diff options
-rw-r--r-- | crypto/ec/curve25519.c | 28 | ||||
-rw-r--r-- | crypto/ec/curve448/curve448.c | 88 | ||||
-rw-r--r-- | crypto/ec/curve448/curve448_local.h | 15 | ||||
-rw-r--r-- | crypto/ec/curve448/curve448_tables.c | 4 | ||||
-rw-r--r-- | crypto/ec/curve448/ed448.h | 100 | ||||
-rw-r--r-- | crypto/ec/curve448/eddsa.c | 181 | ||||
-rw-r--r-- | crypto/ec/curve448/point_448.h | 67 | ||||
-rw-r--r-- | crypto/ec/curve448/scalar.c | 47 | ||||
-rw-r--r-- | crypto/ec/ecx_backend.c | 12 | ||||
-rw-r--r-- | crypto/ec/ecx_meth.c | 20 | ||||
-rw-r--r-- | include/crypto/ecx.h | 65 | ||||
-rw-r--r-- | providers/implementations/exchange/ecx_exch.c | 6 | ||||
-rw-r--r-- | providers/implementations/keymgmt/ecx_kmgmt.c | 24 | ||||
-rw-r--r-- | providers/implementations/signature/eddsa.c | 16 | ||||
-rw-r--r-- | test/curve448_internal_test.c | 56 |
15 files changed, 400 insertions, 329 deletions
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index d939003043..3f24215047 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -5437,9 +5437,10 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s[31] = (uint8_t) (s11 >> 17); } -int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, - const uint8_t public_key[32], const uint8_t private_key[32], - OSSL_LIB_CTX *libctx, const char *propq) +int +ossl_ed25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, + const uint8_t public_key[32], const uint8_t private_key[32], + OSSL_LIB_CTX *libctx, const char *propq) { uint8_t az[SHA512_DIGEST_LENGTH]; uint8_t nonce[SHA512_DIGEST_LENGTH]; @@ -5493,9 +5494,10 @@ err: static const char allzeroes[15]; -int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[64], const uint8_t public_key[32], - OSSL_LIB_CTX *libctx, const char *propq) +int +ossl_ed25519_verify(const uint8_t *message, size_t message_len, + const uint8_t signature[64], const uint8_t public_key[32], + OSSL_LIB_CTX *libctx, const char *propq) { int i; ge_p3 A; @@ -5577,8 +5579,10 @@ err: return res; } -int ED25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32], - const uint8_t private_key[32], const char *propq) +int +ossl_ed25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32], + const uint8_t private_key[32], + const char *propq) { uint8_t az[SHA512_DIGEST_LENGTH]; ge_p3 A; @@ -5606,8 +5610,9 @@ int ED25519_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[32], return 1; } -int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], - const uint8_t peer_public_value[32]) +int +ossl_x25519(uint8_t out_shared_key[32], const uint8_t private_key[32], + const uint8_t peer_public_value[32]) { static const uint8_t kZeros[32] = {0}; x25519_scalar_mult(out_shared_key, private_key, peer_public_value); @@ -5615,7 +5620,8 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0; } -void X25519_public_from_private(uint8_t out_public_value[32], +void +ossl_x25519_public_from_private(uint8_t out_public_value[32], const uint8_t private_key[32]) { uint8_t e[32]; diff --git a/crypto/ec/curve448/curve448.c b/crypto/ec/curve448/curve448.c index b03218283e..b624692713 100644 --- a/crypto/ec/curve448/curve448.c +++ b/crypto/ec/curve448/curve448.c @@ -55,7 +55,7 @@ static void gf_invert(gf y, const gf x, int assert_nonzero) } /** identity = (0,1) */ -const curve448_point_t curve448_point_identity = +const curve448_point_t ossl_curve448_point_identity = { {{{{0}}}, {{{1}}}, {{{1}}}, {{{0}}}} }; static void point_double_internal(curve448_point_t p, const curve448_point_t q, @@ -82,7 +82,7 @@ static void point_double_internal(curve448_point_t p, const curve448_point_t q, gf_mul(p->t, b, d); } -void curve448_point_double(curve448_point_t p, const curve448_point_t q) +void ossl_curve448_point_double(curve448_point_t p, const curve448_point_t q) { point_double_internal(p, q, 0); } @@ -184,8 +184,9 @@ static void sub_pniels_from_pt(curve448_point_t p, const pniels_t pn, sub_niels_from_pt(p, pn->n, before_double); } -c448_bool_t curve448_point_eq(const curve448_point_t p, - const curve448_point_t q) +c448_bool_t +ossl_curve448_point_eq(const curve448_point_t p, + const curve448_point_t q) { mask_t succ; gf a, b; @@ -198,7 +199,8 @@ c448_bool_t curve448_point_eq(const curve448_point_t p, return mask_to_bool(succ); } -c448_bool_t curve448_point_valid(const curve448_point_t p) +c448_bool_t +ossl_curve448_point_valid(const curve448_point_t p) { mask_t out; gf a, b, c; @@ -225,7 +227,8 @@ static ossl_inline void constant_time_lookup_niels(niels_s * RESTRICT ni, constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx); } -void curve448_precomputed_scalarmul(curve448_point_t out, +void +ossl_curve448_precomputed_scalarmul(curve448_point_t out, const curve448_precomputed_s * table, const curve448_scalar_t scalar) { @@ -234,8 +237,8 @@ void curve448_precomputed_scalarmul(curve448_point_t out, niels_t ni; curve448_scalar_t scalar1x; - curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment); - curve448_scalar_halve(scalar1x, scalar1x); + ossl_curve448_scalar_add(scalar1x, scalar, precomputed_scalarmul_adjustment); + ossl_curve448_scalar_halve(scalar1x, scalar1x); for (i = s; i > 0; i--) { if (i != s) @@ -272,7 +275,8 @@ void curve448_precomputed_scalarmul(curve448_point_t out, OPENSSL_cleanse(scalar1x, sizeof(scalar1x)); } -void curve448_point_mul_by_ratio_and_encode_like_eddsa( +void +ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa( uint8_t enc[EDDSA_448_PUBLIC_BYTES], const curve448_point_t p) { @@ -316,10 +320,11 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( OPENSSL_cleanse(y, sizeof(y)); OPENSSL_cleanse(z, sizeof(z)); OPENSSL_cleanse(t, sizeof(t)); - curve448_point_destroy(q); + ossl_curve448_point_destroy(q); } -c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t +ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, const uint8_t enc[EDDSA_448_PUBLIC_BYTES]) { @@ -372,14 +377,15 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( } OPENSSL_cleanse(enc2, sizeof(enc2)); - assert(curve448_point_valid(p) || ~succ); + assert(ossl_curve448_point_valid(p) || ~succ); return c448_succeed_if(mask_to_bool(succ)); } -c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES], - const uint8_t base[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +c448_error_t +ossl_x448_int(uint8_t out[X_PUBLIC_BYTES], + const uint8_t base[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { gf x1, x2, z2, x3, z3, t1, t2; int t; @@ -456,7 +462,8 @@ c448_error_t x448_int(uint8_t out[X_PUBLIC_BYTES], return c448_succeed_if(mask_to_bool(nz)); } -void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t +void +ossl_curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t out[X_PUBLIC_BYTES], const curve448_point_t p) { @@ -467,11 +474,11 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(uint8_t gf_mul(q->z, q->t, q->y); /* y/x */ gf_sqr(q->y, q->z); /* (y/x)^2 */ gf_serialize(out, q->y, 1); - curve448_point_destroy(q); + ossl_curve448_point_destroy(q); } -void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], - const uint8_t scalar[X_PRIVATE_BYTES]) +void ossl_x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], + const uint8_t scalar[X_PRIVATE_BYTES]) { /* Scalar conditioning */ uint8_t scalar2[X_PRIVATE_BYTES]; @@ -485,15 +492,16 @@ void x448_derive_public_key(uint8_t out[X_PUBLIC_BYTES], scalar2[X_PRIVATE_BYTES - 1] &= ~((0u - 1u) << ((X_PRIVATE_BITS + 7) % 8)); scalar2[X_PRIVATE_BYTES - 1] |= 1 << ((X_PRIVATE_BITS + 7) % 8); - curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); + ossl_curve448_scalar_decode_long(the_scalar, scalar2, sizeof(scalar2)); /* Compensate for the encoding ratio */ for (i = 1; i < X448_ENCODE_RATIO; i <<= 1) - curve448_scalar_halve(the_scalar, the_scalar); + ossl_curve448_scalar_halve(the_scalar, the_scalar); - curve448_precomputed_scalarmul(p, curve448_precomputed_base, the_scalar); - curve448_point_mul_by_ratio_and_encode_like_x448(out, p); - curve448_point_destroy(p); + ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base, + the_scalar); + ossl_curve448_point_mul_by_ratio_and_encode_like_x448(out, p); + ossl_curve448_point_destroy(p); } /* Control for variable-time scalar multiply algorithms. */ @@ -610,7 +618,7 @@ static void prepare_wnaf_table(pniels_t * output, if (tbits == 0) return; - curve448_point_double(tmp, working); + ossl_curve448_point_double(tmp, working); pt_to_pniels(twop, tmp); add_pniels_to_pt(tmp, output[0], 0); @@ -621,11 +629,12 @@ static void prepare_wnaf_table(pniels_t * output, pt_to_pniels(output[i], tmp); } - curve448_point_destroy(tmp); + ossl_curve448_point_destroy(tmp); OPENSSL_cleanse(twop, sizeof(twop)); } -void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, +void +ossl_curve448_base_double_scalarmul_non_secret(curve448_point_t combo, const curve448_scalar_t scalar1, const curve448_point_t base2, const curve448_scalar_t scalar2) @@ -645,7 +654,7 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, i = control_var[0].power; if (i < 0) { - curve448_point_copy(combo, curve448_point_identity); + curve448_point_copy(combo, ossl_curve448_point_identity); return; } if (i > control_pre[0].power) { @@ -653,13 +662,14 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, contv++; } else if (i == control_pre[0].power && i >= 0) { pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]); - add_niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1], + add_niels_to_pt(combo, + ossl_curve448_wnaf_base[control_pre[0].addend >> 1], i); contv++; contp++; } else { i = control_pre[0].power; - niels_to_pt(combo, curve448_wnaf_base[control_pre[0].addend >> 1]); + niels_to_pt(combo, ossl_curve448_wnaf_base[control_pre[0].addend >> 1]); contp++; } @@ -688,11 +698,11 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, if (control_pre[contp].addend > 0) add_niels_to_pt(combo, - curve448_wnaf_base[control_pre[contp].addend + ossl_curve448_wnaf_base[control_pre[contp].addend >> 1], i); else sub_niels_from_pt(combo, - curve448_wnaf_base[(-control_pre + ossl_curve448_wnaf_base[(-control_pre [contp].addend) >> 1], i); contp++; } @@ -709,20 +719,20 @@ void curve448_base_double_scalarmul_non_secret(curve448_point_t combo, (void)ncb_pre; } -void curve448_point_destroy(curve448_point_t point) +void ossl_curve448_point_destroy(curve448_point_t point) { OPENSSL_cleanse(point, sizeof(curve448_point_t)); } -int X448(uint8_t out_shared_key[56], const uint8_t private_key[56], - const uint8_t peer_public_value[56]) +int ossl_x448(uint8_t out_shared_key[56], const uint8_t private_key[56], + const uint8_t peer_public_value[56]) { - return x448_int(out_shared_key, peer_public_value, private_key) + return ossl_x448_int(out_shared_key, peer_public_value, private_key) == C448_SUCCESS; } -void X448_public_from_private(uint8_t out_public_value[56], - const uint8_t private_key[56]) +void ossl_x448_public_from_private(uint8_t out_public_value[56], + const uint8_t private_key[56]) { - x448_derive_public_key(out_public_value, private_key); + ossl_x448_derive_public_key(out_public_value, private_key); } diff --git a/crypto/ec/curve448/curve448_local.h b/crypto/ec/curve448/curve448_local.h index c5ffa75f6b..39534a7237 100644 --- a/crypto/ec/curve448/curve448_local.h +++ b/crypto/ec/curve448/curve448_local.h @@ -10,12 +10,15 @@ # define OSSL_CRYPTO_EC_CURVE448_LOCAL_H # include "curve448utils.h" -int ED448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], - const uint8_t public_key[57], const uint8_t private_key[57], - const uint8_t *context, size_t context_len, const char *propq); +int +ossl_ed448ph_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t hash[64], + const uint8_t public_key[57], const uint8_t private_key[57], + const uint8_t *context, size_t context_len, const char *propq); -int ED448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq); +int +ossl_ed448ph_verify(OSSL_LIB_CTX *ctx, const uint8_t hash[64], + const uint8_t signature[114], const uint8_t public_key[57], + const uint8_t *context, size_t context_len, + const char *propq); #endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */ diff --git a/crypto/ec/curve448/curve448_tables.c b/crypto/ec/curve448/curve448_tables.c index ec8ffcc36b..fe0d373f84 100644 --- a/crypto/ec/curve448/curve448_tables.c +++ b/crypto/ec/curve448/curve448_tables.c @@ -1058,7 +1058,7 @@ static const curve448_precomputed_s curve448_precomputed_base_table = { }} } }; -const struct curve448_precomputed_s *curve448_precomputed_base +const struct curve448_precomputed_s *ossl_curve448_precomputed_base = &curve448_precomputed_base_table; static const niels_t curve448_wnaf_base_table[32] = { @@ -1480,4 +1480,4 @@ static const niels_t curve448_wnaf_base_table[32] = { 0x001979c0df237316ULL, 0x00501e953a919b87ULL)}, }} }; -const niels_t *curve448_wnaf_base = curve448_wnaf_base_table; +const niels_t *ossl_curve448_wnaf_base = curve448_wnaf_base_table; diff --git a/crypto/ec/curve448/ed448.h b/crypto/ec/curve448/ed448.h index 3a1a9b46d6..fad21a0273 100644 --- a/crypto/ec/curve448/ed448.h +++ b/crypto/ec/curve448/ed448.h @@ -37,11 +37,12 @@ * pubkey (out): The public key. * privkey (in): The private key. */ -c448_error_t c448_ed448_derive_public_key( - OSSL_LIB_CTX *ctx, - uint8_t pubkey [EDDSA_448_PUBLIC_BYTES], - const uint8_t privkey [EDDSA_448_PRIVATE_BYTES], - const char *propq); +c448_error_t +ossl_c448_ed448_derive_public_key( + OSSL_LIB_CTX *ctx, + uint8_t pubkey [EDDSA_448_PUBLIC_BYTES], + const uint8_t privkey [EDDSA_448_PRIVATE_BYTES], + const char *propq); /* * EdDSA signing. @@ -60,15 +61,15 @@ c448_error_t c448_ed448_derive_public_key( * non-prehashed messages, at least without some very careful protocol-level * disambiguation. For Ed448 it is safe. */ -c448_error_t c448_ed448_sign( - OSSL_LIB_CTX *ctx, - uint8_t signature[EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - size_t context_len, - const char *propq); +c448_error_t +ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx, + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + size_t context_len, + const char *propq); /* * EdDSA signing with prehash. @@ -86,15 +87,15 @@ c448_error_t c448_ed448_sign( * non-prehashed messages, at least without some very careful protocol-level * disambiguation. For Ed448 it is safe. */ -c448_error_t c448_ed448_sign_prehash( - OSSL_LIB_CTX *ctx, - uint8_t signature[EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - size_t context_len, - const char *propq); +c448_error_t +ossl_c448_ed448_sign_prehash(OSSL_LIB_CTX *ctx, + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], + const uint8_t *context, + size_t context_len, + const char *propq); /* * EdDSA signature verification. @@ -114,15 +115,16 @@ c448_error_t c448_ed448_sign_prehash( * non-prehashed messages, at least without some very careful protocol-level * disambiguation. For Ed448 it is safe. */ -c448_error_t c448_ed448_verify(OSSL_LIB_CTX *ctx, - const uint8_t - signature[EDDSA_448_SIGNATURE_BYTES], - const uint8_t - pubkey[EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - uint8_t context_len, - const char *propq); +c448_error_t +ossl_c448_ed448_verify(OSSL_LIB_CTX *ctx, + const uint8_t + signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t + pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + uint8_t context_len, + const char *propq); /* * EdDSA signature verification. @@ -141,14 +143,15 @@ c448_error_t c448_ed448_verify(OSSL_LIB_CTX *ctx, * non-prehashed messages, at least without some very careful protocol-level * disambiguation. For Ed448 it is safe. */ -c448_error_t c448_ed448_verify_prehash( - OSSL_LIB_CTX *ctx, - const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], - const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], - const uint8_t hash[64], - const uint8_t *context, - uint8_t context_len, - const char *propq); +c448_error_t +ossl_c448_ed448_verify_prehash( + OSSL_LIB_CTX *ctx, + const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t hash[64], + const uint8_t *context, + uint8_t context_len, + const char *propq); /* * EdDSA point encoding. Used internally, exposed externally. @@ -173,7 +176,8 @@ c448_error_t c448_ed448_verify_prehash( * enc (out): The encoded point. * p (in): The point. */ -void curve448_point_mul_by_ratio_and_encode_like_eddsa( +void +ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa( uint8_t enc [EDDSA_448_PUBLIC_BYTES], const curve448_point_t p); @@ -186,7 +190,8 @@ void curve448_point_mul_by_ratio_and_encode_like_eddsa( * enc (out): The encoded point. * p (in): The point. */ -c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( +c448_error_t +ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio( curve448_point_t p, const uint8_t enc[EDDSA_448_PUBLIC_BYTES]); @@ -198,10 +203,11 @@ c448_error_t curve448_point_decode_like_eddsa_and_mul_by_ratio( * x (out): The ECDH private key as in RFC7748 * ed (in): The EdDSA private key */ -c448_error_t c448_ed448_convert_private_key_to_x448( - OSSL_LIB_CTX *ctx, - uint8_t x[X448_PRIVATE_BYTES], - const uint8_t ed[EDDSA_448_PRIVATE_BYTES], - const char *propq); +c448_error_t +ossl_c448_ed448_convert_private_key_to_x448( + OSSL_LIB_CTX *ctx, + uint8_t x[X448_PRIVATE_BYTES], + const uint8_t ed[EDDSA_448_PRIVATE_BYTES], + const char *propq); #endif /* OSSL_CRYPTO_EC_CURVE448_ED448_H */ diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c index d4c7f1562a..d04469989a 100644 --- a/crypto/ec/curve448/eddsa.c +++ b/crypto/ec/curve448/eddsa.c @@ -94,7 +94,8 @@ static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx, } /* In this file because it uses the hash */ -c448_error_t c448_ed448_convert_private_key_to_x448( +c448_error_t +ossl_c448_ed448_convert_private_key_to_x448( OSSL_LIB_CTX *ctx, uint8_t x[X448_PRIVATE_BYTES], const uint8_t ed [EDDSA_448_PRIVATE_BYTES], @@ -106,7 +107,8 @@ c448_error_t c448_ed448_convert_private_key_to_x448( EDDSA_448_PRIVATE_BYTES, propq); } -c448_error_t c448_ed448_derive_public_key( +c448_error_t +ossl_c448_ed448_derive_public_key( OSSL_LIB_CTX *ctx, uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], @@ -126,8 +128,8 @@ c448_error_t c448_ed448_derive_public_key( clamp(secret_scalar_ser); - curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, - sizeof(secret_scalar_ser)); + ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser, + sizeof(secret_scalar_ser)); /* * Since we are going to mul_by_cofactor during encoding, divide by it @@ -138,28 +140,29 @@ c448_error_t c448_ed448_derive_public_key( * we might start at 2 instead of 1. */ for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) - curve448_scalar_halve(secret_scalar, secret_scalar); + ossl_curve448_scalar_halve(secret_scalar, secret_scalar); - curve448_precomputed_scalarmul(p, curve448_precomputed_base, secret_scalar); + ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base, + secret_scalar); - curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); + ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p); /* Cleanup */ - curve448_scalar_destroy(secret_scalar); - curve448_point_destroy(p); + ossl_curve448_scalar_destroy(secret_scalar); + ossl_curve448_point_destroy(p); OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser)); return C448_SUCCESS; } -c448_error_t c448_ed448_sign( - OSSL_LIB_CTX *ctx, - uint8_t signature[EDDSA_448_SIGNATURE_BYTES], - const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], - const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], - const uint8_t *message, size_t message_len, - uint8_t prehashed, const uint8_t *context, - size_t context_len, const char *propq) +c448_error_t +ossl_c448_ed448_sign(OSSL_LIB_CTX *ctx, + uint8_t signature[EDDSA_448_SIGNATURE_BYTES], + const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], + const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], + const uint8_t *message, size_t message_len, + uint8_t prehashed, const uint8_t *context, + size_t context_len, const char *propq) { curve448_scalar_t secret_scalar; EVP_MD_CTX *hashctx = EVP_MD_CTX_new(); @@ -183,8 +186,8 @@ c448_error_t c448_ed448_sign( EDDSA_448_PRIVATE_BYTES, propq)) goto err; clamp(expanded); - curve448_scalar_decode_long(secret_scalar, expanded, - EDDSA_448_PRIVATE_BYTES); + ossl_curve448_scalar_decode_long(secret_scalar, expanded, + EDDSA_448_PRIVATE_BYTES); /* Hash to create the nonce */ if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, @@ -205,7 +208,7 @@ c448_error_t c448_ed448_sign( if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce))) goto err; - curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); + ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce)); OPENSSL_cleanse(nonce, sizeof(nonce)); } @@ -214,15 +217,15 @@ c448_error_t c448_ed448_sign( curve448_scalar_t nonce_scalar_2; curve448_point_t p; - curve448_scalar_halve(nonce_scalar_2, nonce_scalar); + ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar); for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1) - curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); + ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2); - curve448_precomputed_scalarmul(p, curve448_precomputed_base, - nonce_scalar_2); - curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); - curve448_point_destroy(p); - curve448_scalar_destroy(nonce_scalar_2); + ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base, + nonce_scalar_2); + ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p); + ossl_curve448_point_destroy(p); + ossl_curve448_scalar_destroy(nonce_scalar_2); } { @@ -237,22 +240,22 @@ c448_error_t c448_ed448_sign( || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) goto err; - curve448_scalar_decode_long(challenge_scalar, challenge, - sizeof(challenge)); + ossl_curve448_scalar_decode_long(challenge_scalar, challenge, + sizeof(challenge)); OPENSSL_cleanse(challenge, sizeof(challenge)); } - curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); - curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); + ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar); + ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar); OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES); memcpy(signature, nonce_point, sizeof(nonce_point)); - curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], - challenge_scalar); + ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES], + challenge_scalar); - curve448_scalar_destroy(secret_scalar); - curve448_scalar_destroy(nonce_scalar); - curve448_scalar_destroy(challenge_scalar); + ossl_curve448_scalar_destroy(secret_scalar); + ossl_curve448_scalar_destroy(nonce_scalar); + ossl_curve448_scalar_destroy(challenge_scalar); ret = C448_SUCCESS; err: @@ -260,7 +263,8 @@ c448_error_t c448_ed448_sign( return ret; } -c448_error_t c448_ed448_sign_prehash( +c448_error_t +ossl_c448_ed448_sign_prehash( OSSL_LIB_CTX *ctx, uint8_t signature[EDDSA_448_SIGNATURE_BYTES], const uint8_t privkey[EDDSA_448_PRIVATE_BYTES], @@ -268,11 +272,12 @@ c448_error_t c448_ed448_sign_prehash( const uint8_t hash[64], const uint8_t *context, size_t context_len, const char *propq) { - return c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1, - context, context_len, propq); + return ossl_c448_ed448_sign(ctx, signature, privkey, pubkey, hash, 64, 1, + context, context_len, propq); } -c448_error_t c448_ed448_verify( +c448_error_t +ossl_c448_ed448_verify( OSSL_LIB_CTX *ctx, const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], @@ -310,13 +315,13 @@ c448_error_t c448_ed448_verify( return C448_FAILURE; error = - curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); + ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey); if (C448_SUCCESS != error) return error; error = - curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); + ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature); if (C448_SUCCESS != error) return error; @@ -337,74 +342,82 @@ c448_error_t c448_ed448_verify( } EVP_MD_CTX_free(hashctx); - curve448_scalar_decode_long(challenge_scalar, challenge, - sizeof(challenge)); + ossl_curve448_scalar_decode_long(challenge_scalar, challenge, + sizeof(challenge)); OPENSSL_cleanse(challenge, sizeof(challenge)); } - curve448_scalar_sub(challenge_scalar, curve448_scalar_zero, - challenge_scalar); + ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero, + challenge_scalar); - curve448_scalar_decode_long(response_scalar, - &signature[EDDSA_448_PUBLIC_BYTES], - EDDSA_448_PRIVATE_BYTES); + ossl_curve448_scalar_decode_long(response_scalar, + &signature[EDDSA_448_PUBLIC_BYTES], + EDDSA_448_PRIVATE_BYTES); /* pk_point = -c(x(P)) + (cx + k)G = kG */ - curve448_base_double_scalarmul_non_secret(pk_point, - response_scalar, - pk_point, challenge_scalar); - return c448_succeed_if(curve448_point_eq(pk_point, r_point)); + ossl_curve448_base_double_scalarmul_non_secret(pk_point, + response_scalar, + pk_point, challenge_scalar); + return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point)); } -c448_error_t c448_ed448_verify_prehash( +c448_error_t +ossl_c448_ed448_verify_prehash( OSSL_LIB_CTX *ctx, const uint8_t signature[EDDSA_448_SIGNATURE_BYTES], const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES], const uint8_t hash[64], const uint8_t *context, uint8_t context_len, const char *propq) { - return c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context, - context_len, propq); + return ossl_c448_ed448_verify(ctx, signature, pubkey, hash, 64, 1, context, + context_len, propq); } -int ED448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, - size_t message_len, const uint8_t public_key[57], - const uint8_t private_key[57], const uint8_t *context, - size_t context_len, const char *propq) +int +ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig, const uint8_t *message, + size_t message_len, const uint8_t public_key[57], + const uint8_t private_key[57], const uint8_t *context, + size_t context_len, const char *propq) { - return c448_ed448_sign(ctx, out_sig, private_key, public_key, message, - message_len, 0, context, context_len,propq) - == C448_SUCCESS; + return ossl_c448_ed448_sign(ctx, out_sig, private_key, public_key, message, + message_len, 0, context, context_len, + propq) == C448_SUCCESS; } -int ED448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, - const uint8_t signature[114], const uint8_t public_key[57], - const uint8_t *context, size_t context_len, const char *propq) +int +ossl_ed448_verify(OSSL_LIB_CTX *ctx, const uint8_t *message, size_t message_len, + const uint8_t signature[114], const uint8_t public_key[57], + const uint8_t *context, size_t context_len, const char *propq) { - return c448_ed448_verify(ctx, signature, public_key, message, message_len, - 0, context, (uint8_t)context_len, - propq) == C448_SUCCESS; + return ossl_c448_ed448_verify(ctx, signature, public_key, message, + message_len, 0, context, (uint8_t)context_len, + propq) == C448_SUCCESS; } |