar, labelset, labelset_len, NULL, 0,
- eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar,
- random, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_challenge(h_scalar, labelset, labelset_len, NULL, 0,
- R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0)
- goto err;
-
- memcpy(signature_out, R_bytes, POINTLEN);
- memcpy(signature_out + POINTLEN, s_scalar, SCALARLEN);
-
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return 0;
-
-err:
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return -1;
-}
-
-int generalized_eddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- const unsigned char* R_bytes = NULL;
- const unsigned char* s_scalar = NULL;
- unsigned char h_scalar[SCALARLEN];
- unsigned char* M_buf = NULL;
- unsigned char R_calc_bytes[POINTLEN];
-
- if (signature == NULL)
- goto err;
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0)
- goto err;
- memcpy(M_buf + MSTART, msg, msg_len);
-
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0,
- customization_label, customization_label_len) != 0)
- goto err;
-
- R_bytes = signature;
- s_scalar = signature + POINTLEN;
-
- if (!point_isreduced(eddsa_25519_pubkey_bytes))
- goto err;
- if (!point_isreduced(R_bytes))
- goto err;
- if (!sc_isreduced(s_scalar))
- goto err;
-
- if (generalized_challenge(h_scalar, labelset, labelset_len,
- NULL, 0, R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_solve_commitment(R_calc_bytes, NULL, NULL,
- s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0)
- goto err;
-
- if (crypto_verify_32(R_bytes, R_calc_bytes) != 0)
- goto err;
-
- free(M_buf);
- return 0;
-
-err:
- free(M_buf);
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h
deleted file mode 100644
index 0c281bcac9..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h
+++ /dev/null
@@ -1,65 +0,0 @@
-#ifndef __GEN_EDDSA_H__
-#define __GEN_EDDSA_H__
-
-#include "ge.h"
-
-/* B: base point
- R: commitment (point),
- r: private nonce (scalar)
- K: encoded public key
- k: private key (scalar)
- Z: 32-bytes random
- M: buffer containing message, message starts at M_start, continues for M_len
-
- r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q)
-*/
-int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* K_bytes, const unsigned char* k_scalar,
- const unsigned char* Z,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len);
-
-/* if is_labelset_empty(labelset):
- return hash(R || K || M) (mod q)
- else:
- return hash(B || labelset || R || labelset || K || extra || M) (mod q)
-*/
-int generalized_challenge(unsigned char* h_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* R_bytes,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len);
-
-/* return r + kh (mod q) */
-int generalized_prove(unsigned char* out_scalar,
- const unsigned char* r_scalar,
- const unsigned char* k_scalar,
- const unsigned char* h_scalar);
-
-/* R = B^s / K^h */
-int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out,
- const ge_p3* B_point, const unsigned char* s_scalar,
- const unsigned char* K_bytes, const unsigned char* h_scalar);
-
-
-int generalized_eddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long
customization_label_len);
-
-int generalized_eddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c
deleted file mode 100644
index b181cad5dc..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c
+++ /dev/null
@@ -1,157 +0,0 @@
-#include <stdlib.h>
-#include <string.h>
-#include "gen_labelset.h"
-#include "gen_constants.h"
-
-const unsigned char B_bytes[] = {
- 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-};
-
-unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend,
- const unsigned char* in, const unsigned long in_len)
-{
- unsigned long count = 0;
-
- if (bufptr == NULL || bufend == NULL || bufptr > bufend)
- return NULL;
- if (in == NULL && in_len != 0)
- return NULL;
- if (bufend - bufptr < in_len)
- return NULL;
-
- for (count=0; count < in_len; count++) {
- if (bufptr >= bufend)
- return NULL;
- *bufptr++ = *in++;
- }
- return bufptr;
-}
-
-unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend)
-{
- unsigned long count = 0;
- unsigned long pad_len = 0;
-
- if (buf == NULL || bufptr == NULL || bufend == NULL || bufptr >= bufend || bufptr < buf)
- return NULL;
-
- pad_len = (BLOCKLEN - ((bufptr-buf) % BLOCKLEN)) % BLOCKLEN;
- if (bufend - bufptr < pad_len)
- return NULL;
-
- for (count=0; count < pad_len; count++) {
- if (bufptr >= bufend)
- return NULL;
- *bufptr++ = 0;
- }
- return bufptr;
-}
-
-int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* protocol_name, const unsigned char protocol_name_len,
- const unsigned char* customization_label, const unsigned char customization_label_len)
-{
- unsigned char* bufptr;
-
- *labelset_len = 0;
- if (labelset == NULL)
- return -1;
- if (labelset_len == NULL)
- return -1;
- if (labelset_maxlen > LABELSETMAXLEN)
- return -1;
- if (labelset_maxlen < 3 + protocol_name_len + customization_label_len)
- return -1;
- if (protocol_name == NULL && protocol_name_len != 0)
- return -1;
- if (customization_label == NULL &&
customization_label_len != 0)
- return -1;
- if (protocol_name_len > LABELMAXLEN)
- return -1;
- if (customization_label_len > LABELMAXLEN)
- return -1;
-
- bufptr = labelset;
- *bufptr++ = 2;
- *bufptr++ = protocol_name_len;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen, protocol_name, protocol_name_len);
- if (bufptr != NULL && bufptr < labelset + labelset_maxlen)
- *bufptr++ = customization_label_len;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen,
- customization_label, customization_label_len);
-
- if (bufptr != NULL && bufptr - labelset == 3 + protocol_name_len + customization_label_len) {
- *labelset_len = bufptr - labelset;
- return 0;
- }
- return -1;
-}
-
-
-int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* label, const unsigned char label_len)
-{
- unsigned char* bufptr;
- if (labelset_len == NULL)
- return -1;
- if (*labelset_len > LABELSETMAXLEN || labelset_maxlen > LABELSETMAXLEN)
- return -1;
- if (*labelset_len >= labelset_maxlen || *labelset_len + label_len + 1 > labelset_maxlen)
- return -1;
- if (*labelset_len < 3 || labelset_maxlen < 4)
- return -1;
- if (label_len > LABELMAXLEN)
- return -1;
-
- labelset[0]++;
- labelset[*labelset_len] = label_len;
- bufptr = labelset + *labelset_len + 1;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen, label, label_len);
- if (bufptr == NULL)
- return -1;
- if (bufptr - labelset >= labelset_maxlen)
- return -1;
- if (bufptr - labelset != *labelset_len + 1 + label_len)
- return -1;
-
- *labelset_len += (1 + label_len);
- return 0;
-}
-
-int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len)
-{
- unsigned char num_labels = 0;
- unsigned char count = 0;
- unsigned long offset = 0;
- unsigned char label_len = 0;
-
- if (labelset == NULL)
- return -1;
- if (labelset_len < 3 || labelset_len > LABELSETMAXLEN)
- return -1;
-
- num_labels = labelset[0];
- offset = 1;
- for
(count = 0; count < num_labels; count++) {
- label_len = labelset[offset];
- if (label_len > LABELMAXLEN)
- return -1;
- offset += 1 + label_len;
- if (offset > labelset_len)
- return -1;
- }
- if (offset != labelset_len)
- return -1;
- return 0;
-}
-
-int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len)
-{
- if (labelset_len != 3)
- return 0;
- return 1;
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h
deleted file mode 100644
index 6ac40da99d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef __GEN_LABELSET_H__
-#define __GEN_LABELSET_H__
-
-extern const unsigned char B_bytes[];
-
-unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend,
- const unsigned char* in, const unsigned long in_len);
-
-unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend);
-
-
-int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* protocol_name, const unsigned char protocol_name_len,
- const unsigned char* customization_label, const unsigned char customization_label_len);
-
-int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* label, const unsigned char label_len);
-
-int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len);
-
-int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c
deleted file mode 100644
index 4e79b4859d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c
+++ /dev/null
@@ -1,312 +0,0 @@
-#include <string.h>
-#include "gen_eddsa.h"
-#include "gen_veddsa.h"
-#include "gen_constants.h"
-#include "gen_labelset.h"
-#include "gen_crypto_additions.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "crypto_additions.h"
-#include "zeroize.h"
-#include "ge.h"
-#include "sc.h"
-#include "utility.h"
-
-static int generalized_calculate_Bv(ge_p3* Bv_point,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- unsigned char* bufptr;
- unsigned long prefix_len = 0;
-
- if (labelset_validate(labelset, labelset_len) != 0)
- return -1;
- if (Bv_point == NULL || K_bytes == NULL || M_buf == NULL)
- return -1;
-
- prefix_len = 2*POINTLEN + labelset_len;
- if (prefix_len > M_start)
- return -1;
-
- bufptr = M_buf + M_start - prefix_len;
- bufptr = buffer_add(bufptr, M_buf + M_start, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, M_buf + M_start, labelset, labelset_len);
- bufptr = buffer_add(bufptr, M_buf + M_start, K_bytes, POINTLEN);
- if (bufptr == NULL || bufptr != M_buf + M_start)
- return -1;
-
- hash_to_point(Bv_point, M_buf + M_start - prefix_len, prefix_len + M_len);
- if (ge_isneutral(Bv_point))
- return -1;
- return 0;
-}
-
-static int generalized_calculate_vrf_output(unsigned char* vrf_output,
- const unsigned char* labelset, const unsigned long labelset_len,
- const ge_p3* cKv_point)
-{
- unsigned char buf[BUFLEN];
- unsigned char* bufptr = buf;
- unsigned char* bufend = buf + BUFLEN;
- unsigned char cKv_bytes[POINTLEN];
- unsigned char hash[HASHLEN];
-
- if (vrf_output == NULL)
- return -1;
- memset(vrf_output, 0, VRFOUTPUTLEN);
-
- if (labelset_len + 2*POINTLEN > BUFLEN)
- return -1;
- if (labelset_validate(labelset, labelset_len) != 0)
- return -1;
- if (cKv_point == NULL)
- return -1;
- if (VRFOUTPUTLEN > HASHLEN)
- return -1;
-
- ge_p3_tobytes(cKv_bytes, cKv_point);
-
- bufptr =
buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, cKv_bytes, POINTLEN);
- if (bufptr == NULL)
- return -1;
- if (bufptr - buf > BUFLEN)
- return -1;
- crypto_hash_sha512(hash, buf, bufptr - buf);
- memcpy(vrf_output, hash, VRFOUTPUTLEN);
- return 0;
-}
-
-int generalized_veddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- ge_p3 Bv_point;
- ge_p3 Kv_point;
- ge_p3 Rv_point;
- unsigned char Bv_bytes[POINTLEN];
- unsigned char Kv_bytes[POINTLEN];
- unsigned char Rv_bytes[POINTLEN];
- unsigned char R_bytes[POINTLEN];
- unsigned char r_scalar[SCALARLEN];
- unsigned char h_scalar[SCALARLEN];
- unsigned char s_scalar[SCALARLEN];
- unsigned char extra[3*POINTLEN];
- unsigned char* M_buf = NULL;
- char* protocol_name = "VEdDSA_25519_SHA512_Elligator2";
-
- if (signature_out == NULL)
- goto err;
- memset(signature_out, 0, VRFSIGNATURELEN);
-
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (eddsa_25519_privkey_scalar == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0) {
- goto err;
- }
- memcpy(M_buf + MSTART, msg, msg_len);
-
- // labelset = new_labelset(protocol_name, customization_label)
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN,
- (unsigned char*)protocol_name, strlen(protocol_name),
- customization_label, customization_label_len) != 0)
- goto err;
-
- // labelset1 =
add_label(labels, "1")
- // Bv = hash(hash(labelset1 || K) || M)
- // Kv = k * Bv
- labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1);
- if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len,
- eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
- ge_scalarmult(&Kv_point, eddsa_25519_privkey_scalar, &Bv_point);
- ge_p3_tobytes(Bv_bytes, &Bv_point);
- ge_p3_tobytes(Kv_bytes, &Kv_point);
-
- // labelset2 = add_label(labels, "2")
- // R, r = commit(labelset2, (Bv || Kv), (K,k), Z, M)
- labelset[labelset_len-1] = (unsigned char)'2';
- memcpy(extra, Bv_bytes, POINTLEN);
- memcpy(extra + POINTLEN, Kv_bytes, POINTLEN);
- if (generalized_commit(R_bytes, r_scalar,
- labelset, labelset_len,
- extra, 2*POINTLEN,
- eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar,
- random, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // Rv = r * Bv
- ge_scalarmult(&Rv_point, r_scalar, &Bv_point);
- ge_p3_tobytes(Rv_bytes, &Rv_point);
-
- // labelset3 = add_label(labels, "3")
- // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M)
- labelset[labelset_len-1] = (unsigned char)'3';
- memcpy(extra + 2*POINTLEN, Rv_bytes, POINTLEN);
- if (generalized_challenge(h_scalar,
- labelset, labelset_len,
- extra, 3*POINTLEN,
- R_bytes, eddsa_25519_pubkey_bytes,
- M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // s = prove(r, k, h)
- if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0)
- goto err;
-
- // return (Kv || h || s)
- memcpy(signature_out, Kv_bytes, POINTLEN);
- memcpy(signature_out + POINTLEN, h_scalar, SCALARLEN);
- memcpy(signature_out + POINTLEN + SCALARLEN, s_scalar, SCALARLEN);
-
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return 0;
-
-err:
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return -1;
-}
-
-int generalized_veddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const
unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- const unsigned char* Kv_bytes;
- const unsigned char* h_scalar;
- const unsigned char* s_scalar;
- ge_p3 Bv_point, K_point, Kv_point, cK_point, cKv_point;
- unsigned char Bv_bytes[POINTLEN];
- unsigned char R_calc_bytes[POINTLEN];
- unsigned char Rv_calc_bytes[POINTLEN];
- unsigned char h_calc_scalar[SCALARLEN];
- unsigned char extra[3*POINTLEN];
- unsigned char* M_buf = NULL;
- char* protocol_name = "VEdDSA_25519_SHA512_Elligator2";
-
- if (vrf_out == NULL)
- goto err;
- memset(vrf_out, 0, VRFOUTPUTLEN);
-
- if (signature == NULL)
- goto err;
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0) {
- goto err;
- }
- memcpy(M_buf + MSTART, msg, msg_len);
-
- Kv_bytes = signature;
- h_scalar = signature + POINTLEN;
- s_scalar = signature + POINTLEN + SCALARLEN;
-
- if (!point_isreduced(eddsa_25519_pubkey_bytes))
- goto err;
- if (!point_isreduced(Kv_bytes))
- goto err;
- if (!sc_isreduced(h_scalar))
- goto err;
- if (!sc_isreduced(s_scalar))
- goto err;
-
- // labelset = new_labelset(protocol_name, customization_label)
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN,
- (unsigned char*)protocol_name, strlen(protocol_name),
- customization_label, customization_label_len) != 0)
- goto err;
-
- // labelset1 = add_label(labels, "1")
- // Bv = hash(hash(labelset1 || K) || M)
- labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1);
- if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len,
- eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
-
ge_p3_tobytes(Bv_bytes, &Bv_point);
-
- // R = solve_commitment(B, s, K, h)
- if (generalized_solve_commitment(R_calc_bytes, &K_point, NULL,
- s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0)
- goto err;
-
- // Rv = solve_commitment(Bv, s, Kv, h)
- if (generalized_solve_commitment(Rv_calc_bytes, &Kv_point, &Bv_point,
- s_scalar, Kv_bytes, h_scalar) != 0)
- goto err;
-
- ge_scalarmult_cofactor(&cK_point, &K_point);
- ge_scalarmult_cofactor(&cKv_point, &Kv_point);
- if (ge_isneutral(&cK_point) || ge_isneutral(&cKv_point) || ge_isneutral(&Bv_point))
- goto err;
-
- // labelset3 = add_label(labels, "3")
- // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M)
- labelset[labelset_len-1] = (unsigned char)'3';
- memcpy(extra, Bv_bytes, POINTLEN);
- memcpy(extra + POINTLEN, Kv_bytes, POINTLEN);
- memcpy(extra + 2*POINTLEN, Rv_calc_bytes, POINTLEN);
- if (generalized_challenge(h_calc_scalar,
- labelset, labelset_len,
- extra, 3*POINTLEN,
- R_calc_bytes, eddsa_25519_pubkey_bytes,
- M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // if bytes_equal(h, h')
- if (crypto_verify_32(h_scalar, h_calc_scalar) != 0)
- goto err;
-
- // labelset4 = add_label(labels, "4")
- // v = hash(labelset4 || c*Kv)
- labelset[labelset_len-1] = (unsigned char)'4';
- if (generalized_calculate_vrf_output(vrf_out, labelset, labelset_len, &cKv_point) != 0)
- goto err;
-
- free(M_buf);
- return 0;
-
-err:
- free(M_buf);
- return -1;
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h
deleted file mode 100644
index 1bc27a6e2b..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef __GEN_VEDDSA_H__
-#define __GEN_VEDDSA_H__
-
-int generalized_veddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_veddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c
deleted file mode 100644
index d4df5c1f1f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c
+++ /dev/null
@@ -1,131 +0,0 @@
-#include <string.h>
-#include "crypto_additions.h"
-#include "gen_x.h"
-#include "gen_constants.h"
-#include "gen_eddsa.h"
-#include "gen_veddsa.h"
-#include "gen_crypto_additions.h"
-#include "zeroize.h"
-
-static int convert_25519_pubkey(unsigned char* ed_pubkey_bytes, const unsigned char* x25519_pubkey_bytes) {
- fe u;
- fe y;
-
- /* Convert the X25519 public key into an Ed25519 public key.
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- if (!fe_isreduced(x25519_pubkey_bytes))
- return -1;
- fe_frombytes(u, x25519_pubkey_bytes);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey_bytes, y);
- return 0;
-}
-
-static int calculate_25519_keypair(unsigned char* K_bytes, unsigned char* k_scalar,
- const unsigned char* x25519_privkey_scalar)
-{
- unsigned char kneg[SCALARLEN];
- ge_p3 ed_pubkey_point;
- unsigned char sign_bit = 0;
-
- if (SCALARLEN != 32)
- return -1;
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, x25519_privkey_scalar);
- ge_p3_tobytes(K_bytes, &ed_pubkey_point);
-
- /* Force Edwards sign bit to zero */
- sign_bit = (K_bytes[31] & 0x80) >> 7;
- memcpy(k_scalar, x25519_privkey_scalar, 32);
- sc_neg(kneg, k_scalar);
- sc_cmov(k_scalar, kneg, sign_bit);
- K_bytes[31] &= 0x7F;
-
- zeroize(kneg, SCALARLEN);
- return 0;
-}
-
-int generalized_xeddsa_25519_sign(unsigned char* signature_out,
- const unsigned char* x25519_privkey_scalar,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
- unsigned char k_scalar[SCALARLEN];
- int retval = -1;
-
- if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0)
- return -1;
-
- retval = generalized_eddsa_25519_sign(signature_out,
- K_bytes, k_scalar,
- msg, msg_len, random,
- customization_label,
customization_label_len);
- zeroize(k_scalar, SCALARLEN);
- return retval;
-}
-
-int generalized_xveddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* x25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
- unsigned char k_scalar[SCALARLEN];
- int retval = -1;
-
- if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0)
- return -1;
-
- retval = generalized_veddsa_25519_sign(signature_out, K_bytes, k_scalar,
- msg, msg_len, random,
- customization_label, customization_label_len);
- zeroize(k_scalar, SCALARLEN);
- return retval;
-}
-
-int generalized_xeddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* x25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
-
- if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0)
- return -1;
-
- return generalized_eddsa_25519_verify(signature, K_bytes, msg, msg_len,
- customization_label, customization_label_len);
-}
-
-int generalized_xveddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* x25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
-
- if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0)
- return -1;
-
- return generalized_veddsa_25519_verify(vrf_out, signature, K_bytes, msg, msg_len,
- customization_label, customization_label_len);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h
deleted file mode 100644
index 3c4c04cb6c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h
+++ /dev/null
@@ -1,37 +0,0 @@
-#ifndef __GEN_X_H
-#define __GEN_X_H
-
-int generalized_xeddsa_25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* x25519_privkey_scalar, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random, /* 32 bytes */
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xeddsa_25519_verify(
- const unsigned char* signature, /* 64 bytes */
- const unsigned char* x25519_pubkey_bytes, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xveddsa_25519_sign(
- unsigned char* signature_out, /* 96 bytes */
- const unsigned char* x25519_privkey_scalar, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random, /* 32 bytes */
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xveddsa_25519_verify(
- unsigned char* vrf_out, /* 32 bytes */
- const unsigned char* signature, /* 96 bytes */
- const unsigned char* x25519_pubkey_bytes, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c
deleted file mode 100644
index 5541ffebbb..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include<string.h>
-#include "fe.h"
-#include "crypto_additions.h"
-
-int point_isreduced(const unsigned char* p)
-{
- unsigned char strict[32];
-
- memmove(strict, p, 32);
- strict[31] &= 0x7F; /* mask off sign bit */
- return fe_isreduced(strict);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c
deleted file mode 100644
index 24193808ad..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include <string.h>
-#include "fe.h"
-#include "sc.h"
-#include "crypto_additions.h"
-#include "crypto_verify_32.h"
-
-int sc_isreduced(const unsigned char* s)
-{
- unsigned char strict[64];
-
- memset(strict, 0, 64);
- memmove(strict, s, 32);
- sc_reduce(strict);
- if (crypto_verify_32(strict, s) != 0)
- return 0;
- return 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
deleted file mode 100644
index de7cdcd598..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "ge.h"
-#include "keygen.h"
-#include "crypto_additions.h"
-
-void curve25519_keygen(unsigned char* curve25519_pubkey_out,
- const unsigned char* curve25519_privkey_in)
-{
- /* Perform a fixed-base multiplication of the Edwards base point,
- (which is efficient due to precalculated tables), then convert
- to the Curve25519 montgomery-format public key.
-
- NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
- */
-
- ge_p3 ed; /* Ed25519 pubkey point */
- fe u;
-
- ge_scalarmult_base(&ed, curve25519_privkey_in);
- ge_p3_to_montx(u, &ed);
- fe_tobytes(curve25519_pubkey_out, u);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
deleted file mode 100644
index e86e7c5582..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
+++ /dev/null
@@ -1,12 +0,0 @@
-
-#ifndef __KEYGEN_H__
-#define __KEYGEN_H__
-
-/* Sets and clears bits to make a random 32 bytes into a private key */
-void sc_clamp(unsigned char* a);
-
-/* The private key should be 32 random bytes "clamped" by sc_clamp() */
-void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */
- const unsigned char* curve25519_privkey_in); /* 32 bytes */
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
deleted file mode 100644
index a156098191..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include <string.h>
-#include "crypto_sign.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "ge.h"
-#include "sc.h"
-#include "crypto_additions.h"
-
-int crypto_sign_open_modified(
- unsigned char *m,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk
-)
-{
- unsigned char pkcopy[32];
- unsigned char rcopy[32];
- unsigned char scopy[32];
- unsigned char h[64];
- unsigned char rcheck[32];
- ge_p3 A;
- ge_p2 R;
-
- if (smlen < 64) goto badsig;
- if (sm[63] & 224) goto badsig; /* strict parsing of s */
- if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
-
- memmove(pkcopy,pk,32);
- memmove(rcopy,sm,32);
- memmove(scopy,sm + 32,32);
-
- memmove(m,sm,smlen);
- memmove(m + 32,pkcopy,32);
- crypto_hash_sha512(h,m,smlen);
- sc_reduce(h);
-
- ge_double_scalarmult_vartime(&R,h,&A,scopy);
- ge_tobytes(rcheck,&R);
-
- if (crypto_verify_32(rcheck,rcopy) == 0) {
- return 0;
- }
-
-badsig:
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
deleted file mode 100644
index 7788be9071..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
+++ /dev/null
@@ -1,8 +0,0 @@
-#include "crypto_additions.h"
-
-void sc_clamp(unsigned char* a)
-{
- a[0] &= 248;
- a[31] &= 127;
- a[31] |= 64;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
deleted file mode 100644
index 443a5bb71e..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_additions.h"
-
-/*
-Replace (f,g) with (g,g) if b == 1;
-replace (f,g) with (f,g) if b == 0.
-
-Preconditions: b in {0,1}.
-*/
-
-void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b)
-{
- int count=32;
- unsigned char x[32];
- for (count=0; count < 32; count++)
- x[count] = f[count] ^ g[count];
- b = -b;
- for (count=0; count < 32; count++)
- x[count] &= b;
- for (count=0; count < 32; count++)
- f[count] = f[count] ^ x[count];
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
deleted file mode 100644
index ef407d405e..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
+++ /dev/null
@@ -1,25 +0,0 @@
-#include <string.h>
-#include "crypto_additions.h"
-#include "sc.h"
-
-/* l = order of base point = 2^252 + 27742317777372353535851937790883648493 */
-
-/*
-static unsigned char l[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
- 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0, 0x10};
-*/
-
-static unsigned char lminus1[32] = {0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
- 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
-
-/* b = -a (mod l) */
-void sc_neg(unsigned char *b, const unsigned char *a)
-{
- unsigned char zero[32];
- memset(zero, 0, 32);
- sc_muladd(b, lminus1, a, zero); /* b = (-1)a + 0 (mod l) */
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
deleted file mode 100644
index b2fb8c20d3..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
+++ /dev/null
@@ -1,53 +0,0 @@ -#include <string.h> -#include "crypto_sign.h" -#include "crypto_hash_sha512.h" -#include "ge.h" -#include "sc.h" -#include "zeroize.h" -#include "crypto_additions.h" - -/* NEW: Compare to pristine crypto_sign() - Uses explicit private key for nonce derivation and as scalar, - instead of deriving both from a master key. -*/ -int crypto_sign_modified( - unsigned char *sm, - const unsigned char *m,unsigned long long mlen, - const unsigned char *sk, const unsigned char* pk, - const unsigned char* random -) -{ - unsigned char nonce[64]; - unsigned char hram[64]; - ge_p3 R; - int count=0; - - memmove(sm + 64,m,mlen); - memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */ - - /* NEW : add prefix to separate hash uses - see .h */ - sm[0] = 0xFE; - for (count = 1; count < 32; count++) - sm[count] = 0xFF; - - /* NEW: add suffix of random data */ - memmove(sm + mlen + 64, random, 64); - - crypto_hash_sha512(nonce,sm,mlen + 128); - memmove(sm + 32,pk,32); - - sc_reduce(nonce); - - ge_scalarmult_base(&R,nonce); - ge_p3_tobytes(sm,&R); - - crypto_hash_sha512(hram,sm,mlen + 64); - sc_reduce(hram); - sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */ - - /* Erase any traces of private scalar or - nonce left in the stack from sc_muladd */ - zeroize_stack(); - zeroize(nonce, 64); - return 0; -} diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c deleted file mode 100644 index c59099a9e3..0000000000 --- a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c +++ /dev/null 
@@ -1,29 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include "utility.h"
-
-void print_vector(const char* name, const unsigned char* v)
-{
- int count;
- printf("%s = \n", name);
- for (count = 0; count < 32; count++)
- printf("%02x ", v[count]);
- printf("\n");
-}
-
-void print_bytes(const char* name, const unsigned char* v, int numbytes)
-{
- int count;
- printf("%s = \n", name);
- for (count = 0; count < numbytes; count++)
- printf("%02x ", v[count]);
- printf("\n");
-}
-
-void print_fe(const char* name, const fe in)
-{
- unsigned char bytes[32];
- fe_tobytes(bytes, in);
- print_vector(name, bytes);
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
deleted file mode 100644
index 35348782df..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#ifndef __UTILITY_H__
-#define __UTILITY_H__
-
-#include "fe.h"
-
-void print_vector(const char* name, const unsigned char* v);
-void print_bytes(const char* name, const unsigned char* v, int numbytes);
-void print_fe(const char* name, const fe in);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
deleted file mode 100644
index 63b73bf2ed..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include <string.h>
-#include "ge.h"
-#include "crypto_additions.h"
-#include "zeroize.h"
-#include "xeddsa.h"
-#include "crypto_verify_32.h"
-
-int xed25519_sign(unsigned char* signature_out,
- const unsigned char* curve25519_privkey,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random)
-{
- unsigned char a[32], aneg[32];
- unsigned char A[32];
- ge_p3 ed_pubkey_point;
- unsigned char *sigbuf; /* working buffer */
- unsigned char sign_bit = 0;
-
- if ((sigbuf = malloc(msg_len + 128)) == 0) {
- memset(signature_out, 0, 64);
- return -1;
- }
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
- ge_p3_tobytes(A, &ed_pubkey_point);
-
- /* Force Edwards sign bit to zero */
- sign_bit = (A[31] & 0x80) >> 7;
- memcpy(a, curve25519_privkey, 32);
- sc_neg(aneg, a);
- sc_cmov(a, aneg, sign_bit);
- A[31] &= 0x7F;
-
- /* Perform an Ed25519 signature with explicit private key */
- crypto_sign_modified(sigbuf, msg, msg_len, a, A, random);
- memmove(signature_out, sigbuf, 64);
-
- zeroize(a, 32);
- zeroize(aneg, 32);
- free(sigbuf);
- return 0;
-}
-
-int xed25519_verify(const unsigned char* signature,
- const unsigned char* curve25519_pubkey,
- const unsigned char* msg, const unsigned long msg_len)
-{
- fe u;
- fe y;
- unsigned char ed_pubkey[32];
- unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
- unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
-
- if (msg_len > MAX_MSG_LEN) {
- return -1;
- }
-
- /* Convert the Curve25519 public key into an Ed25519 public key. 
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- if (!fe_isreduced(curve25519_pubkey))
- return -1;
- fe_frombytes(u, curve25519_pubkey);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey, y);
-
- memmove(verifybuf, signature, 64);
- memmove(verifybuf+64, msg, msg_len);
-
- /* Then perform a normal Ed25519 verification, return 0 on success */
- /* The below call has a strange API: */
- /* verifybuf = R || S || message */
- /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
- replaced with pubkey for hashing */
- return crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
deleted file mode 100644
index b86d7f0d9d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
+++ /dev/null
@@ -1,16 +0,0 @@
-
-#ifndef __XEDDSA_H__
-#define __XEDDSA_H__
-
-/* returns 0 on success */
-int xed25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* curve25519_privkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
- const unsigned char* random); /* 64 bytes */
-
-/* returns 0 on success */
-int xed25519_verify(const unsigned char* signature, /* 64 bytes */
- const unsigned char* curve25519_pubkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
deleted file mode 100644
index 187e725eb5..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "zeroize.h"
-
-void zeroize(unsigned char* b, size_t len)
-{
- size_t count = 0;
- volatile unsigned char *p = b;
-
- for (count = 0; count < len; count++)
- p[count] = 0;
-}
-
-void zeroize_stack()
-{
- unsigned char m[ZEROIZE_STACK_SIZE];
- zeroize(m, ZEROIZE_STACK_SIZE);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
deleted file mode 100644
index 0db68bb4c6..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef __ZEROIZE_H__
-#define __ZEROIZE_H__
-
-#include <stdlib.h>
-
-#define ZEROIZE_STACK_SIZE 1024
-
-void zeroize(unsigned char* b, size_t len);
-
-void zeroize_stack();
-
-#endif |