diff options
author | Matt Caswell <matt@openssl.org> | 2017-12-05 16:37:57 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-02-20 12:59:30 +0000 |
commit | aeeef83cb536216a414287dee1f424265283da88 (patch) | |
tree | 3aef18be0b916ca755bf24c25b32e544ab19a440 /crypto/ec/curve448/eddsa.c | |
parent | 35b7c85a22a214512da9ce374ba7ff737b52f49d (diff) |
Remove references to libdecaf
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5105)
Diffstat (limited to 'crypto/ec/curve448/eddsa.c')
-rw-r--r-- | crypto/ec/curve448/eddsa.c | 187 |
1 files changed, 90 insertions, 97 deletions
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index 7d9ef8e221..d76c15dff1 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -20,45 +20,44 @@ #define COFACTOR 4 -static decaf_error_t oneshot_hash(uint8_t *out, size_t outlen, - const uint8_t *in, size_t inlen) +static c448_error_t oneshot_hash(uint8_t *out, size_t outlen, + const uint8_t *in, size_t inlen) { EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, in, inlen) || !EVP_DigestFinalXOF(hashctx, out, outlen)) { EVP_MD_CTX_free(hashctx); - return DECAF_FAILURE; + return C448_FAILURE; } EVP_MD_CTX_free(hashctx); - return DECAF_SUCCESS; + return C448_SUCCESS; } -static void clamp(uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]) +static void clamp(uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]) { uint8_t hibit = (1 << 0) >> 1; /* Blarg */ secret_scalar_ser[0] &= -COFACTOR; if (hibit == 0) { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] = 0; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80; } else { - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; - secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] &= hibit - 1; + secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES - 1] |= hibit; } } -static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, - uint8_t prehashed, - uint8_t for_prehash, - const uint8_t *context, - size_t context_len) +static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed, + uint8_t for_prehash, + const uint8_t *context, + size_t context_len) { const char *dom_s = "SigEd448"; uint8_t dom[2]; @@ -67,42 +66,41 @@ static decaf_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, dom[1] = (uint8_t)context_len; if (context_len > UINT8_MAX) - return DECAF_FAILURE; + return C448_FAILURE; if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s)) || !EVP_DigestUpdate(hashctx, dom, sizeof(dom)) || !EVP_DigestUpdate(hashctx, context, context_len)) - return DECAF_FAILURE; + return C448_FAILURE; - return DECAF_SUCCESS; + return C448_SUCCESS; } /* In this file because it uses the hash */ -decaf_error_t decaf_ed448_convert_private_key_to_x448( - uint8_t x[DECAF_X448_PRIVATE_BYTES], - const uint8_t ed [DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_convert_private_key_to_x448( + uint8_t x[C448_X448_PRIVATE_BYTES], + const uint8_t ed [C448_EDDSA_448_PRIVATE_BYTES]) { /* pass the private key through oneshot_hash function */ - /* and keep the first DECAF_X448_PRIVATE_BYTES bytes */ - return oneshot_hash(x, - DECAF_X448_PRIVATE_BYTES, - ed, DECAF_EDDSA_448_PRIVATE_BYTES); + /* and keep the first C448_X448_PRIVATE_BYTES bytes */ + return oneshot_hash(x, C448_X448_PRIVATE_BYTES, ed, + C448_EDDSA_448_PRIVATE_BYTES); } -decaf_error_t decaf_ed448_derive_public_key( - uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]) +c448_error_t c448_ed448_derive_public_key( + uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES]) { /* only this much used for keygen */ - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; curve448_scalar_t secret_scalar; unsigned int c; curve448_point_t p; if (!oneshot_hash(secret_scalar_ser, sizeof(secret_scalar_ser), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) - return DECAF_FAILURE; + C448_EDDSA_448_PRIVATE_BYTES)) + return C448_FAILURE; clamp(secret_scalar_ser); @@ -117,7 +115,7 @@ decaf_error_t decaf_ed448_derive_public_key( * converted it effectively picks up a factor of 2 from the isogenies. So * we might start at 2 instead of 1. */ - for (c = 1; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) + for (c = 1; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) curve448_scalar_halve(secret_scalar, secret_scalar); curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); @@ -129,37 +127,37 @@ decaf_error_t decaf_ed448_derive_public_key( curve448_point_destroy(p); OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); - return DECAF_SUCCESS; + return C448_SUCCESS; } -decaf_error_t decaf_ed448_sign( - uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_sign( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t *message, size_t message_len, uint8_t prehashed, const uint8_t *context, size_t context_len) { curve448_scalar_t secret_scalar; EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - decaf_error_t ret = DECAF_FAILURE; + c448_error_t ret = C448_FAILURE; curve448_scalar_t nonce_scalar; - uint8_t nonce_point[DECAF_EDDSA_448_PUBLIC_BYTES] = { 0 }; + uint8_t nonce_point[C448_EDDSA_448_PUBLIC_BYTES] = { 0 }; unsigned int c; curve448_scalar_t challenge_scalar; if (hashctx == NULL) - return DECAF_FAILURE; + return C448_FAILURE; { /* Schedule the secret key */ struct { - uint8_t secret_scalar_ser[DECAF_EDDSA_448_PRIVATE_BYTES]; - uint8_t seed[DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t secret_scalar_ser[C448_EDDSA_448_PRIVATE_BYTES]; + uint8_t seed[C448_EDDSA_448_PRIVATE_BYTES]; } __attribute__ ((packed)) expanded; if (!oneshot_hash((uint8_t *)&expanded, sizeof(expanded), privkey, - DECAF_EDDSA_448_PRIVATE_BYTES)) + C448_EDDSA_448_PRIVATE_BYTES)) goto err; clamp(expanded.secret_scalar_ser); curve448_scalar_decode_long(secret_scalar, expanded.secret_scalar_ser, @@ -177,7 +175,7 @@ decaf_error_t decaf_ed448_sign( /* Decode the nonce */ { - uint8_t nonce[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t nonce[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) goto err; @@ -191,7 +189,7 @@ decaf_error_t decaf_ed448_sign( curve448_point_t p; curve448_scalar_halve(nonce_scalar_2, nonce_scalar); - for (c = 2; c < DECAF_448_EDDSA_ENCODE_RATIO; c <<= 1) { + for (c = 2; c < C448_448_EDDSA_ENCODE_RATIO; c <<= 1) { curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); } @@ -203,12 +201,12 @@ decaf_error_t decaf_ed448_sign( } { - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; /* Compute the challenge */ if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point)) - || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) goto err; @@ -221,73 +219,68 @@ decaf_error_t decaf_ed448_sign( curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); - OPENSSL_cleanse(signature, DECAF_EDDSA_448_SIGNATURE_BYTES); + OPENSSL_cleanse(signature, C448_EDDSA_448_SIGNATURE_BYTES); memcpy(signature, nonce_point, sizeof(nonce_point)); - curve448_scalar_encode(&signature[DECAF_EDDSA_448_PUBLIC_BYTES], + curve448_scalar_encode(&signature[C448_EDDSA_448_PUBLIC_BYTES], challenge_scalar); curve448_scalar_destroy(secret_scalar); curve448_scalar_destroy(nonce_scalar); curve448_scalar_destroy(challenge_scalar); - ret = DECAF_SUCCESS; + ret = C448_SUCCESS; err: EVP_MD_CTX_free(hashctx); return ret; } -decaf_error_t decaf_ed448_sign_prehash(uint8_t - signature - [DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - privkey[DECAF_EDDSA_448_PRIVATE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - size_t context_len) +c448_error_t c448_ed448_sign_prehash( + uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[C448_EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], const uint8_t *context, + size_t context_len) { - return decaf_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, - context_len); + return c448_ed448_sign(signature, privkey, pubkey, hash, 64, 1, context, + context_len); } -decaf_error_t decaf_ed448_verify(const uint8_t - signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t - pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - uint8_t context_len) +c448_error_t c448_ed448_verify( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + uint8_t context_len) { curve448_point_t pk_point, r_point; - decaf_error_t error = + c448_error_t error = curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); curve448_scalar_t challenge_scalar; curve448_scalar_t response_scalar; unsigned int c; - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; error = curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); - if (DECAF_SUCCESS != error) + if (C448_SUCCESS != error) return error; { /* Compute the challenge */ EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); - uint8_t challenge[2 * DECAF_EDDSA_448_PRIVATE_BYTES]; + uint8_t challenge[2 * C448_EDDSA_448_PRIVATE_BYTES]; if (hashctx == NULL || !hash_init_with_dom(hashctx, prehashed, 0, context, context_len) || !EVP_DigestUpdate(hashctx, signature, - DECAF_EDDSA_448_PUBLIC_BYTES) - || !EVP_DigestUpdate(hashctx, pubkey, DECAF_EDDSA_448_PUBLIC_BYTES) + C448_EDDSA_448_PUBLIC_BYTES) + || !EVP_DigestUpdate(hashctx, pubkey, C448_EDDSA_448_PUBLIC_BYTES) || !EVP_DigestUpdate(hashctx, message, message_len) || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) { EVP_MD_CTX_free(hashctx); - return DECAF_FAILURE; + return C448_FAILURE; } EVP_MD_CTX_free(hashctx); @@ -299,29 +292,29 @@ decaf_error_t decaf_ed448_verify(const uint8_t challenge_scalar); curve448_scalar_decode_long(response_scalar, - &signature[DECAF_EDDSA_448_PUBLIC_BYTES], - DECAF_EDDSA_448_PRIVATE_BYTES); + &signature[C448_EDDSA_448_PUBLIC_BYTES], + C448_EDDSA_448_PRIVATE_BYTES); - for (c = 1; c < DECAF_448_EDDSA_DECODE_RATIO; c <<= 1) + for (c = 1; c < C448_448_EDDSA_DECODE_RATIO; c <<= 1) curve448_scalar_add(response_scalar, response_scalar, response_scalar); /* pk_point = -c(x(P)) + (cx + k)G = kG */ curve448_base_double_scalarmul_non_secret(pk_point, response_scalar, pk_point, challenge_scalar); - return decaf_succeed_if(curve448_point_eq(pk_point, r_point)); + return c448_succeed_if(curve448_point_eq(pk_point, r_point)); } -decaf_error_t decaf_ed448_verify_prehash( - const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES], +c448_error_t c448_ed448_verify_prehash( + const uint8_t signature[C448_EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[C448_EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len) { - decaf_error_t ret; + c448_error_t ret; - ret = decaf_ed448_verify(signature, pubkey, hash, 64, 1, context, - context_len); + ret = c448_ed448_verify(signature, pubkey, hash, 64, 1, context, + context_len); return ret; } @@ -331,25 +324,25 @@ int ED448_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, const uint8_t *context, size_t context_len) { - return decaf_ed448_sign(out_sig, private_key, public_key, message, - message_len, 0, context, context_len) - == DECAF_SUCCESS; + return c448_ed448_sign(out_sig, private_key, public_key, message, + message_len, 0, context, context_len) + == C448_SUCCESS; } int ED448_verify(const uint8_t *message, size_t message_len, const uint8_t signature[114], const uint8_t public_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_verify(signature, public_key, message, message_len, 0, - context, context_len) == DECAF_SUCCESS; + return c448_ed448_verify(signature, public_key, message, message_len, 0, + context, context_len) == C448_SUCCESS; } int ED448ph_sign(uint8_t *out_sig, const uint8_t hash[64], const uint8_t public_key[57], const uint8_t private_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_sign_prehash(out_sig, private_key, public_key, hash, - context, context_len) == DECAF_SUCCESS; + return c448_ed448_sign_prehash(out_sig, private_key, public_key, hash, + context, context_len) == C448_SUCCESS; } @@ -357,13 +350,13 @@ int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114], const uint8_t public_key[57], const uint8_t *context, size_t context_len) { - return decaf_ed448_verify_prehash(signature, public_key, hash, context, - context_len) == DECAF_SUCCESS; + return c448_ed448_verify_prehash(signature, public_key, hash, context, + context_len) == C448_SUCCESS; } int ED448_public_from_private(uint8_t out_public_key[57], const uint8_t private_key[57]) { - return decaf_ed448_derive_public_key(out_public_key, private_key) - == DECAF_SUCCESS; + return c448_ed448_derive_public_key(out_public_key, private_key) + == C448_SUCCESS; } |