wolfSSL - wolfSSL SSL/TLS library, support up to TLS1.3

Users » wolfSSL » Code » wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

wolfcrypt/src/ed25519.c@13:f67a6c6013ca, 2017-08-22 (annotated)

Committer:: wolfSSL
Date:: Tue Aug 22 10:48:22 2017 +0000
Revision:: 13:f67a6c6013ca

wolfSSL3.12.0 with TLS1.3

Who changed what in which revision?

User	Revision	Line number	New contents of line
wolfSSL	13:f67a6c6013ca	1	/* ed25519.c
wolfSSL	13:f67a6c6013ca	2	*
wolfSSL	13:f67a6c6013ca	3	* Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL	13:f67a6c6013ca	4	*
wolfSSL	13:f67a6c6013ca	5	* This file is part of wolfSSL.
wolfSSL	13:f67a6c6013ca	6	*
wolfSSL	13:f67a6c6013ca	7	* wolfSSL is free software; you can redistribute it and/or modify
wolfSSL	13:f67a6c6013ca	8	* it under the terms of the GNU General Public License as published by
wolfSSL	13:f67a6c6013ca	9	* the Free Software Foundation; either version 2 of the License, or
wolfSSL	13:f67a6c6013ca	10	* (at your option) any later version.
wolfSSL	13:f67a6c6013ca	11	*
wolfSSL	13:f67a6c6013ca	12	* wolfSSL is distributed in the hope that it will be useful,
wolfSSL	13:f67a6c6013ca	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL	13:f67a6c6013ca	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL	13:f67a6c6013ca	15	* GNU General Public License for more details.
wolfSSL	13:f67a6c6013ca	16	*
wolfSSL	13:f67a6c6013ca	17	* You should have received a copy of the GNU General Public License
wolfSSL	13:f67a6c6013ca	18	* along with this program; if not, write to the Free Software
wolfSSL	13:f67a6c6013ca	19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL	13:f67a6c6013ca	20	*/
wolfSSL	13:f67a6c6013ca	21
wolfSSL	13:f67a6c6013ca	22
wolfSSL	13:f67a6c6013ca	23	/* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
wolfSSL	13:f67a6c6013ca	24
wolfSSL	13:f67a6c6013ca	25	#ifdef HAVE_CONFIG_H
wolfSSL	13:f67a6c6013ca	26	#include <config.h>
wolfSSL	13:f67a6c6013ca	27	#endif
wolfSSL	13:f67a6c6013ca	28
wolfSSL	13:f67a6c6013ca	29	/* in case user set HAVE_ED25519 there */
wolfSSL	13:f67a6c6013ca	30	#include <wolfssl/wolfcrypt/settings.h>
wolfSSL	13:f67a6c6013ca	31
wolfSSL	13:f67a6c6013ca	32	#ifdef HAVE_ED25519
wolfSSL	13:f67a6c6013ca	33
wolfSSL	13:f67a6c6013ca	34	#include <wolfssl/wolfcrypt/ed25519.h>
wolfSSL	13:f67a6c6013ca	35	#include <wolfssl/wolfcrypt/error-crypt.h>
wolfSSL	13:f67a6c6013ca	36	#include <wolfssl/wolfcrypt/hash.h>
wolfSSL	13:f67a6c6013ca	37	#ifdef NO_INLINE
wolfSSL	13:f67a6c6013ca	38	#include <wolfssl/wolfcrypt/misc.h>
wolfSSL	13:f67a6c6013ca	39	#else
wolfSSL	13:f67a6c6013ca	40	#define WOLFSSL_MISC_INCLUDED
wolfSSL	13:f67a6c6013ca	41	#include <wolfcrypt/src/misc.c>
wolfSSL	13:f67a6c6013ca	42	#endif
wolfSSL	13:f67a6c6013ca	43
wolfSSL	13:f67a6c6013ca	44	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	45	#include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
wolfSSL	13:f67a6c6013ca	46	#endif
wolfSSL	13:f67a6c6013ca	47
wolfSSL	13:f67a6c6013ca	48	/* generate an ed25519 key pair.
wolfSSL	13:f67a6c6013ca	49	* returns 0 on success
wolfSSL	13:f67a6c6013ca	50	*/
wolfSSL	13:f67a6c6013ca	51	int wc_ed25519_make_key(WC_RNG* rng, int keySz, ed25519_key* key)
wolfSSL	13:f67a6c6013ca	52	{
wolfSSL	13:f67a6c6013ca	53	byte az[ED25519_PRV_KEY_SIZE];
wolfSSL	13:f67a6c6013ca	54	int ret;
wolfSSL	13:f67a6c6013ca	55	#if !defined(FREESCALE_LTC_ECC)
wolfSSL	13:f67a6c6013ca	56	ge_p3 A;
wolfSSL	13:f67a6c6013ca	57	#endif
wolfSSL	13:f67a6c6013ca	58
wolfSSL	13:f67a6c6013ca	59	if (rng == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	60	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	61
wolfSSL	13:f67a6c6013ca	62	/* ed25519 has 32 byte key sizes */
wolfSSL	13:f67a6c6013ca	63	if (keySz != ED25519_KEY_SIZE)
wolfSSL	13:f67a6c6013ca	64	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	65
wolfSSL	13:f67a6c6013ca	66	ret = wc_RNG_GenerateBlock(rng, key->k, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	67	if (ret != 0)
wolfSSL	13:f67a6c6013ca	68	return ret;
wolfSSL	13:f67a6c6013ca	69	ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
wolfSSL	13:f67a6c6013ca	70	if (ret != 0) {
wolfSSL	13:f67a6c6013ca	71	ForceZero(key->k, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	72	return ret;
wolfSSL	13:f67a6c6013ca	73	}
wolfSSL	13:f67a6c6013ca	74
wolfSSL	13:f67a6c6013ca	75	/* apply clamp */
wolfSSL	13:f67a6c6013ca	76	az[0] &= 248;
wolfSSL	13:f67a6c6013ca	77	az[31] &= 63; /* same than az[31] &= 127 because of az[31] \|= 64 */
wolfSSL	13:f67a6c6013ca	78	az[31] \|= 64;
wolfSSL	13:f67a6c6013ca	79
wolfSSL	13:f67a6c6013ca	80	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	81	ltc_pkha_ecc_point_t publicKey = {0};
wolfSSL	13:f67a6c6013ca	82	publicKey.X = key->pointX;
wolfSSL	13:f67a6c6013ca	83	publicKey.Y = key->pointY;
wolfSSL	13:f67a6c6013ca	84	LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), az, ED25519_KEY_SIZE, &publicKey, kLTC_Ed25519 /* result on Ed25519 */);
wolfSSL	13:f67a6c6013ca	85	LTC_PKHA_Ed25519_Compress(&publicKey, key->p);
wolfSSL	13:f67a6c6013ca	86	#else
wolfSSL	13:f67a6c6013ca	87	ge_scalarmult_base(&A, az);
wolfSSL	13:f67a6c6013ca	88	ge_p3_tobytes(key->p, &A);
wolfSSL	13:f67a6c6013ca	89	#endif
wolfSSL	13:f67a6c6013ca	90	/* put public key after private key, on the same buffer */
wolfSSL	13:f67a6c6013ca	91	XMEMMOVE(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	92
wolfSSL	13:f67a6c6013ca	93	return ret;
wolfSSL	13:f67a6c6013ca	94	}
wolfSSL	13:f67a6c6013ca	95
wolfSSL	13:f67a6c6013ca	96
wolfSSL	13:f67a6c6013ca	97	#ifdef HAVE_ED25519_SIGN
wolfSSL	13:f67a6c6013ca	98	/*
wolfSSL	13:f67a6c6013ca	99	in contains the message to sign
wolfSSL	13:f67a6c6013ca	100	inlen is the length of the message to sign
wolfSSL	13:f67a6c6013ca	101	out is the buffer to write the signature
wolfSSL	13:f67a6c6013ca	102	outLen [in/out] input size of out buf
wolfSSL	13:f67a6c6013ca	103	output gets set as the final length of out
wolfSSL	13:f67a6c6013ca	104	key is the ed25519 key to use when signing
wolfSSL	13:f67a6c6013ca	105	return 0 on success
wolfSSL	13:f67a6c6013ca	106	*/
wolfSSL	13:f67a6c6013ca	107	int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
wolfSSL	13:f67a6c6013ca	108	word32 outLen, ed25519_key key)
wolfSSL	13:f67a6c6013ca	109	{
wolfSSL	13:f67a6c6013ca	110	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	111	byte tempBuf[ED25519_PRV_KEY_SIZE];
wolfSSL	13:f67a6c6013ca	112	#else
wolfSSL	13:f67a6c6013ca	113	ge_p3 R;
wolfSSL	13:f67a6c6013ca	114	#endif
wolfSSL	13:f67a6c6013ca	115	byte nonce[SHA512_DIGEST_SIZE];
wolfSSL	13:f67a6c6013ca	116	byte hram[SHA512_DIGEST_SIZE];
wolfSSL	13:f67a6c6013ca	117	byte az[ED25519_PRV_KEY_SIZE];
wolfSSL	13:f67a6c6013ca	118	Sha512 sha;
wolfSSL	13:f67a6c6013ca	119	int ret;
wolfSSL	13:f67a6c6013ca	120
wolfSSL	13:f67a6c6013ca	121	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	122	if (in == NULL \|\| out == NULL \|\| outLen == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	123	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	124
wolfSSL	13:f67a6c6013ca	125	/* check and set up out length */
wolfSSL	13:f67a6c6013ca	126	if (*outLen < ED25519_SIG_SIZE) {
wolfSSL	13:f67a6c6013ca	127	*outLen = ED25519_SIG_SIZE;
wolfSSL	13:f67a6c6013ca	128	return BUFFER_E;
wolfSSL	13:f67a6c6013ca	129	}
wolfSSL	13:f67a6c6013ca	130	*outLen = ED25519_SIG_SIZE;
wolfSSL	13:f67a6c6013ca	131
wolfSSL	13:f67a6c6013ca	132	/* step 1: create nonce to use where nonce is r in
wolfSSL	13:f67a6c6013ca	133	r = H(h_b, ... ,h_2b-1,M) */
wolfSSL	13:f67a6c6013ca	134	ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
wolfSSL	13:f67a6c6013ca	135	if (ret != 0)
wolfSSL	13:f67a6c6013ca	136	return ret;
wolfSSL	13:f67a6c6013ca	137
wolfSSL	13:f67a6c6013ca	138	/* apply clamp */
wolfSSL	13:f67a6c6013ca	139	az[0] &= 248;
wolfSSL	13:f67a6c6013ca	140	az[31] &= 63; /* same than az[31] &= 127 because of az[31] \|= 64 */
wolfSSL	13:f67a6c6013ca	141	az[31] \|= 64;
wolfSSL	13:f67a6c6013ca	142
wolfSSL	13:f67a6c6013ca	143	ret = wc_InitSha512(&sha);
wolfSSL	13:f67a6c6013ca	144	if (ret != 0)
wolfSSL	13:f67a6c6013ca	145	return ret;
wolfSSL	13:f67a6c6013ca	146	ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	147	if (ret != 0)
wolfSSL	13:f67a6c6013ca	148	return ret;
wolfSSL	13:f67a6c6013ca	149	ret = wc_Sha512Update(&sha, in, inlen);
wolfSSL	13:f67a6c6013ca	150	if (ret != 0)
wolfSSL	13:f67a6c6013ca	151	return ret;
wolfSSL	13:f67a6c6013ca	152	ret = wc_Sha512Final(&sha, nonce);
wolfSSL	13:f67a6c6013ca	153	if (ret != 0)
wolfSSL	13:f67a6c6013ca	154	return ret;
wolfSSL	13:f67a6c6013ca	155
wolfSSL	13:f67a6c6013ca	156	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	157	ltc_pkha_ecc_point_t ltcPoint = {0};
wolfSSL	13:f67a6c6013ca	158	ltcPoint.X = &tempBuf[0];
wolfSSL	13:f67a6c6013ca	159	ltcPoint.Y = &tempBuf[32];
wolfSSL	13:f67a6c6013ca	160	LTC_PKHA_sc_reduce(nonce);
wolfSSL	13:f67a6c6013ca	161	LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce, ED25519_KEY_SIZE, &ltcPoint, kLTC_Ed25519 /* result on Ed25519 */);
wolfSSL	13:f67a6c6013ca	162	LTC_PKHA_Ed25519_Compress(&ltcPoint, out);
wolfSSL	13:f67a6c6013ca	163	#else
wolfSSL	13:f67a6c6013ca	164	sc_reduce(nonce);
wolfSSL	13:f67a6c6013ca	165
wolfSSL	13:f67a6c6013ca	166	/* step 2: computing R = rB where rB is the scalar multiplication of
wolfSSL	13:f67a6c6013ca	167	r and B */
wolfSSL	13:f67a6c6013ca	168	ge_scalarmult_base(&R,nonce);
wolfSSL	13:f67a6c6013ca	169	ge_p3_tobytes(out,&R);
wolfSSL	13:f67a6c6013ca	170	#endif
wolfSSL	13:f67a6c6013ca	171
wolfSSL	13:f67a6c6013ca	172	/* step 3: hash R + public key + message getting H(R,A,M) then
wolfSSL	13:f67a6c6013ca	173	creating S = (r + H(R,A,M)a) mod l */
wolfSSL	13:f67a6c6013ca	174	ret = wc_InitSha512(&sha);
wolfSSL	13:f67a6c6013ca	175	if (ret != 0)
wolfSSL	13:f67a6c6013ca	176	return ret;
wolfSSL	13:f67a6c6013ca	177	ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2);
wolfSSL	13:f67a6c6013ca	178	if (ret != 0)
wolfSSL	13:f67a6c6013ca	179	return ret;
wolfSSL	13:f67a6c6013ca	180	ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	181	if (ret != 0)
wolfSSL	13:f67a6c6013ca	182	return ret;
wolfSSL	13:f67a6c6013ca	183	ret = wc_Sha512Update(&sha, in, inlen);
wolfSSL	13:f67a6c6013ca	184	if (ret != 0)
wolfSSL	13:f67a6c6013ca	185	return ret;
wolfSSL	13:f67a6c6013ca	186	ret = wc_Sha512Final(&sha, hram);
wolfSSL	13:f67a6c6013ca	187	if (ret != 0)
wolfSSL	13:f67a6c6013ca	188	return ret;
wolfSSL	13:f67a6c6013ca	189
wolfSSL	13:f67a6c6013ca	190	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	191	LTC_PKHA_sc_reduce(hram);
wolfSSL	13:f67a6c6013ca	192	LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
wolfSSL	13:f67a6c6013ca	193	#else
wolfSSL	13:f67a6c6013ca	194	sc_reduce(hram);
wolfSSL	13:f67a6c6013ca	195	sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
wolfSSL	13:f67a6c6013ca	196	#endif
wolfSSL	13:f67a6c6013ca	197
wolfSSL	13:f67a6c6013ca	198	return ret;
wolfSSL	13:f67a6c6013ca	199	}
wolfSSL	13:f67a6c6013ca	200
wolfSSL	13:f67a6c6013ca	201	#endif /* HAVE_ED25519_SIGN */
wolfSSL	13:f67a6c6013ca	202
wolfSSL	13:f67a6c6013ca	203	#ifdef HAVE_ED25519_VERIFY
wolfSSL	13:f67a6c6013ca	204
wolfSSL	13:f67a6c6013ca	205	/*
wolfSSL	13:f67a6c6013ca	206	sig is array of bytes containing the signature
wolfSSL	13:f67a6c6013ca	207	siglen is the length of sig byte array
wolfSSL	13:f67a6c6013ca	208	msg the array of bytes containing the message
wolfSSL	13:f67a6c6013ca	209	msglen length of msg array
wolfSSL	13:f67a6c6013ca	210	res will be 1 on successful verify and 0 on unsuccessful
wolfSSL	13:f67a6c6013ca	211	return 0 and res of 1 on success
wolfSSL	13:f67a6c6013ca	212	*/
wolfSSL	13:f67a6c6013ca	213	int wc_ed25519_verify_msg(const byte* sig, word32 siglen, const byte* msg,
wolfSSL	13:f67a6c6013ca	214	word32 msglen, int* res, ed25519_key* key)
wolfSSL	13:f67a6c6013ca	215	{
wolfSSL	13:f67a6c6013ca	216	byte rcheck[ED25519_KEY_SIZE];
wolfSSL	13:f67a6c6013ca	217	byte h[SHA512_DIGEST_SIZE];
wolfSSL	13:f67a6c6013ca	218	#ifndef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	219	ge_p3 A;
wolfSSL	13:f67a6c6013ca	220	ge_p2 R;
wolfSSL	13:f67a6c6013ca	221	#endif
wolfSSL	13:f67a6c6013ca	222	int ret;
wolfSSL	13:f67a6c6013ca	223	Sha512 sha;
wolfSSL	13:f67a6c6013ca	224
wolfSSL	13:f67a6c6013ca	225	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	226	if (sig == NULL \|\| msg == NULL \|\| res == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	227	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	228
wolfSSL	13:f67a6c6013ca	229	/* set verification failed by default */
wolfSSL	13:f67a6c6013ca	230	*res = 0;
wolfSSL	13:f67a6c6013ca	231
wolfSSL	13:f67a6c6013ca	232	/* check on basics needed to verify signature */
wolfSSL	13:f67a6c6013ca	233	if (siglen < ED25519_SIG_SIZE \|\| (sig[ED25519_SIG_SIZE-1] & 224))
wolfSSL	13:f67a6c6013ca	234	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	235
wolfSSL	13:f67a6c6013ca	236	/* uncompress A (public key), test if valid, and negate it */
wolfSSL	13:f67a6c6013ca	237	#ifndef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	238	if (ge_frombytes_negate_vartime(&A, key->p) != 0)
wolfSSL	13:f67a6c6013ca	239	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	240	#endif
wolfSSL	13:f67a6c6013ca	241
wolfSSL	13:f67a6c6013ca	242	/* find H(R,A,M) and store it as h */
wolfSSL	13:f67a6c6013ca	243	ret = wc_InitSha512(&sha);
wolfSSL	13:f67a6c6013ca	244	if (ret != 0)
wolfSSL	13:f67a6c6013ca	245	return ret;
wolfSSL	13:f67a6c6013ca	246	ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2);
wolfSSL	13:f67a6c6013ca	247	if (ret != 0)
wolfSSL	13:f67a6c6013ca	248	return ret;
wolfSSL	13:f67a6c6013ca	249	ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	250	if (ret != 0)
wolfSSL	13:f67a6c6013ca	251	return ret;
wolfSSL	13:f67a6c6013ca	252	ret = wc_Sha512Update(&sha, msg, msglen);
wolfSSL	13:f67a6c6013ca	253	if (ret != 0)
wolfSSL	13:f67a6c6013ca	254	return ret;
wolfSSL	13:f67a6c6013ca	255	ret = wc_Sha512Final(&sha, h);
wolfSSL	13:f67a6c6013ca	256	if (ret != 0)
wolfSSL	13:f67a6c6013ca	257	return ret;
wolfSSL	13:f67a6c6013ca	258
wolfSSL	13:f67a6c6013ca	259	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	260	LTC_PKHA_sc_reduce(h);
wolfSSL	13:f67a6c6013ca	261	LTC_PKHA_SignatureForVerify(rcheck, h, sig + (ED25519_SIG_SIZE/2), key);
wolfSSL	13:f67a6c6013ca	262	#else
wolfSSL	13:f67a6c6013ca	263	sc_reduce(h);
wolfSSL	13:f67a6c6013ca	264
wolfSSL	13:f67a6c6013ca	265	/*
wolfSSL	13:f67a6c6013ca	266	Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
wolfSSL	13:f67a6c6013ca	267	SB - H(R,A,M)A saving decompression of R
wolfSSL	13:f67a6c6013ca	268	*/
wolfSSL	13:f67a6c6013ca	269	ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2));
wolfSSL	13:f67a6c6013ca	270	if (ret != 0)
wolfSSL	13:f67a6c6013ca	271	return ret;
wolfSSL	13:f67a6c6013ca	272
wolfSSL	13:f67a6c6013ca	273	ge_tobytes(rcheck, &R);
wolfSSL	13:f67a6c6013ca	274	#endif /* FREESCALE_LTC_ECC */
wolfSSL	13:f67a6c6013ca	275
wolfSSL	13:f67a6c6013ca	276	/* comparison of R created to R in sig */
wolfSSL	13:f67a6c6013ca	277	ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
wolfSSL	13:f67a6c6013ca	278	if (ret != 0)
wolfSSL	13:f67a6c6013ca	279	return SIG_VERIFY_E;
wolfSSL	13:f67a6c6013ca	280
wolfSSL	13:f67a6c6013ca	281	/* set the verification status */
wolfSSL	13:f67a6c6013ca	282	*res = 1;
wolfSSL	13:f67a6c6013ca	283
wolfSSL	13:f67a6c6013ca	284	return ret;
wolfSSL	13:f67a6c6013ca	285	}
wolfSSL	13:f67a6c6013ca	286
wolfSSL	13:f67a6c6013ca	287	#endif /* HAVE_ED25519_VERIFY */
wolfSSL	13:f67a6c6013ca	288
wolfSSL	13:f67a6c6013ca	289
wolfSSL	13:f67a6c6013ca	290	/* initialize information and memory for key */
wolfSSL	13:f67a6c6013ca	291	int wc_ed25519_init(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	292	{
wolfSSL	13:f67a6c6013ca	293	if (key == NULL)
wolfSSL	13:f67a6c6013ca	294	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	295
wolfSSL	13:f67a6c6013ca	296	XMEMSET(key, 0, sizeof(ed25519_key));
wolfSSL	13:f67a6c6013ca	297
wolfSSL	13:f67a6c6013ca	298	return 0;
wolfSSL	13:f67a6c6013ca	299	}
wolfSSL	13:f67a6c6013ca	300
wolfSSL	13:f67a6c6013ca	301
wolfSSL	13:f67a6c6013ca	302	/* clear memory of key */
wolfSSL	13:f67a6c6013ca	303	void wc_ed25519_free(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	304	{
wolfSSL	13:f67a6c6013ca	305	if (key == NULL)
wolfSSL	13:f67a6c6013ca	306	return;
wolfSSL	13:f67a6c6013ca	307
wolfSSL	13:f67a6c6013ca	308	ForceZero(key, sizeof(ed25519_key));
wolfSSL	13:f67a6c6013ca	309	}
wolfSSL	13:f67a6c6013ca	310
wolfSSL	13:f67a6c6013ca	311
wolfSSL	13:f67a6c6013ca	312	#ifdef HAVE_ED25519_KEY_EXPORT
wolfSSL	13:f67a6c6013ca	313
wolfSSL	13:f67a6c6013ca	314	/*
wolfSSL	13:f67a6c6013ca	315	outLen should contain the size of out buffer when input. outLen is than set
wolfSSL	13:f67a6c6013ca	316	to the final output length.
wolfSSL	13:f67a6c6013ca	317	returns 0 on success
wolfSSL	13:f67a6c6013ca	318	*/
wolfSSL	13:f67a6c6013ca	319	int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen)
wolfSSL	13:f67a6c6013ca	320	{
wolfSSL	13:f67a6c6013ca	321	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	322	if (key == NULL \|\| out == NULL \|\| outLen == NULL)
wolfSSL	13:f67a6c6013ca	323	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	324
wolfSSL	13:f67a6c6013ca	325	if (*outLen < ED25519_PUB_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	326	*outLen = ED25519_PUB_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	327	return BUFFER_E;
wolfSSL	13:f67a6c6013ca	328	}
wolfSSL	13:f67a6c6013ca	329
wolfSSL	13:f67a6c6013ca	330	*outLen = ED25519_PUB_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	331	XMEMCPY(out, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	332
wolfSSL	13:f67a6c6013ca	333	return 0;
wolfSSL	13:f67a6c6013ca	334	}
wolfSSL	13:f67a6c6013ca	335
wolfSSL	13:f67a6c6013ca	336	#endif /* HAVE_ED25519_KEY_EXPORT */
wolfSSL	13:f67a6c6013ca	337
wolfSSL	13:f67a6c6013ca	338
wolfSSL	13:f67a6c6013ca	339	#ifdef HAVE_ED25519_KEY_IMPORT
wolfSSL	13:f67a6c6013ca	340	/*
wolfSSL	13:f67a6c6013ca	341	Imports a compressed/uncompressed public key.
wolfSSL	13:f67a6c6013ca	342	in the byte array containing the public key
wolfSSL	13:f67a6c6013ca	343	inLen the length of the byte array being passed in
wolfSSL	13:f67a6c6013ca	344	key ed25519 key struct to put the public key in
wolfSSL	13:f67a6c6013ca	345	*/
wolfSSL	13:f67a6c6013ca	346	int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key)
wolfSSL	13:f67a6c6013ca	347	{
wolfSSL	13:f67a6c6013ca	348	int ret;
wolfSSL	13:f67a6c6013ca	349
wolfSSL	13:f67a6c6013ca	350	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	351	if (in == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	352	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	353
wolfSSL	13:f67a6c6013ca	354	if (inLen < ED25519_PUB_KEY_SIZE)
wolfSSL	13:f67a6c6013ca	355	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	356
wolfSSL	13:f67a6c6013ca	357	/* compressed prefix according to draft
wolfSSL	13:f67a6c6013ca	358	http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */
wolfSSL	13:f67a6c6013ca	359	if (in[0] == 0x40 && inLen > ED25519_PUB_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	360	/* key is stored in compressed format so just copy in */
wolfSSL	13:f67a6c6013ca	361	XMEMCPY(key->p, (in + 1), ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	362	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	363	/* recover X coordinate */
wolfSSL	13:f67a6c6013ca	364	ltc_pkha_ecc_point_t pubKey;
wolfSSL	13:f67a6c6013ca	365	pubKey.X = key->pointX;
wolfSSL	13:f67a6c6013ca	366	pubKey.Y = key->pointY;
wolfSSL	13:f67a6c6013ca	367	LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
wolfSSL	13:f67a6c6013ca	368	#endif
wolfSSL	13:f67a6c6013ca	369	return 0;
wolfSSL	13:f67a6c6013ca	370	}
wolfSSL	13:f67a6c6013ca	371
wolfSSL	13:f67a6c6013ca	372	/* importing uncompressed public key */
wolfSSL	13:f67a6c6013ca	373	if (in[0] == 0x04 && inLen > 2*ED25519_PUB_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	374	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	375	/* reverse bytes for little endian byte order */
wolfSSL	13:f67a6c6013ca	376	for (int i = 0; i < ED25519_KEY_SIZE; i++)
wolfSSL	13:f67a6c6013ca	377	{
wolfSSL	13:f67a6c6013ca	378	key->pointX[i] = *(in + ED25519_KEY_SIZE - i);
wolfSSL	13:f67a6c6013ca	379	key->pointY[i] = (in + 2ED25519_KEY_SIZE - i);
wolfSSL	13:f67a6c6013ca	380	}
wolfSSL	13:f67a6c6013ca	381	XMEMCPY(key->p, key->pointY, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	382	ret = 0;
wolfSSL	13:f67a6c6013ca	383	#else
wolfSSL	13:f67a6c6013ca	384	/* pass in (x,y) and store compressed key */
wolfSSL	13:f67a6c6013ca	385	ret = ge_compress_key(key->p, in+1,
wolfSSL	13:f67a6c6013ca	386	in+1+ED25519_PUB_KEY_SIZE, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	387	#endif /* FREESCALE_LTC_ECC */
wolfSSL	13:f67a6c6013ca	388	return ret;
wolfSSL	13:f67a6c6013ca	389	}
wolfSSL	13:f67a6c6013ca	390
wolfSSL	13:f67a6c6013ca	391	/* if not specified compressed or uncompressed check key size
wolfSSL	13:f67a6c6013ca	392	if key size is equal to compressed key size copy in key */
wolfSSL	13:f67a6c6013ca	393	if (inLen == ED25519_PUB_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	394	XMEMCPY(key->p, in, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	395	#ifdef FREESCALE_LTC_ECC
wolfSSL	13:f67a6c6013ca	396	/* recover X coordinate */
wolfSSL	13:f67a6c6013ca	397	ltc_pkha_ecc_point_t pubKey;
wolfSSL	13:f67a6c6013ca	398	pubKey.X = key->pointX;
wolfSSL	13:f67a6c6013ca	399	pubKey.Y = key->pointY;
wolfSSL	13:f67a6c6013ca	400	LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
wolfSSL	13:f67a6c6013ca	401	#endif
wolfSSL	13:f67a6c6013ca	402	return 0;
wolfSSL	13:f67a6c6013ca	403	}
wolfSSL	13:f67a6c6013ca	404
wolfSSL	13:f67a6c6013ca	405	/* bad public key format */
wolfSSL	13:f67a6c6013ca	406	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	407	}
wolfSSL	13:f67a6c6013ca	408
wolfSSL	13:f67a6c6013ca	409
wolfSSL	13:f67a6c6013ca	410	/*
wolfSSL	13:f67a6c6013ca	411	For importing a private key.
wolfSSL	13:f67a6c6013ca	412	*/
wolfSSL	13:f67a6c6013ca	413	int wc_ed25519_import_private_only(const byte* priv, word32 privSz,
wolfSSL	13:f67a6c6013ca	414	ed25519_key* key)
wolfSSL	13:f67a6c6013ca	415	{
wolfSSL	13:f67a6c6013ca	416	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	417	if (priv == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	418	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	419
wolfSSL	13:f67a6c6013ca	420	/* key size check */
wolfSSL	13:f67a6c6013ca	421	if (privSz < ED25519_KEY_SIZE)
wolfSSL	13:f67a6c6013ca	422	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	423
wolfSSL	13:f67a6c6013ca	424	XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	425
wolfSSL	13:f67a6c6013ca	426	return 0;
wolfSSL	13:f67a6c6013ca	427	}
wolfSSL	13:f67a6c6013ca	428
wolfSSL	13:f67a6c6013ca	429	/*
wolfSSL	13:f67a6c6013ca	430	For importing a private key and its associated public key.
wolfSSL	13:f67a6c6013ca	431	*/
wolfSSL	13:f67a6c6013ca	432	int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
wolfSSL	13:f67a6c6013ca	433	const byte* pub, word32 pubSz, ed25519_key* key)
wolfSSL	13:f67a6c6013ca	434	{
wolfSSL	13:f67a6c6013ca	435	int ret;
wolfSSL	13:f67a6c6013ca	436
wolfSSL	13:f67a6c6013ca	437	/* sanity check on arguments */
wolfSSL	13:f67a6c6013ca	438	if (priv == NULL \|\| pub == NULL \|\| key == NULL)
wolfSSL	13:f67a6c6013ca	439	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	440
wolfSSL	13:f67a6c6013ca	441	/* key size check */
wolfSSL	13:f67a6c6013ca	442	if (privSz < ED25519_KEY_SIZE \|\| pubSz < ED25519_PUB_KEY_SIZE)
wolfSSL	13:f67a6c6013ca	443	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	444
wolfSSL	13:f67a6c6013ca	445	/* import public key */
wolfSSL	13:f67a6c6013ca	446	ret = wc_ed25519_import_public(pub, pubSz, key);
wolfSSL	13:f67a6c6013ca	447	if (ret != 0)
wolfSSL	13:f67a6c6013ca	448	return ret;
wolfSSL	13:f67a6c6013ca	449
wolfSSL	13:f67a6c6013ca	450	/* make the private key (priv + pub) */
wolfSSL	13:f67a6c6013ca	451	XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	452	XMEMCPY(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	453
wolfSSL	13:f67a6c6013ca	454	return ret;
wolfSSL	13:f67a6c6013ca	455	}
wolfSSL	13:f67a6c6013ca	456
wolfSSL	13:f67a6c6013ca	457	#endif /* HAVE_ED25519_KEY_IMPORT */
wolfSSL	13:f67a6c6013ca	458
wolfSSL	13:f67a6c6013ca	459
wolfSSL	13:f67a6c6013ca	460	#ifdef HAVE_ED25519_KEY_EXPORT
wolfSSL	13:f67a6c6013ca	461
wolfSSL	13:f67a6c6013ca	462	/*
wolfSSL	13:f67a6c6013ca	463	export private key only (secret part so 32 bytes)
wolfSSL	13:f67a6c6013ca	464	outLen should contain the size of out buffer when input. outLen is than set
wolfSSL	13:f67a6c6013ca	465	to the final output length.
wolfSSL	13:f67a6c6013ca	466	returns 0 on success
wolfSSL	13:f67a6c6013ca	467	*/
wolfSSL	13:f67a6c6013ca	468	int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen)
wolfSSL	13:f67a6c6013ca	469	{
wolfSSL	13:f67a6c6013ca	470	/* sanity checks on arguments */
wolfSSL	13:f67a6c6013ca	471	if (key == NULL \|\| out == NULL \|\| outLen == NULL)
wolfSSL	13:f67a6c6013ca	472	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	473
wolfSSL	13:f67a6c6013ca	474	if (*outLen < ED25519_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	475	*outLen = ED25519_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	476	return BUFFER_E;
wolfSSL	13:f67a6c6013ca	477	}
wolfSSL	13:f67a6c6013ca	478
wolfSSL	13:f67a6c6013ca	479	*outLen = ED25519_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	480	XMEMCPY(out, key->k, ED25519_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	481
wolfSSL	13:f67a6c6013ca	482	return 0;
wolfSSL	13:f67a6c6013ca	483	}
wolfSSL	13:f67a6c6013ca	484
wolfSSL	13:f67a6c6013ca	485	/*
wolfSSL	13:f67a6c6013ca	486	export private key, including public part
wolfSSL	13:f67a6c6013ca	487	outLen should contain the size of out buffer when input. outLen is than set
wolfSSL	13:f67a6c6013ca	488	to the final output length.
wolfSSL	13:f67a6c6013ca	489	returns 0 on success
wolfSSL	13:f67a6c6013ca	490	*/
wolfSSL	13:f67a6c6013ca	491	int wc_ed25519_export_private(ed25519_key* key, byte* out, word32* outLen)
wolfSSL	13:f67a6c6013ca	492	{
wolfSSL	13:f67a6c6013ca	493	/* sanity checks on arguments */
wolfSSL	13:f67a6c6013ca	494	if (key == NULL \|\| out == NULL \|\| outLen == NULL)
wolfSSL	13:f67a6c6013ca	495	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	496
wolfSSL	13:f67a6c6013ca	497	if (*outLen < ED25519_PRV_KEY_SIZE) {
wolfSSL	13:f67a6c6013ca	498	*outLen = ED25519_PRV_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	499	return BUFFER_E;
wolfSSL	13:f67a6c6013ca	500	}
wolfSSL	13:f67a6c6013ca	501
wolfSSL	13:f67a6c6013ca	502	*outLen = ED25519_PRV_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	503	XMEMCPY(out, key->k, ED25519_PRV_KEY_SIZE);
wolfSSL	13:f67a6c6013ca	504
wolfSSL	13:f67a6c6013ca	505	return 0;
wolfSSL	13:f67a6c6013ca	506	}
wolfSSL	13:f67a6c6013ca	507
wolfSSL	13:f67a6c6013ca	508	/* export full private key and public key
wolfSSL	13:f67a6c6013ca	509	return 0 on success
wolfSSL	13:f67a6c6013ca	510	*/
wolfSSL	13:f67a6c6013ca	511	int wc_ed25519_export_key(ed25519_key* key,
wolfSSL	13:f67a6c6013ca	512	byte* priv, word32 *privSz,
wolfSSL	13:f67a6c6013ca	513	byte* pub, word32 *pubSz)
wolfSSL	13:f67a6c6013ca	514	{
wolfSSL	13:f67a6c6013ca	515	int ret;
wolfSSL	13:f67a6c6013ca	516
wolfSSL	13:f67a6c6013ca	517	/* export 'full' private part */
wolfSSL	13:f67a6c6013ca	518	ret = wc_ed25519_export_private(key, priv, privSz);
wolfSSL	13:f67a6c6013ca	519	if (ret != 0)
wolfSSL	13:f67a6c6013ca	520	return ret;
wolfSSL	13:f67a6c6013ca	521
wolfSSL	13:f67a6c6013ca	522	/* export public part */
wolfSSL	13:f67a6c6013ca	523	ret = wc_ed25519_export_public(key, pub, pubSz);
wolfSSL	13:f67a6c6013ca	524
wolfSSL	13:f67a6c6013ca	525	return ret;
wolfSSL	13:f67a6c6013ca	526	}
wolfSSL	13:f67a6c6013ca	527
wolfSSL	13:f67a6c6013ca	528	#endif /* HAVE_ED25519_KEY_EXPORT */
wolfSSL	13:f67a6c6013ca	529
wolfSSL	13:f67a6c6013ca	530	/* check the private and public keys match */
wolfSSL	13:f67a6c6013ca	531	int wc_ed25519_check_key(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	532	{
wolfSSL	13:f67a6c6013ca	533	/* TODO: Perform check of private and public key */
wolfSSL	13:f67a6c6013ca	534	(void)key;
wolfSSL	13:f67a6c6013ca	535
wolfSSL	13:f67a6c6013ca	536	return 0;
wolfSSL	13:f67a6c6013ca	537	}
wolfSSL	13:f67a6c6013ca	538
wolfSSL	13:f67a6c6013ca	539	/* returns the private key size (secret only) in bytes */
wolfSSL	13:f67a6c6013ca	540	int wc_ed25519_size(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	541	{
wolfSSL	13:f67a6c6013ca	542	if (key == NULL)
wolfSSL	13:f67a6c6013ca	543	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	544
wolfSSL	13:f67a6c6013ca	545	return ED25519_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	546	}
wolfSSL	13:f67a6c6013ca	547
wolfSSL	13:f67a6c6013ca	548	/* returns the private key size (secret + public) in bytes */
wolfSSL	13:f67a6c6013ca	549	int wc_ed25519_priv_size(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	550	{
wolfSSL	13:f67a6c6013ca	551	if (key == NULL)
wolfSSL	13:f67a6c6013ca	552	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	553
wolfSSL	13:f67a6c6013ca	554	return ED25519_PRV_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	555	}
wolfSSL	13:f67a6c6013ca	556
wolfSSL	13:f67a6c6013ca	557	/* returns the compressed key size in bytes (public key) */
wolfSSL	13:f67a6c6013ca	558	int wc_ed25519_pub_size(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	559	{
wolfSSL	13:f67a6c6013ca	560	if (key == NULL)
wolfSSL	13:f67a6c6013ca	561	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	562
wolfSSL	13:f67a6c6013ca	563	return ED25519_PUB_KEY_SIZE;
wolfSSL	13:f67a6c6013ca	564	}
wolfSSL	13:f67a6c6013ca	565
wolfSSL	13:f67a6c6013ca	566	/* returns the size of signature in bytes */
wolfSSL	13:f67a6c6013ca	567	int wc_ed25519_sig_size(ed25519_key* key)
wolfSSL	13:f67a6c6013ca	568	{
wolfSSL	13:f67a6c6013ca	569	if (key == NULL)
wolfSSL	13:f67a6c6013ca	570	return BAD_FUNC_ARG;
wolfSSL	13:f67a6c6013ca	571
wolfSSL	13:f67a6c6013ca	572	return ED25519_SIG_SIZE;
wolfSSL	13:f67a6c6013ca	573	}
wolfSSL	13:f67a6c6013ca	574
wolfSSL	13:f67a6c6013ca	575	#endif /* HAVE_ED25519 */
wolfSSL	13:f67a6c6013ca	576
wolfSSL	13:f67a6c6013ca	577

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	26 Jun 2015
Imports:	673
Forks:	0
Commits:	18
Dependents:	29
Dependencies:	0
Followers:	21

wolfcrypt/src/ed25519.c@13:f67a6c6013ca, 2017-08-22 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning