Diffstat (limited to 'src/libsodium/crypto_sign')
6 files changed, 81 insertions, 105 deletions
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index 7955647..2268cd6 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -2,8 +2,11 @@
 #include <string.h>
 #include "api.h"
-#include "randombytes.h"
 #include "crypto_hash_sha512.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "randombytes.h"
+#include "utils.h"
+#include "fe.h"
 #include "ge.h"
 int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
@@ -27,7 +30,47 @@ int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
 int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
 {
 unsigned char seed[32];
+ int ret;
+
+ randombytes_buf(seed, sizeof seed);
+ ret = crypto_sign_seed_keypair(pk, sk, seed);
+ sodium_memzero(seed, sizeof seed);
+
+ return ret;
+}
+
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+ const unsigned char *ed25519_pk)
+{
+ ge_p3 A;
+ fe x;
+ fe one_minus_y;
- randombytes(seed,32);
- return crypto_sign_seed_keypair(pk,sk,seed);
+ ge_frombytes_negate_vartime(&A, ed25519_pk);
+ fe_1(one_minus_y);
+ fe_sub(one_minus_y, one_minus_y, A.Y);
+ fe_invert(one_minus_y, one_minus_y);
+ fe_1(x);
+ fe_add(x, x, A.Y);
+ fe_mul(x, x, one_minus_y);
+ fe_tobytes(curve25519_pk, x);
+
+ return 0;
+}
+
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+ const unsigned char *ed25519_sk)
+{
+ unsigned char h[crypto_hash_sha512_BYTES];
+
+ crypto_hash_sha512(h, ed25519_sk,
+ crypto_sign_ed25519_SECRETKEYBYTES -
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ h[0] &= 248;
+ h[31] &= 127;
+ h[31] |= 64;
+ memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
+ sodium_memzero(h, sizeof h);
+
+ return 0;
 }
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index 36eb084..488333e 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
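Review bot: The result of `ge_frombytes_negate_vartime(&A, ed25519_pk)` in the new crypto_sign_ed25519_pk_to_curve25519 is discarded, so a byte string that does not decode to a curve point is still pushed through the (1+y)/(1-y) map and the function returns 0 regardless. If the decoder reports a rejected encoding through its return value (worth confirming against ge.c, since the hunk does not show it), the conversion should propagate that instead of succeeding unconditionally: `if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { return -1; }`. Separately, y == 1 makes one_minus_y zero, so the emitted u-coordinate is whatever fe_invert produces for 0 rather than an error; callers who feed the output into a Diffie-Hellman should be told in a header comment that malformed or low-order keys are not rejected here. The sk_to_curve25519 path correctly wipes its SHA-512 buffer; the pk path holds no secrets, so nothing is missing there.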
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -43,16 +43,8 @@ crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
 ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
 ge_tobytes(rcheck, &R);
- if (crypto_verify_32(rcheck, sig) != 0) {
- return -1;
- }
- if (sig == rcheck) {
- return -1;
- }
- if (sodium_memcmp(sig, rcheck, 32) != 0) {
- return -1;
- }
- return 0;
+ return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
+ sodium_memcmp(sig, rcheck, 32);
 }
 int
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
index 88f4710..1ee5d6c 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/sign.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
@@ -5,6 +5,7 @@
 #include "crypto_hash_sha512.h"
 #include "ge.h"
 #include "sc.h"
+#include "utils.h"
 int
 crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
@@ -44,6 +45,9 @@ crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
 sc_reduce(hram);
 sc_muladd(sig + 32, hram, az, nonce);
+ sodium_memzero(az, sizeof az);
+ sodium_memzero(nonce, sizeof nonce);
+
 if (siglen != NULL) {
 *siglen = 64U;
 }
@@ -57,13 +61,19 @@ crypto_sign(unsigned char *sm, unsigned long long *smlen,
 {
 unsigned long long siglen;
- if (crypto_sign_detached(sm, &siglen, m, mlen, sk) != 0 ||
- siglen > crypto_sign_ed25519_BYTES) {
- *smlen = 0;
+ memmove(sm + crypto_sign_ed25519_BYTES, m, mlen);
+/* LCOV_EXCL_START */
+ if (crypto_sign_detached(sm, &siglen, sm + crypto_sign_ed25519_BYTES,
+ mlen, sk) != 0 ||
+ siglen != crypto_sign_ed25519_BYTES) {
+ if (smlen != NULL) {
+ *smlen = 0;
+ }
 memset(sm, 0, mlen + crypto_sign_ed25519_BYTES);
 return -1;
 }
- memmove(sm + siglen, m, mlen);
+/* LCOV_EXCL_STOP */
+
 if (smlen != NULL) {
 *smlen = mlen + siglen;
 }
diff --git a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
index 9f999d2..7ba6b4c 100644
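Review bot: `(-(rcheck - sig == 0))` in the new return statement of crypto_sign_verify_detached subtracts two pointers that belong to different objects (rcheck is a local buffer, sig is the caller's signature), which C11 6.5.6 leaves undefined; the aliasing test it replaces was a plain equality, which is always defined, so the term should read `(-(rcheck == sig))`. The rewritten line is otherwise a reasonable way to evaluate all three checks unconditionally, but it yields exactly -1 on failure only if crypto_verify_32 and sodium_memcmp return 0 or -1, which the hunk does not show; a comment such as `/* each term is 0 or -1, so the OR is 0 only when every check passes */` would pin that assumption where the next reader needs it. crypto_sign_verify_detached begins outside the hunk.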
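Review bot: The new crypto_sign body moves the message to `sm + crypto_sign_ed25519_BYTES` before signing it from that location, which is what makes an overlapping `sm`/`m` pair safe and is why memmove rather than memcpy is needed, yet nothing in the hunk records that intent; a comment above the memmove, `/* sm and m may overlap: move the message into place first, then sign the copy */`, would stop a later "optimisation" back to copy-after-sign. The LCOV_EXCL markers state that the failure branch is considered unreachable; if that is because crypto_sign_detached cannot fail for a well-formed key, one sentence in the same comment would make the exclusion reviewable rather than mysterious. The signature of crypto_sign lies outside the hunk.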
--- a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
+++ b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
@@ -1,3 +1,6 @@
+
+#include <string.h>
+
 #include "crypto_sign_ed25519.h"
 size_t
@@ -19,3 +22,18 @@ size_t
 crypto_sign_ed25519_secretkeybytes(void) {
 return crypto_sign_ed25519_SECRETKEYBYTES;
 }
+
+int
+crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk)
+{
+ memmove(seed, sk, crypto_sign_ed25519_SEEDBYTES);
+ return 0;
+}
+
+int
+crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+{
+ memmove(pk, sk + crypto_sign_ed25519_SEEDBYTES,
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ return 0;
+}
diff --git a/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c b/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
index 885d7b1..9c548dc 100644
--- a/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
+++ b/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
@@ -13,7 +13,7 @@ int crypto_sign_keypair(
 sc25519 scsk;
 ge25519 gepk;
- randombytes(sk, 32);
+ randombytes_buf(sk, 32);
 crypto_hash_sha512(sk, sk, 32);
 sk[0] &= 248;
 sk[31] &= 127;
diff --git a/src/libsodium/crypto_sign/try.c b/src/libsodium/crypto_sign/try.c
deleted file mode 100644
index 8ea81b6..0000000
--- a/src/libsodium/crypto_sign/try.c
+++ /dev/null
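Review bot: crypto_sign_ed25519_sk_to_seed and crypto_sign_ed25519_sk_to_pk hard-code the secret-key layout — seed in the first crypto_sign_ed25519_SEEDBYTES bytes, public key immediately after — but neither function says so, and that layout is established elsewhere in the library rather than in this file. A comment above the pair, `/* sk is seed || pk; these accessors only slice it and do no key derivation or validation */`, would tie the offsets to the format they depend on. The choice of memmove over memcpy for a const source suggests the destination is allowed to alias sk (for instance extracting the public key in place); if that is intended, say so, otherwise memcpy reads as the clearer choice. Both functions return 0 unconditionally, which is worth stating in the same comment so callers do not mistake the return value for a check.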
@@ -1,87 +0,0 @@ -/* - * crypto_sign/try.c version 20090118 - * D. J. Bernstein - * Public domain. - */ - -#include <stdlib.h> -#include "randombytes.h" -#include "crypto_sign.h" -#include "windows/windows-quirks.h" - -#define MAXTEST_BYTES 10000 -#define TUNE_BYTES 1536 - -extern unsigned char *alignedcalloc(unsigned long long); - -const char *primitiveimplementation = crypto_sign_IMPLEMENTATION; - -static unsigned char *pk; -static unsigned char *sk; -static unsigned char *m; unsigned long long mlen; -static unsigned char *sm; unsigned long long smlen; -static unsigned char *t; unsigned long long tlen; - -void preallocate(void) -{ -#ifdef RAND_R_PRNG_NOT_SEEDED - RAND_status(); -#endif -} - -void allocate(void) -{ - pk = alignedcalloc(crypto_sign_PUBLICKEYBYTES); - sk = alignedcalloc(crypto_sign_SECRETKEYBYTES); - m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); - sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); - t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES); -} - -void predoit(void) -{ - crypto_sign_keypair(pk,sk); - mlen = TUNE_BYTES; - smlen = 0; - randombytes(m,mlen); - crypto_sign(sm,&smlen,m,mlen,sk); -} - -void doit(void) -{ - crypto_sign_open(t,&tlen,sm,smlen,pk); -} - -char checksum[crypto_sign_BYTES * 2 + 1]; - -const char *checksum_compute(void) -{ - long long mlen; - long long i; - long long j; - - if (crypto_sign_keypair(pk,sk) != 0) return "crypto_sign_keypair returns nonzero"; - for (mlen = 0;mlen < MAXTEST_BYTES;mlen += 1 + (mlen / 16)) { - if (crypto_sign(sm,&smlen,m,mlen,sk) != 0) return "crypto_sign returns nonzero"; - if (crypto_sign_open(t,&tlen,sm,smlen,pk) != 0) return "crypto_sign_open returns nonzero"; - if (tlen != mlen) return "crypto_sign_open does not match length"; - for (i = 0;i < tlen;++i) - if (t[i] != m[i]) - return "crypto_sign_open does not match contents"; - - j = rand() % smlen; - sm[j] ^= 1; - if (crypto_sign_open(t,&tlen,sm,smlen,pk) == 0) { - if (tlen != mlen) return "crypto_sign_open allows trivial 
forgery of length"; - for (i = 0;i < tlen;++i) - if (t[i] != m[i]) - return "crypto_sign_open allows trivial forgery of contents"; - } - sm[j] ^= 1; - - } - - /* do some long-term checksum */ - checksum[0] = 0; - return 0; -} |