wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
wolfcrypt/src/ed25519.c@0:d92f9d21154c, 2015-06-26 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 26 00:39:20 2015 +0000
- Revision:
- 0:d92f9d21154c
wolfSSL 3.6.0
Who changed what in which revision?
| User | Revision | Line number | New contents of line |
|---|---|---|---|
| wolfSSL | 0:d92f9d21154c | 1 | /* ed25519.c |
| wolfSSL | 0:d92f9d21154c | 2 | * |
| wolfSSL | 0:d92f9d21154c | 3 | * Copyright (C) 2006-2015 wolfSSL Inc. |
| wolfSSL | 0:d92f9d21154c | 4 | * |
| wolfSSL | 0:d92f9d21154c | 5 | * This file is part of wolfSSL. (formerly known as CyaSSL) |
| wolfSSL | 0:d92f9d21154c | 6 | * |
| wolfSSL | 0:d92f9d21154c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
| wolfSSL | 0:d92f9d21154c | 8 | * it under the terms of the GNU General Public License as published by |
| wolfSSL | 0:d92f9d21154c | 9 | * the Free Software Foundation; either version 2 of the License, or |
| wolfSSL | 0:d92f9d21154c | 10 | * (at your option) any later version. |
| wolfSSL | 0:d92f9d21154c | 11 | * |
| wolfSSL | 0:d92f9d21154c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
| wolfSSL | 0:d92f9d21154c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| wolfSSL | 0:d92f9d21154c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| wolfSSL | 0:d92f9d21154c | 15 | * GNU General Public License for more details. |
| wolfSSL | 0:d92f9d21154c | 16 | * |
| wolfSSL | 0:d92f9d21154c | 17 | * You should have received a copy of the GNU General Public License |
| wolfSSL | 0:d92f9d21154c | 18 | * along with this program; if not, write to the Free Software |
| wolfSSL | 0:d92f9d21154c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
| wolfSSL | 0:d92f9d21154c | 20 | */ |
| wolfSSL | 0:d92f9d21154c | 21 | |
| wolfSSL | 0:d92f9d21154c | 22 | /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */ |
| wolfSSL | 0:d92f9d21154c | 23 | |
| wolfSSL | 0:d92f9d21154c | 24 | #ifdef HAVE_CONFIG_H |
| wolfSSL | 0:d92f9d21154c | 25 | #include <config.h> |
| wolfSSL | 0:d92f9d21154c | 26 | #endif |
| wolfSSL | 0:d92f9d21154c | 27 | |
| wolfSSL | 0:d92f9d21154c | 28 | /* in case user set HAVE_ED25519 there */ |
| wolfSSL | 0:d92f9d21154c | 29 | #include <wolfssl/wolfcrypt/settings.h> |
| wolfSSL | 0:d92f9d21154c | 30 | |
| wolfSSL | 0:d92f9d21154c | 31 | #ifdef HAVE_ED25519 |
| wolfSSL | 0:d92f9d21154c | 32 | |
| wolfSSL | 0:d92f9d21154c | 33 | #include <wolfssl/wolfcrypt/ed25519.h> |
| wolfSSL | 0:d92f9d21154c | 34 | #include <wolfssl/wolfcrypt/error-crypt.h> |
| wolfSSL | 0:d92f9d21154c | 35 | #ifdef NO_INLINE |
| wolfSSL | 0:d92f9d21154c | 36 | #include <wolfssl/wolfcrypt/misc.h> |
| wolfSSL | 0:d92f9d21154c | 37 | #else |
| wolfSSL | 0:d92f9d21154c | 38 | #include <wolfcrypt/src/misc.c> |
| wolfSSL | 0:d92f9d21154c | 39 | #endif |
| wolfSSL | 0:d92f9d21154c | 40 | |
| wolfSSL | 0:d92f9d21154c | 41 | |
| wolfSSL | 0:d92f9d21154c | 42 | /* |
| wolfSSL | 0:d92f9d21154c | 43 | generate an ed25519 key pair. |
| wolfSSL | 0:d92f9d21154c | 44 | returns 0 on success |
| wolfSSL | 0:d92f9d21154c | 45 | */ |
| wolfSSL | 0:d92f9d21154c | 46 | int wc_ed25519_make_key(RNG* rng, int keySz, ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 47 | { |
| wolfSSL | 0:d92f9d21154c | 48 | byte az[64]; |
| wolfSSL | 0:d92f9d21154c | 49 | int ret; |
| wolfSSL | 0:d92f9d21154c | 50 | ge_p3 A; |
| wolfSSL | 0:d92f9d21154c | 51 | |
| wolfSSL | 0:d92f9d21154c | 52 | if (rng == NULL || key == NULL) |
| wolfSSL | 0:d92f9d21154c | 53 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 54 | |
| wolfSSL | 0:d92f9d21154c | 55 | /* ed25519 has 32 byte key sizes */ |
| wolfSSL | 0:d92f9d21154c | 56 | if (keySz != ED25519_KEY_SIZE) |
| wolfSSL | 0:d92f9d21154c | 57 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 58 | |
| wolfSSL | 0:d92f9d21154c | 59 | ret = 0; |
| wolfSSL | 0:d92f9d21154c | 60 | ret |= wc_RNG_GenerateBlock(rng, key->k, 32); |
| wolfSSL | 0:d92f9d21154c | 61 | ret |= wc_Sha512Hash(key->k, 32, az); |
| wolfSSL | 0:d92f9d21154c | 62 | az[0] &= 248; |
| wolfSSL | 0:d92f9d21154c | 63 | az[31] &= 63; |
| wolfSSL | 0:d92f9d21154c | 64 | az[31] |= 64; |
| wolfSSL | 0:d92f9d21154c | 65 | |
| wolfSSL | 0:d92f9d21154c | 66 | ge_scalarmult_base(&A, az); |
| wolfSSL | 0:d92f9d21154c | 67 | ge_p3_tobytes(key->p, &A); |
| wolfSSL | 0:d92f9d21154c | 68 | XMEMMOVE(key->k + 32, key->p, 32); |
| wolfSSL | 0:d92f9d21154c | 69 | |
| wolfSSL | 0:d92f9d21154c | 70 | return ret; |
| wolfSSL | 0:d92f9d21154c | 71 | } |
| wolfSSL | 0:d92f9d21154c | 72 | |
| wolfSSL | 0:d92f9d21154c | 73 | |
| wolfSSL | 0:d92f9d21154c | 74 | /* |
| wolfSSL | 0:d92f9d21154c | 75 | in contains the message to sign |
| wolfSSL | 0:d92f9d21154c | 76 | inlen is the length of the message to sign |
| wolfSSL | 0:d92f9d21154c | 77 | out is the buffer to write the signature |
| wolfSSL | 0:d92f9d21154c | 78 | outlen [in/out] input size of out buf |
| wolfSSL | 0:d92f9d21154c | 79 | output gets set as the final length of out |
| wolfSSL | 0:d92f9d21154c | 80 | key is the ed25519 key to use when signing |
| wolfSSL | 0:d92f9d21154c | 81 | return 0 on success |
| wolfSSL | 0:d92f9d21154c | 82 | */ |
| wolfSSL | 0:d92f9d21154c | 83 | int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out, |
| wolfSSL | 0:d92f9d21154c | 84 | word32 *outlen, ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 85 | { |
| wolfSSL | 0:d92f9d21154c | 86 | ge_p3 R; |
| wolfSSL | 0:d92f9d21154c | 87 | byte nonce[SHA512_DIGEST_SIZE]; |
| wolfSSL | 0:d92f9d21154c | 88 | byte hram[SHA512_DIGEST_SIZE]; |
| wolfSSL | 0:d92f9d21154c | 89 | byte az[64]; |
| wolfSSL | 0:d92f9d21154c | 90 | word32 sigSz; |
| wolfSSL | 0:d92f9d21154c | 91 | Sha512 sha; |
| wolfSSL | 0:d92f9d21154c | 92 | int ret = 0; |
| wolfSSL | 0:d92f9d21154c | 93 | |
| wolfSSL | 0:d92f9d21154c | 94 | /* sanity check on arguments */ |
| wolfSSL | 0:d92f9d21154c | 95 | if (in == NULL || out == NULL || outlen == NULL || key == NULL) |
| wolfSSL | 0:d92f9d21154c | 96 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 97 | |
| wolfSSL | 0:d92f9d21154c | 98 | /* check and set up out length */ |
| wolfSSL | 0:d92f9d21154c | 99 | ret = 0; |
| wolfSSL | 0:d92f9d21154c | 100 | sigSz = wc_ed25519_sig_size(key); |
| wolfSSL | 0:d92f9d21154c | 101 | if (*outlen < sigSz) |
| wolfSSL | 0:d92f9d21154c | 102 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 103 | *outlen = sigSz; |
| wolfSSL | 0:d92f9d21154c | 104 | |
| wolfSSL | 0:d92f9d21154c | 105 | /* step 1: create nonce to use where nonce is r in |
| wolfSSL | 0:d92f9d21154c | 106 | r = H(h_b, ... ,h_2b-1,M) */ |
| wolfSSL | 0:d92f9d21154c | 107 | ret |= wc_Sha512Hash(key->k,32,az); |
| wolfSSL | 0:d92f9d21154c | 108 | az[0] &= 248; |
| wolfSSL | 0:d92f9d21154c | 109 | az[31] &= 63; |
| wolfSSL | 0:d92f9d21154c | 110 | az[31] |= 64; |
| wolfSSL | 0:d92f9d21154c | 111 | ret |= wc_InitSha512(&sha); |
| wolfSSL | 0:d92f9d21154c | 112 | ret |= wc_Sha512Update(&sha, az + 32, 32); |
| wolfSSL | 0:d92f9d21154c | 113 | ret |= wc_Sha512Update(&sha, in, inlen); |
| wolfSSL | 0:d92f9d21154c | 114 | ret |= wc_Sha512Final(&sha, nonce); |
| wolfSSL | 0:d92f9d21154c | 115 | sc_reduce(nonce); |
| wolfSSL | 0:d92f9d21154c | 116 | |
| wolfSSL | 0:d92f9d21154c | 117 | /* step 2: computing R = rB where rB is the scalar multiplication of |
| wolfSSL | 0:d92f9d21154c | 118 | r and B */ |
| wolfSSL | 0:d92f9d21154c | 119 | ge_scalarmult_base(&R,nonce); |
| wolfSSL | 0:d92f9d21154c | 120 | ge_p3_tobytes(out,&R); |
| wolfSSL | 0:d92f9d21154c | 121 | |
| wolfSSL | 0:d92f9d21154c | 122 | /* step 3: hash R + public key + message getting H(R,A,M) then |
| wolfSSL | 0:d92f9d21154c | 123 | creating S = (r + H(R,A,M)a) mod l */ |
| wolfSSL | 0:d92f9d21154c | 124 | ret |= wc_InitSha512(&sha); |
| wolfSSL | 0:d92f9d21154c | 125 | ret |= wc_Sha512Update(&sha, out, 32); |
| wolfSSL | 0:d92f9d21154c | 126 | ret |= wc_Sha512Update(&sha, key->p, 32); |
| wolfSSL | 0:d92f9d21154c | 127 | ret |= wc_Sha512Update(&sha, in, inlen); |
| wolfSSL | 0:d92f9d21154c | 128 | ret |= wc_Sha512Final(&sha, hram); |
| wolfSSL | 0:d92f9d21154c | 129 | sc_reduce(hram); |
| wolfSSL | 0:d92f9d21154c | 130 | sc_muladd(out + 32, hram, az, nonce); |
| wolfSSL | 0:d92f9d21154c | 131 | |
| wolfSSL | 0:d92f9d21154c | 132 | return ret; |
| wolfSSL | 0:d92f9d21154c | 133 | } |
| wolfSSL | 0:d92f9d21154c | 134 | |
| wolfSSL | 0:d92f9d21154c | 135 | |
| wolfSSL | 0:d92f9d21154c | 136 | /* |
| wolfSSL | 0:d92f9d21154c | 137 | sig is array of bytes containing the signature |
| wolfSSL | 0:d92f9d21154c | 138 | siglen is the length of sig byte array |
| wolfSSL | 0:d92f9d21154c | 139 | msg the array of bytes containing the message |
| wolfSSL | 0:d92f9d21154c | 140 | msglen length of msg array |
| wolfSSL | 0:d92f9d21154c | 141 | stat will be 1 on successful verify and 0 on unsuccessful |
| wolfSSL | 0:d92f9d21154c | 142 | */ |
| wolfSSL | 0:d92f9d21154c | 143 | int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg, |
| wolfSSL | 0:d92f9d21154c | 144 | word32 msglen, int* stat, ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 145 | { |
| wolfSSL | 0:d92f9d21154c | 146 | byte rcheck[32]; |
| wolfSSL | 0:d92f9d21154c | 147 | byte h[SHA512_DIGEST_SIZE]; |
| wolfSSL | 0:d92f9d21154c | 148 | ge_p3 A; |
| wolfSSL | 0:d92f9d21154c | 149 | ge_p2 R; |
| wolfSSL | 0:d92f9d21154c | 150 | word32 sigSz; |
| wolfSSL | 0:d92f9d21154c | 151 | int ret; |
| wolfSSL | 0:d92f9d21154c | 152 | Sha512 sha; |
| wolfSSL | 0:d92f9d21154c | 153 | |
| wolfSSL | 0:d92f9d21154c | 154 | /* sanity check on arguments */ |
| wolfSSL | 0:d92f9d21154c | 155 | if (sig == NULL || msg == NULL || stat == NULL || key == NULL) |
| wolfSSL | 0:d92f9d21154c | 156 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 157 | |
| wolfSSL | 0:d92f9d21154c | 158 | ret = 0; |
| wolfSSL | 0:d92f9d21154c | 159 | *stat = 0; |
| wolfSSL | 0:d92f9d21154c | 160 | sigSz = wc_ed25519_size(key); |
| wolfSSL | 0:d92f9d21154c | 161 | |
| wolfSSL | 0:d92f9d21154c | 162 | /* check on basics needed to verify signature */ |
| wolfSSL | 0:d92f9d21154c | 163 | if (siglen < sigSz) |
| wolfSSL | 0:d92f9d21154c | 164 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 165 | if (sig[63] & 224) |
| wolfSSL | 0:d92f9d21154c | 166 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 167 | |
| wolfSSL | 0:d92f9d21154c | 168 | /* uncompress A (public key), test if valid, and negate it */ |
| wolfSSL | 0:d92f9d21154c | 169 | if (ge_frombytes_negate_vartime(&A, key->p) != 0) |
| wolfSSL | 0:d92f9d21154c | 170 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 171 | |
| wolfSSL | 0:d92f9d21154c | 172 | /* find H(R,A,M) and store it as h */ |
| wolfSSL | 0:d92f9d21154c | 173 | ret |= wc_InitSha512(&sha); |
| wolfSSL | 0:d92f9d21154c | 174 | ret |= wc_Sha512Update(&sha, sig, 32); |
| wolfSSL | 0:d92f9d21154c | 175 | ret |= wc_Sha512Update(&sha, key->p, 32); |
| wolfSSL | 0:d92f9d21154c | 176 | ret |= wc_Sha512Update(&sha, msg, msglen); |
| wolfSSL | 0:d92f9d21154c | 177 | ret |= wc_Sha512Final(&sha, h); |
| wolfSSL | 0:d92f9d21154c | 178 | sc_reduce(h); |
| wolfSSL | 0:d92f9d21154c | 179 | |
| wolfSSL | 0:d92f9d21154c | 180 | /* |
| wolfSSL | 0:d92f9d21154c | 181 | Uses a fast single-signature verification SB = R + H(R,A,M)A becomes |
| wolfSSL | 0:d92f9d21154c | 182 | SB - H(R,A,M)A saving decompression of R |
| wolfSSL | 0:d92f9d21154c | 183 | */ |
| wolfSSL | 0:d92f9d21154c | 184 | ret |= ge_double_scalarmult_vartime(&R, h, &A, sig + 32); |
| wolfSSL | 0:d92f9d21154c | 185 | ge_tobytes(rcheck, &R); |
| wolfSSL | 0:d92f9d21154c | 186 | |
| wolfSSL | 0:d92f9d21154c | 187 | /* comparison of R created to R in sig */ |
| wolfSSL | 0:d92f9d21154c | 188 | ret |= ConstantCompare(rcheck, sig, 32); |
| wolfSSL | 0:d92f9d21154c | 189 | |
| wolfSSL | 0:d92f9d21154c | 190 | *stat = (ret == 0)? 1: 0; |
| wolfSSL | 0:d92f9d21154c | 191 | |
| wolfSSL | 0:d92f9d21154c | 192 | return ret; |
| wolfSSL | 0:d92f9d21154c | 193 | } |
| wolfSSL | 0:d92f9d21154c | 194 | |
| wolfSSL | 0:d92f9d21154c | 195 | |
| wolfSSL | 0:d92f9d21154c | 196 | /* initialize information and memory for key */ |
| wolfSSL | 0:d92f9d21154c | 197 | int wc_ed25519_init(ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 198 | { |
| wolfSSL | 0:d92f9d21154c | 199 | if (key == NULL) |
| wolfSSL | 0:d92f9d21154c | 200 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 201 | |
| wolfSSL | 0:d92f9d21154c | 202 | XMEMSET(key, 0, sizeof(ed25519_key)); |
| wolfSSL | 0:d92f9d21154c | 203 | |
| wolfSSL | 0:d92f9d21154c | 204 | return 0; |
| wolfSSL | 0:d92f9d21154c | 205 | } |
| wolfSSL | 0:d92f9d21154c | 206 | |
| wolfSSL | 0:d92f9d21154c | 207 | |
| wolfSSL | 0:d92f9d21154c | 208 | /* clear memory of key */ |
| wolfSSL | 0:d92f9d21154c | 209 | void wc_ed25519_free(ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 210 | { |
| wolfSSL | 0:d92f9d21154c | 211 | if (key == NULL) |
| wolfSSL | 0:d92f9d21154c | 212 | return; |
| wolfSSL | 0:d92f9d21154c | 213 | |
| wolfSSL | 0:d92f9d21154c | 214 | ForceZero(key, sizeof(ed25519_key)); |
| wolfSSL | 0:d92f9d21154c | 215 | } |
| wolfSSL | 0:d92f9d21154c | 216 | |
| wolfSSL | 0:d92f9d21154c | 217 | |
| wolfSSL | 0:d92f9d21154c | 218 | /* |
| wolfSSL | 0:d92f9d21154c | 219 | outLen should contain the size of out buffer when input. outLen is than set |
| wolfSSL | 0:d92f9d21154c | 220 | to the final output length. |
| wolfSSL | 0:d92f9d21154c | 221 | returns 0 on success |
| wolfSSL | 0:d92f9d21154c | 222 | */ |
| wolfSSL | 0:d92f9d21154c | 223 | int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen) |
| wolfSSL | 0:d92f9d21154c | 224 | { |
| wolfSSL | 0:d92f9d21154c | 225 | word32 keySz; |
| wolfSSL | 0:d92f9d21154c | 226 | |
| wolfSSL | 0:d92f9d21154c | 227 | /* sanity check on arguments */ |
| wolfSSL | 0:d92f9d21154c | 228 | if (key == NULL || out == NULL || outLen == NULL) |
| wolfSSL | 0:d92f9d21154c | 229 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 230 | |
| wolfSSL | 0:d92f9d21154c | 231 | keySz = wc_ed25519_size(key); |
| wolfSSL | 0:d92f9d21154c | 232 | if (*outLen < keySz) { |
| wolfSSL | 0:d92f9d21154c | 233 | *outLen = keySz; |
| wolfSSL | 0:d92f9d21154c | 234 | return BUFFER_E; |
| wolfSSL | 0:d92f9d21154c | 235 | } |
| wolfSSL | 0:d92f9d21154c | 236 | *outLen = keySz; |
| wolfSSL | 0:d92f9d21154c | 237 | XMEMCPY(out, key->p, keySz); |
| wolfSSL | 0:d92f9d21154c | 238 | |
| wolfSSL | 0:d92f9d21154c | 239 | return 0; |
| wolfSSL | 0:d92f9d21154c | 240 | } |
| wolfSSL | 0:d92f9d21154c | 241 | |
| wolfSSL | 0:d92f9d21154c | 242 | |
| wolfSSL | 0:d92f9d21154c | 243 | /* |
| wolfSSL | 0:d92f9d21154c | 244 | Imports a compressed/uncompressed public key. |
| wolfSSL | 0:d92f9d21154c | 245 | in the byte array containing the public key |
| wolfSSL | 0:d92f9d21154c | 246 | inLen the length of the byte array being passed in |
| wolfSSL | 0:d92f9d21154c | 247 | key ed25519 key struct to put the public key in |
| wolfSSL | 0:d92f9d21154c | 248 | */ |
| wolfSSL | 0:d92f9d21154c | 249 | int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 250 | { |
| wolfSSL | 0:d92f9d21154c | 251 | word32 keySz; |
| wolfSSL | 0:d92f9d21154c | 252 | int ret; |
| wolfSSL | 0:d92f9d21154c | 253 | |
| wolfSSL | 0:d92f9d21154c | 254 | /* sanity check on arguments */ |
| wolfSSL | 0:d92f9d21154c | 255 | if (in == NULL || key == NULL) |
| wolfSSL | 0:d92f9d21154c | 256 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 257 | |
| wolfSSL | 0:d92f9d21154c | 258 | keySz = wc_ed25519_size(key); |
| wolfSSL | 0:d92f9d21154c | 259 | |
| wolfSSL | 0:d92f9d21154c | 260 | if (inLen < keySz) |
| wolfSSL | 0:d92f9d21154c | 261 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 262 | |
| wolfSSL | 0:d92f9d21154c | 263 | /* compressed prefix according to draft |
| wolfSSL | 0:d92f9d21154c | 264 | http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */ |
| wolfSSL | 0:d92f9d21154c | 265 | if (in[0] == 0x40) { |
| wolfSSL | 0:d92f9d21154c | 266 | /* key is stored in compressed format so just copy in */ |
| wolfSSL | 0:d92f9d21154c | 267 | XMEMCPY(key->p, (in + 1), keySz); |
| wolfSSL | 0:d92f9d21154c | 268 | return 0; |
| wolfSSL | 0:d92f9d21154c | 269 | } |
| wolfSSL | 0:d92f9d21154c | 270 | |
| wolfSSL | 0:d92f9d21154c | 271 | /* importing uncompressed public key */ |
| wolfSSL | 0:d92f9d21154c | 272 | if (in[0] == 0x04) { |
| wolfSSL | 0:d92f9d21154c | 273 | /* pass in (x,y) and store compressed key */ |
| wolfSSL | 0:d92f9d21154c | 274 | ret = ge_compress_key(key->p, (in+1), (in+1+keySz), keySz); |
| wolfSSL | 0:d92f9d21154c | 275 | return ret; |
| wolfSSL | 0:d92f9d21154c | 276 | } |
| wolfSSL | 0:d92f9d21154c | 277 | |
| wolfSSL | 0:d92f9d21154c | 278 | /* if not specified compressed or uncompressed check key size |
| wolfSSL | 0:d92f9d21154c | 279 | if key size is equal to compressed key size copy in key */ |
| wolfSSL | 0:d92f9d21154c | 280 | if (inLen == keySz) { |
| wolfSSL | 0:d92f9d21154c | 281 | XMEMCPY(key->p, in, keySz); |
| wolfSSL | 0:d92f9d21154c | 282 | return 0; |
| wolfSSL | 0:d92f9d21154c | 283 | } |
| wolfSSL | 0:d92f9d21154c | 284 | |
| wolfSSL | 0:d92f9d21154c | 285 | /* bad public key format */ |
| wolfSSL | 0:d92f9d21154c | 286 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 287 | } |
| wolfSSL | 0:d92f9d21154c | 288 | |
| wolfSSL | 0:d92f9d21154c | 289 | |
| wolfSSL | 0:d92f9d21154c | 290 | /* |
| wolfSSL | 0:d92f9d21154c | 291 | For importing a private key and its associated public key. |
| wolfSSL | 0:d92f9d21154c | 292 | */ |
| wolfSSL | 0:d92f9d21154c | 293 | int wc_ed25519_import_private_key(const byte* priv, word32 privSz, |
| wolfSSL | 0:d92f9d21154c | 294 | const byte* pub, word32 pubSz, ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 295 | { |
| wolfSSL | 0:d92f9d21154c | 296 | word32 keySz; |
| wolfSSL | 0:d92f9d21154c | 297 | int ret; |
| wolfSSL | 0:d92f9d21154c | 298 | |
| wolfSSL | 0:d92f9d21154c | 299 | /* sanity check on arguments */ |
| wolfSSL | 0:d92f9d21154c | 300 | if (priv == NULL || pub == NULL || key == NULL) |
| wolfSSL | 0:d92f9d21154c | 301 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 302 | |
| wolfSSL | 0:d92f9d21154c | 303 | keySz = wc_ed25519_size(key); |
| wolfSSL | 0:d92f9d21154c | 304 | |
| wolfSSL | 0:d92f9d21154c | 305 | /* key size check */ |
| wolfSSL | 0:d92f9d21154c | 306 | if (privSz < keySz || pubSz < keySz) |
| wolfSSL | 0:d92f9d21154c | 307 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 308 | |
| wolfSSL | 0:d92f9d21154c | 309 | XMEMCPY(key->k, priv, keySz); |
| wolfSSL | 0:d92f9d21154c | 310 | ret = wc_ed25519_import_public(pub, pubSz, key); |
| wolfSSL | 0:d92f9d21154c | 311 | XMEMCPY((key->k + keySz), key->p, keySz); |
| wolfSSL | 0:d92f9d21154c | 312 | |
| wolfSSL | 0:d92f9d21154c | 313 | return ret; |
| wolfSSL | 0:d92f9d21154c | 314 | } |
| wolfSSL | 0:d92f9d21154c | 315 | |
| wolfSSL | 0:d92f9d21154c | 316 | |
| wolfSSL | 0:d92f9d21154c | 317 | /* |
| wolfSSL | 0:d92f9d21154c | 318 | outLen should contain the size of out buffer when input. outLen is than set |
| wolfSSL | 0:d92f9d21154c | 319 | to the final output length. |
| wolfSSL | 0:d92f9d21154c | 320 | returns 0 on success |
| wolfSSL | 0:d92f9d21154c | 321 | */ |
| wolfSSL | 0:d92f9d21154c | 322 | int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen) |
| wolfSSL | 0:d92f9d21154c | 323 | { |
| wolfSSL | 0:d92f9d21154c | 324 | word32 keySz; |
| wolfSSL | 0:d92f9d21154c | 325 | |
| wolfSSL | 0:d92f9d21154c | 326 | /* sanity checks on arguments */ |
| wolfSSL | 0:d92f9d21154c | 327 | if (key == NULL || out == NULL || outLen == NULL) |
| wolfSSL | 0:d92f9d21154c | 328 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 329 | |
| wolfSSL | 0:d92f9d21154c | 330 | keySz = wc_ed25519_size(key); |
| wolfSSL | 0:d92f9d21154c | 331 | if (*outLen < keySz) { |
| wolfSSL | 0:d92f9d21154c | 332 | *outLen = keySz; |
| wolfSSL | 0:d92f9d21154c | 333 | return BUFFER_E; |
| wolfSSL | 0:d92f9d21154c | 334 | } |
| wolfSSL | 0:d92f9d21154c | 335 | *outLen = keySz; |
| wolfSSL | 0:d92f9d21154c | 336 | XMEMCPY(out, key->k, keySz); |
| wolfSSL | 0:d92f9d21154c | 337 | |
| wolfSSL | 0:d92f9d21154c | 338 | return 0; |
| wolfSSL | 0:d92f9d21154c | 339 | } |
| wolfSSL | 0:d92f9d21154c | 340 | |
| wolfSSL | 0:d92f9d21154c | 341 | |
| wolfSSL | 0:d92f9d21154c | 342 | /* is the compressed key size in bytes */ |
| wolfSSL | 0:d92f9d21154c | 343 | int wc_ed25519_size(ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 344 | { |
| wolfSSL | 0:d92f9d21154c | 345 | word32 keySz; |
| wolfSSL | 0:d92f9d21154c | 346 | |
| wolfSSL | 0:d92f9d21154c | 347 | if (key == NULL) |
| wolfSSL | 0:d92f9d21154c | 348 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 349 | |
| wolfSSL | 0:d92f9d21154c | 350 | keySz = ED25519_KEY_SIZE; |
| wolfSSL | 0:d92f9d21154c | 351 | |
| wolfSSL | 0:d92f9d21154c | 352 | return keySz; |
| wolfSSL | 0:d92f9d21154c | 353 | } |
| wolfSSL | 0:d92f9d21154c | 354 | |
| wolfSSL | 0:d92f9d21154c | 355 | |
| wolfSSL | 0:d92f9d21154c | 356 | /* returns the size of signature in bytes */ |
| wolfSSL | 0:d92f9d21154c | 357 | int wc_ed25519_sig_size(ed25519_key* key) |
| wolfSSL | 0:d92f9d21154c | 358 | { |
| wolfSSL | 0:d92f9d21154c | 359 | word32 sigSz; |
| wolfSSL | 0:d92f9d21154c | 360 | |
| wolfSSL | 0:d92f9d21154c | 361 | if (key == NULL) |
| wolfSSL | 0:d92f9d21154c | 362 | return BAD_FUNC_ARG; |
| wolfSSL | 0:d92f9d21154c | 363 | |
| wolfSSL | 0:d92f9d21154c | 364 | sigSz = ED25519_SIG_SIZE; |
| wolfSSL | 0:d92f9d21154c | 365 | |
| wolfSSL | 0:d92f9d21154c | 366 | return sigSz; |
| wolfSSL | 0:d92f9d21154c | 367 | } |
| wolfSSL | 0:d92f9d21154c | 368 | |
| wolfSSL | 0:d92f9d21154c | 369 | #endif /* HAVE_ED25519 */ |
| wolfSSL | 0:d92f9d21154c | 370 | |
| wolfSSL | 0:d92f9d21154c | 371 |