@@@ testing

[secnet] / x448.c

/*
 * x448.c: Hamburg's X448 key-exchange function
 */
/*
 * This file is Free Software.  It has been modified to as part of its
 * incorporation into secnet.
 *
 * Copyright 2017 Mark Wooding
 *
 * You may redistribute this file and/or modify it under the terms of
 * the permissive licence shown below.
 *
 * You may redistribute secnet as a whole and/or modify it under the
 * terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3, or (at your option) any
 * later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 */
/*
 * Imported from Catacomb, and modified for Secnet (2017-04-30):
 *
 *   * Use `fake-mLib-bits.h' in place of the real <mLib/bits.h>.
 *
 *   * Remove the test rig code: a replacement is in a separate source file.
 *
 *   * Strip out the key-management definitions.
 *
 * The file's original comment headers are preserved below.
 */
/* -*-c-*-
 *
 * The X448 key-agreement algorithm
 *
 * (c) 2017 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "fake-mLib-bits.h"

#include "montladder.h"
#include "fgoldi.h"
#include "x448.h"

/*----- Important constants -----------------------------------------------*/

const octet x448_base[56] = { 5, 0, /* ... */ };

#define A0 39081

/*----- Main code ---------------------------------------------------------*/

/* --- @x448@ --- *
 *
 * Arguments:   @octet zz[X448_OUTSZ]@ = where to put the result
 *              @const octet k[X448_KEYSZ]@ = pointer to private key
 *              @const octet qx[X448_PUBSZ]@ = pointer to public value
 *
 * Returns:     ---
 *
 * Use:         Calculates X448 of @k@ and @qx@.
 */

void x448(octet zz[X448_OUTSZ],
          const octet k[X448_KEYSZ],
          const octet qx[X448_PUBSZ])
{
  uint32 kw[14];
  fgoldi x1;
  unsigned i;

  /* Load and clamp the key.  The low bits are cleared to kill the small
   * subgroups on the curve and its twist, and a high bit is set to guard
   * against careless implementations, though this isn't one of those.
   */
  for (i = 0; i < 14; i++) kw[i] = LOAD32_L(k + 4*i);
  kw[0] &= 0xfffffffc; kw[13] |= 0x80000000;

  /* And run the ladder. */
  fgoldi_load(&x1, qx);
#define MULA0(z, x) do { fgoldi_mulconst((z), (x), A0); } while (0)
  MONT_LADDER(fgoldi, MULA0, kw, 14, 32, &x1, &x1);
#undef MULA0
  fgoldi_store(zz, &x1);
}

/*----- Test rig ----------------------------------------------------------*/

#ifdef TEST_RIG

#include <mLib/report.h>
#include <mLib/str.h>
#include <mLib/testrig.h>

static int vrf_x448(dstr dv[])
{
  dstr dz = DSTR_INIT;
  int ok = 1;

  if (dv[0].len != 56) die(1, "bad key length");
  if (dv[1].len != 56) die(1, "bad public length");
  if (dv[2].len != 56) die(1, "bad result length");

  dstr_ensure(&dz, 56); dz.len = 56;
  x448((octet *)dz.buf,
       (const octet *)dv[0].buf,
       (const octet *)dv[1].buf);
  if (memcmp(dz.buf, dv[2].buf, 56) != 0) {
    ok = 0;
    fprintf(stderr, "failed!");
    fprintf(stderr, "\n\t   k = "); type_hex.dump(&dv[0], stderr);
    fprintf(stderr, "\n\t   p = "); type_hex.dump(&dv[1], stderr);
    fprintf(stderr, "\n\twant = "); type_hex.dump(&dv[2], stderr);
    fprintf(stderr, "\n\tcalc = "); type_hex.dump(&dz, stderr);
    fprintf(stderr, "\n");
  }

  dstr_destroy(&dz);
  return (ok);
}

static int vrf_mct(dstr dv[])
{
  octet b0[56], b1[56], *k = b0, *x = b1, *t;
  unsigned long i, niter;
  dstr d = DSTR_INIT;
  int ok = 1;

  if (dv[0].len != sizeof(b0)) { fprintf(stderr, "k len\n"); exit(2); }
  if (dv[1].len != sizeof(b1)) { fprintf(stderr, "x len\n"); exit(2); }
  if (dv[3].len != sizeof(b0)) { fprintf(stderr, "result len\n"); exit(2); }
  memcpy(b0, dv[0].buf, sizeof(b0));
  memcpy(b1, dv[1].buf, sizeof(b1));
  niter = *(unsigned long *)dv[2].buf;
  dstr_ensure(&d, 56); d.len = 56; t = (octet *)d.buf;

  for (i = 0; i < niter; i++) {
    x448(x, k, x);
    t = x; x = k; k = t;
  }
  memcpy(d.buf, k, d.len);

  if (memcmp(d.buf, dv[3].buf, d.len) != 0) {
    ok = 0;
    fprintf(stderr, "failed...");
    fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&dv[0], stderr);
    fprintf(stderr, "\n\tinitial x = "); type_hex.dump(&dv[1], stderr);
    fprintf(stderr, "\n\titerations = %lu", niter);
    fprintf(stderr, "\n\texpected = "); type_hex.dump(&dv[3], stderr);
    fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&d, stderr);
    fputc('\n', stderr);
  }

  dstr_destroy(&d);
  return (ok);
}

static test_chunk tests[] = {
  { "x448", vrf_x448, { &type_hex, &type_hex, &type_hex } },
  { "x448-mct", vrf_mct,
    { &type_hex, &type_hex, &type_ulong, &type_hex } },
  { 0, 0, { 0 } }
};

int main(int argc, char *argv[])
{
  test_run(argc, argv, tests, SRCDIR "/t/x448");
  return (0);
}

#endif

/*----- That's all, folks -------------------------------------------------*/