X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/catacomb/blobdiff_plain/e830bb692041c75eb29b8c511db21af81b3aae2d..a7aa36f2e3359a9d5cc164cc418352b629451e7c:/pub/ed25519.c diff --git a/pub/ed25519.c b/pub/ed25519.c index c6b805c4..82099f2c 100644 --- a/pub/ed25519.c +++ b/pub/ed25519.c @@ -392,6 +392,17 @@ static void unpack_key(scaf_piece a[NPIECE], octet h1[32], if (h1) memcpy(h1, b + 32, 32); } +#define PREFIX_BUFSZ 290 +static size_t prefix(octet b[PREFIX_BUFSZ], + int phflag, const octet *p, size_t psz) +{ + if (phflag < 0) return (0); + memcpy(b, "SigEd25519 no Ed25519 collisions", 32); + b[32] = phflag; + assert(psz < ED25519_MAXPERSOSZ); b[33] = psz; memcpy(b + 34, p, psz); + return (psz + 34); +} + /*----- Main code ---------------------------------------------------------*/ /* --- @ed25519_pubkey@ --- * @@ -415,52 +426,65 @@ void ed25519_pubkey(octet K[ED25519_PUBSZ], const void *k, size_t ksz) ptencode(K, &AX, &AY, &AZ); } -/* --- @ed25519_sign@ --- * +/* --- @ed25519_sign@, @ed25519ctx_sign@ --- * * * Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature * @const void *k@ = private key * @size_t ksz@ = length of private key * @const octet K[ED25519_PUBSZ]@ = public key + * @int phflag@ = whether the `message' has been hashed already + * @const void *p@ = personalization string + * @size_t psz@ = length of personalization string * @const void *m@ = message to sign * @size_t msz@ = length of message * * Returns: --- * * Use: Signs a message. + * + * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain + * old Ed25519: the personalization string pointer @p@ will be + * ignored. If @phflag > 0@ then the `message' @m@ should be a + * SHA512 hash of the actual message. */ -void ed25519_sign(octet sig[ED25519_SIGSZ], - const void *k, size_t ksz, - const octet K[ED25519_PUBSZ], - const void *m, size_t msz) +void ed25519ctx_sign(octet sig[ED25519_SIGSZ], + const void *k, size_t ksz, const octet K[ED25519_PUBSZ], + int phflag, const void *p, size_t psz, + const void *m, size_t msz) { sha512_ctx h; scaf_piece a[NPIECE], r[NPIECE], t[NPIECE], scratch[3*NPIECE + 1]; scaf_dblpiece tt[2*NPIECE]; f25519 RX, RY, RZ; - octet h1[32], b[SHA512_HASHSZ]; + octet h1[32], pb[PREFIX_BUFSZ], rb[SHA512_HASHSZ]; unsigned i; /* Get my private key. */ unpack_key(a, h1, k, ksz); + /* Determine the prefix string. */ + psz = prefix(pb, phflag, p, psz); + /* Select the nonce and the vector part. */ sha512_init(&h); + sha512_hash(&h, pb, psz); sha512_hash(&h, h1, 32); sha512_hash(&h, m, msz); - sha512_done(&h, b); - scaf_loaddbl(tt, b, 64, 2*NPIECE, PIECEWD); + sha512_done(&h, rb); + scaf_loaddbl(tt, rb, 64, 2*NPIECE, PIECEWD); scaf_reduce(r, tt, l, mu, NPIECE, PIECEWD, scratch); ptmul(&RX, &RY, &RZ, r, BX, BY, BZ); ptencode(sig, &RX, &RY, &RZ); /* Calculate the scalar part. */ sha512_init(&h); + sha512_hash(&h, pb, psz); sha512_hash(&h, sig, 32); sha512_hash(&h, K, 32); sha512_hash(&h, m, msz); - sha512_done(&h, b); - scaf_loaddbl(tt, b, 64, 2*NPIECE, PIECEWD); + sha512_done(&h, rb); + scaf_loaddbl(tt, rb, 64, 2*NPIECE, PIECEWD); scaf_reduce(t, tt, l, mu, NPIECE, PIECEWD, scratch); scaf_mul(tt, t, a, NPIECE); for (i = 0; i < NPIECE; i++) tt[i] += r[i]; @@ -468,9 +492,17 @@ void ed25519_sign(octet sig[ED25519_SIGSZ], scaf_store(sig + 32, 32, t, NPIECE, PIECEWD); } -/* --- @ed25519_verify@ --- * +void ed25519_sign(octet sig[ED25519_SIGSZ], + const void *k, size_t ksz, const octet K[ED25519_PUBSZ], + const void *m, size_t msz) + { ed25519ctx_sign(sig, k, ksz, K, -1, 0, 0, m, msz); } + +/* --- @ed25519_verify@, @ed25519ctx_verify@ --- * * * Arguments: @const octet K[ED25519_PUBSZ]@ = public key + * @int phflag@ = whether the `message' has been hashed already + * @const void *p@ = personalization string + * @size_t psz@ = length of personalization string * @const void *m@ = message to sign * @size_t msz@ = length of message * @const octet sig[ED25519_SIGSZ]@ = signature @@ -478,17 +510,23 @@ void ed25519_sign(octet sig[ED25519_SIGSZ], * Returns: Zero if OK, negative on failure. * * Use: Verify a signature. + * + * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get + * plain old Ed25519: the personalization string pointer @p@ + * will be ignored. If @phflag > 0@ then the `message' @m@ + * should be a SHA512 hash of the actual message. */ -int ed25519_verify(const octet K[ED25519_PUBSZ], - const void *m, size_t msz, - const octet sig[ED25519_SIGSZ]) +int ed25519ctx_verify(const octet K[ED25519_PUBSZ], + int phflag, const void *p, size_t psz, + const void *m, size_t msz, + const octet sig[ED25519_SIGSZ]) { sha512_ctx h; scaf_piece s[NPIECE], t[NPIECE], scratch[3*NPIECE + 1]; scaf_dblpiece tt[2*NPIECE]; f25519 AX, AY, AZ, RX, RY, RZ; - octet b[SHA512_HASHSZ]; + octet b[PREFIX_BUFSZ]; /* Unpack the public key. Negate it: we're meant to subtract the term * involving the public key point, and this is easier than negating the @@ -506,7 +544,9 @@ int ed25519_verify(const octet K[ED25519_PUBSZ], if (memcmp(b, sig + 32, 32) != 0) return (-1); /* Check the signature. */ + psz = prefix(b, phflag, p, psz); sha512_init(&h); + sha512_hash(&h, b, psz); sha512_hash(&h, sig, 32); sha512_hash(&h, K, 32); sha512_hash(&h, m, msz); @@ -521,6 +561,11 @@ int ed25519_verify(const octet K[ED25519_PUBSZ], return (0); } +int ed25519_verify(const octet K[ED25519_PUBSZ], + const void *m, size_t msz, + const octet sig[ED25519_SIGSZ]) + { return (ed25519ctx_verify(K, -1, 0, 0, m, msz, sig)); } + /*----- Test rig ----------------------------------------------------------*/ #ifdef TEST_RIG @@ -553,25 +598,43 @@ static int vrf_pubkey(dstr dv[]) return (ok); } -static int vrf_sign(dstr dv[]) +static int vrf_sign(dstr *priv, int phflag, dstr *perso, + dstr *msg, dstr *want) { + sha512_ctx h; octet K[ED25519_PUBSZ]; - dstr dsig = DSTR_INIT; + dstr d = DSTR_INIT, dsig = DSTR_INIT, *m; int ok = 1; - if (dv[2].len != ED25519_SIGSZ) die(1, "bad result length"); + if (want->len != ED25519_SIGSZ) die(1, "bad result length"); dstr_ensure(&dsig, ED25519_SIGSZ); dsig.len = ED25519_SIGSZ; - ed25519_pubkey(K, dv[0].buf, dv[0].len); - ed25519_sign((octet *)dsig.buf, dv[0].buf, dv[0].len, K, - dv[1].buf, dv[1].len); - if (memcmp(dsig.buf, dv[2].buf, ED25519_SIGSZ) != 0) { + if (phflag <= 0) + m = msg; + else { + dstr_ensure(&d, SHA512_HASHSZ); d.len = SHA512_HASHSZ; + sha512_init(&h); + sha512_hash(&h, msg->buf, msg->len); + sha512_done(&h, d.buf); + m = &d; + } + ed25519_pubkey(K, priv->buf, priv->len); + ed25519ctx_sign((octet *)dsig.buf, priv->buf, priv->len, K, + phflag, perso ? perso->buf : 0, perso ? perso->len : 0, + m->buf, m->len); + if (memcmp(dsig.buf, want->buf, ED25519_SIGSZ) != 0) { ok = 0; fprintf(stderr, "failed!"); - fprintf(stderr, "\n\tpriv = "); type_hex.dump(&dv[0], stderr); - fprintf(stderr, "\n\t msg = "); type_hex.dump(&dv[1], stderr); + fprintf(stderr, "\n\tpriv = "); type_hex.dump(priv, stderr); + if (phflag >= 0) { + fprintf(stderr, "\n\t ph = %d", phflag); + fprintf(stderr, "\n\tpers = "); type_hex.dump(perso, stderr); + } + fprintf(stderr, "\n\t msg = "); type_hex.dump(msg, stderr); + if (phflag > 0) + { fprintf(stderr, "\n\thash = "); type_hex.dump(m, stderr); } fprintf(stderr, "\n\tcalc = "); type_hex.dump(&dsig, stderr); - fprintf(stderr, "\n\twant = "); type_hex.dump(&dv[2], stderr); + fprintf(stderr, "\n\twant = "); type_hex.dump(want, stderr); fprintf(stderr, "\n"); } @@ -579,24 +642,49 @@ static int vrf_sign(dstr dv[]) return (ok); } -static int vrf_verify(dstr dv[]) +static int vrf_sign_trad(dstr *dv) + { return (vrf_sign(&dv[0], -1, 0, &dv[1], &dv[2])); } + +static int vrf_sign_ctx(dstr *dv) + { return (vrf_sign(&dv[0], *(int *)dv[1].buf, &dv[2], &dv[3], &dv[4])); } + +static int vrf_verify(dstr *pub, int phflag, dstr *perso, + dstr *msg, dstr *sig, int rc_want) { - int rc_want, rc_calc; + sha512_ctx h; + int rc_calc; + dstr d = DSTR_INIT, *m; int ok = 1; - if (dv[0].len != ED25519_PUBSZ) die(1, "bad pub length"); - if (dv[2].len != ED25519_SIGSZ) die(1, "bad sig length"); - rc_want = *(int *)dv[3].buf; - - rc_calc = ed25519_verify((const octet *)dv[0].buf, - dv[1].buf, dv[1].len, - (const octet *)dv[2].buf); + if (pub->len != ED25519_PUBSZ) die(1, "bad pub length"); + if (sig->len != ED25519_SIGSZ) die(1, "bad sig length"); + + if (phflag <= 0) + m = msg; + else { + dstr_ensure(&d, SHA512_HASHSZ); d.len = SHA512_HASHSZ; + sha512_init(&h); + sha512_hash(&h, msg->buf, msg->len); + sha512_done(&h, d.buf); + m = &d; + } + rc_calc = ed25519ctx_verify((const octet *)pub->buf, + phflag, perso ? perso->buf : 0, + perso ? perso->len : 0, + m->buf, m->len, + (const octet *)sig->buf); if (!rc_want != !rc_calc) { ok = 0; fprintf(stderr, "failed!"); - fprintf(stderr, "\n\t pub = "); type_hex.dump(&dv[0], stderr); - fprintf(stderr, "\n\t msg = "); type_hex.dump(&dv[1], stderr); - fprintf(stderr, "\n\t sig = "); type_hex.dump(&dv[2], stderr); + fprintf(stderr, "\n\t pub = "); type_hex.dump(pub, stderr); + if (phflag >= 0) { + fprintf(stderr, "\n\t ph = %d", phflag); + fprintf(stderr, "\n\tpers = "); type_hex.dump(perso, stderr); + } + fprintf(stderr, "\n\t msg = "); type_hex.dump(msg, stderr); + if (phflag > 0) + { fprintf(stderr, "\n\thash = "); type_hex.dump(m, stderr); } + fprintf(stderr, "\n\t sig = "); type_hex.dump(sig, stderr); fprintf(stderr, "\n\tcalc = %d", rc_calc); fprintf(stderr, "\n\twant = %d", rc_want); fprintf(stderr, "\n"); @@ -605,10 +693,26 @@ static int vrf_verify(dstr dv[]) return (ok); } +static int vrf_verify_trad(dstr *dv) + { return (vrf_verify(&dv[0], -1, 0, &dv[1], &dv[2], *(int *)dv[3].buf)); } + +static int vrf_verify_ctx(dstr *dv) +{ + return (vrf_verify(&dv[0], *(int *)dv[1].buf, &dv[2], + &dv[3], &dv[4], *(int *)dv[5].buf)); +} + static test_chunk tests[] = { - { "pubkey", vrf_pubkey, { &type_hex, &type_hex } }, - { "sign", vrf_sign, { &type_hex, &type_hex, &type_hex } }, - { "verify", vrf_verify, { &type_hex, &type_hex, &type_hex, &type_int } }, + { "pubkey", vrf_pubkey, + { &type_hex, &type_hex } }, + { "sign", vrf_sign_trad, + { &type_hex, &type_hex, &type_hex } }, + { "verify", vrf_verify_trad, + { &type_hex, &type_hex, &type_hex, &type_int } }, + { "sign-ctx", vrf_sign_ctx, + { &type_hex, &type_int, &type_hex, &type_hex, &type_hex } }, + { "verify-ctx", vrf_verify_ctx, + { &type_hex, &type_int, &type_hex, &type_hex, &type_hex, &type_int } }, { 0, 0, { 0 } } };