wolf SSL
wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
Diff: wolfcrypt/src/ed25519.c
- Revision:
- 13:f67a6c6013ca
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/wolfcrypt/src/ed25519.c Tue Aug 22 10:48:22 2017 +0000
@@ -0,0 +1,577 @@
+/* ed25519.c
+ *
+ * Copyright (C) 2006-2016 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+
+ /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
+
+#ifdef HAVE_CONFIG_H
+ #include <config.h>
+#endif
+
+/* in case user set HAVE_ED25519 there */
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_ED25519
+
+#include <wolfssl/wolfcrypt/ed25519.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
+#include <wolfssl/wolfcrypt/hash.h>
+#ifdef NO_INLINE
+ #include <wolfssl/wolfcrypt/misc.h>
+#else
+ #define WOLFSSL_MISC_INCLUDED
+ #include <wolfcrypt/src/misc.c>
+#endif
+
+#ifdef FREESCALE_LTC_ECC
+ #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
+#endif
+
+/* generate an ed25519 key pair.
+ * returns 0 on success
+ */
+int wc_ed25519_make_key(WC_RNG* rng, int keySz, ed25519_key* key)
+{
+ byte az[ED25519_PRV_KEY_SIZE];
+ int ret;
+#if !defined(FREESCALE_LTC_ECC)
+ ge_p3 A;
+#endif
+
+ if (rng == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ /* ed25519 has 32 byte key sizes */
+ if (keySz != ED25519_KEY_SIZE)
+ return BAD_FUNC_ARG;
+
+ ret = wc_RNG_GenerateBlock(rng, key->k, ED25519_KEY_SIZE);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
+ if (ret != 0) {
+ ForceZero(key->k, ED25519_KEY_SIZE);
+ return ret;
+ }
+
+ /* apply clamp */
+ az[0] &= 248;
+ az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
+ az[31] |= 64;
+
+#ifdef FREESCALE_LTC_ECC
+ ltc_pkha_ecc_point_t publicKey = {0};
+ publicKey.X = key->pointX;
+ publicKey.Y = key->pointY;
+ LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), az, ED25519_KEY_SIZE, &publicKey, kLTC_Ed25519 /* result on Ed25519 */);
+ LTC_PKHA_Ed25519_Compress(&publicKey, key->p);
+#else
+ ge_scalarmult_base(&A, az);
+ ge_p3_tobytes(key->p, &A);
+#endif
+ /* put public key after private key, on the same buffer */
+ XMEMMOVE(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
+
+ return ret;
+}
+
+
+#ifdef HAVE_ED25519_SIGN
+/*
+ in contains the message to sign
+ inlen is the length of the message to sign
+ out is the buffer to write the signature
+ outLen [in/out] input size of out buf
+ output gets set as the final length of out
+ key is the ed25519 key to use when signing
+ return 0 on success
+ */
+int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
+ word32 *outLen, ed25519_key* key)
+{
+#ifdef FREESCALE_LTC_ECC
+ byte tempBuf[ED25519_PRV_KEY_SIZE];
+#else
+ ge_p3 R;
+#endif
+ byte nonce[SHA512_DIGEST_SIZE];
+ byte hram[SHA512_DIGEST_SIZE];
+ byte az[ED25519_PRV_KEY_SIZE];
+ Sha512 sha;
+ int ret;
+
+ /* sanity check on arguments */
+ if (in == NULL || out == NULL || outLen == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ /* check and set up out length */
+ if (*outLen < ED25519_SIG_SIZE) {
+ *outLen = ED25519_SIG_SIZE;
+ return BUFFER_E;
+ }
+ *outLen = ED25519_SIG_SIZE;
+
+ /* step 1: create nonce to use where nonce is r in
+ r = H(h_b, ... ,h_2b-1,M) */
+ ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az);
+ if (ret != 0)
+ return ret;
+
+ /* apply clamp */
+ az[0] &= 248;
+ az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */
+ az[31] |= 64;
+
+ ret = wc_InitSha512(&sha);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, in, inlen);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Final(&sha, nonce);
+ if (ret != 0)
+ return ret;
+
+#ifdef FREESCALE_LTC_ECC
+ ltc_pkha_ecc_point_t ltcPoint = {0};
+ ltcPoint.X = &tempBuf[0];
+ ltcPoint.Y = &tempBuf[32];
+ LTC_PKHA_sc_reduce(nonce);
+ LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce, ED25519_KEY_SIZE, <cPoint, kLTC_Ed25519 /* result on Ed25519 */);
+ LTC_PKHA_Ed25519_Compress(<cPoint, out);
+#else
+ sc_reduce(nonce);
+
+ /* step 2: computing R = rB where rB is the scalar multiplication of
+ r and B */
+ ge_scalarmult_base(&R,nonce);
+ ge_p3_tobytes(out,&R);
+#endif
+
+ /* step 3: hash R + public key + message getting H(R,A,M) then
+ creating S = (r + H(R,A,M)a) mod l */
+ ret = wc_InitSha512(&sha);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, in, inlen);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Final(&sha, hram);
+ if (ret != 0)
+ return ret;
+
+#ifdef FREESCALE_LTC_ECC
+ LTC_PKHA_sc_reduce(hram);
+ LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+#else
+ sc_reduce(hram);
+ sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
+#endif
+
+ return ret;
+}
+
+#endif /* HAVE_ED25519_SIGN */
+
+#ifdef HAVE_ED25519_VERIFY
+
+/*
+ sig is array of bytes containing the signature
+ siglen is the length of sig byte array
+ msg the array of bytes containing the message
+ msglen length of msg array
+ res will be 1 on successful verify and 0 on unsuccessful
+ return 0 and res of 1 on success
+*/
+int wc_ed25519_verify_msg(const byte* sig, word32 siglen, const byte* msg,
+ word32 msglen, int* res, ed25519_key* key)
+{
+ byte rcheck[ED25519_KEY_SIZE];
+ byte h[SHA512_DIGEST_SIZE];
+#ifndef FREESCALE_LTC_ECC
+ ge_p3 A;
+ ge_p2 R;
+#endif
+ int ret;
+ Sha512 sha;
+
+ /* sanity check on arguments */
+ if (sig == NULL || msg == NULL || res == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ /* set verification failed by default */
+ *res = 0;
+
+ /* check on basics needed to verify signature */
+ if (siglen < ED25519_SIG_SIZE || (sig[ED25519_SIG_SIZE-1] & 224))
+ return BAD_FUNC_ARG;
+
+ /* uncompress A (public key), test if valid, and negate it */
+#ifndef FREESCALE_LTC_ECC
+ if (ge_frombytes_negate_vartime(&A, key->p) != 0)
+ return BAD_FUNC_ARG;
+#endif
+
+ /* find H(R,A,M) and store it as h */
+ ret = wc_InitSha512(&sha);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Update(&sha, msg, msglen);
+ if (ret != 0)
+ return ret;
+ ret = wc_Sha512Final(&sha, h);
+ if (ret != 0)
+ return ret;
+
+#ifdef FREESCALE_LTC_ECC
+ LTC_PKHA_sc_reduce(h);
+ LTC_PKHA_SignatureForVerify(rcheck, h, sig + (ED25519_SIG_SIZE/2), key);
+#else
+ sc_reduce(h);
+
+ /*
+ Uses a fast single-signature verification SB = R + H(R,A,M)A becomes
+ SB - H(R,A,M)A saving decompression of R
+ */
+ ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2));
+ if (ret != 0)
+ return ret;
+
+ ge_tobytes(rcheck, &R);
+#endif /* FREESCALE_LTC_ECC */
+
+ /* comparison of R created to R in sig */
+ ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
+ if (ret != 0)
+ return SIG_VERIFY_E;
+
+ /* set the verification status */
+ *res = 1;
+
+ return ret;
+}
+
+#endif /* HAVE_ED25519_VERIFY */
+
+
+/* initialize information and memory for key */
+int wc_ed25519_init(ed25519_key* key)
+{
+ if (key == NULL)
+ return BAD_FUNC_ARG;
+
+ XMEMSET(key, 0, sizeof(ed25519_key));
+
+ return 0;
+}
+
+
+/* clear memory of key */
+void wc_ed25519_free(ed25519_key* key)
+{
+ if (key == NULL)
+ return;
+
+ ForceZero(key, sizeof(ed25519_key));
+}
+
+
+#ifdef HAVE_ED25519_KEY_EXPORT
+
+/*
+ outLen should contain the size of out buffer when input. outLen is than set
+ to the final output length.
+ returns 0 on success
+ */
+int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen)
+{
+ /* sanity check on arguments */
+ if (key == NULL || out == NULL || outLen == NULL)
+ return BAD_FUNC_ARG;
+
+ if (*outLen < ED25519_PUB_KEY_SIZE) {
+ *outLen = ED25519_PUB_KEY_SIZE;
+ return BUFFER_E;
+ }
+
+ *outLen = ED25519_PUB_KEY_SIZE;
+ XMEMCPY(out, key->p, ED25519_PUB_KEY_SIZE);
+
+ return 0;
+}
+
+#endif /* HAVE_ED25519_KEY_EXPORT */
+
+
+#ifdef HAVE_ED25519_KEY_IMPORT
+/*
+ Imports a compressed/uncompressed public key.
+ in the byte array containing the public key
+ inLen the length of the byte array being passed in
+ key ed25519 key struct to put the public key in
+ */
+int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key)
+{
+ int ret;
+
+ /* sanity check on arguments */
+ if (in == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ if (inLen < ED25519_PUB_KEY_SIZE)
+ return BAD_FUNC_ARG;
+
+ /* compressed prefix according to draft
+ http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */
+ if (in[0] == 0x40 && inLen > ED25519_PUB_KEY_SIZE) {
+ /* key is stored in compressed format so just copy in */
+ XMEMCPY(key->p, (in + 1), ED25519_PUB_KEY_SIZE);
+#ifdef FREESCALE_LTC_ECC
+ /* recover X coordinate */
+ ltc_pkha_ecc_point_t pubKey;
+ pubKey.X = key->pointX;
+ pubKey.Y = key->pointY;
+ LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
+#endif
+ return 0;
+ }
+
+ /* importing uncompressed public key */
+ if (in[0] == 0x04 && inLen > 2*ED25519_PUB_KEY_SIZE) {
+#ifdef FREESCALE_LTC_ECC
+ /* reverse bytes for little endian byte order */
+ for (int i = 0; i < ED25519_KEY_SIZE; i++)
+ {
+ key->pointX[i] = *(in + ED25519_KEY_SIZE - i);
+ key->pointY[i] = *(in + 2*ED25519_KEY_SIZE - i);
+ }
+ XMEMCPY(key->p, key->pointY, ED25519_KEY_SIZE);
+ ret = 0;
+#else
+ /* pass in (x,y) and store compressed key */
+ ret = ge_compress_key(key->p, in+1,
+ in+1+ED25519_PUB_KEY_SIZE, ED25519_PUB_KEY_SIZE);
+#endif /* FREESCALE_LTC_ECC */
+ return ret;
+ }
+
+ /* if not specified compressed or uncompressed check key size
+ if key size is equal to compressed key size copy in key */
+ if (inLen == ED25519_PUB_KEY_SIZE) {
+ XMEMCPY(key->p, in, ED25519_PUB_KEY_SIZE);
+#ifdef FREESCALE_LTC_ECC
+ /* recover X coordinate */
+ ltc_pkha_ecc_point_t pubKey;
+ pubKey.X = key->pointX;
+ pubKey.Y = key->pointY;
+ LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey);
+#endif
+ return 0;
+ }
+
+ /* bad public key format */
+ return BAD_FUNC_ARG;
+}
+
+
+/*
+ For importing a private key.
+ */
+int wc_ed25519_import_private_only(const byte* priv, word32 privSz,
+ ed25519_key* key)
+{
+ /* sanity check on arguments */
+ if (priv == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ /* key size check */
+ if (privSz < ED25519_KEY_SIZE)
+ return BAD_FUNC_ARG;
+
+ XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
+
+ return 0;
+}
+
+/*
+ For importing a private key and its associated public key.
+ */
+int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
+ const byte* pub, word32 pubSz, ed25519_key* key)
+{
+ int ret;
+
+ /* sanity check on arguments */
+ if (priv == NULL || pub == NULL || key == NULL)
+ return BAD_FUNC_ARG;
+
+ /* key size check */
+ if (privSz < ED25519_KEY_SIZE || pubSz < ED25519_PUB_KEY_SIZE)
+ return BAD_FUNC_ARG;
+
+ /* import public key */
+ ret = wc_ed25519_import_public(pub, pubSz, key);
+ if (ret != 0)
+ return ret;
+
+ /* make the private key (priv + pub) */
+ XMEMCPY(key->k, priv, ED25519_KEY_SIZE);
+ XMEMCPY(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE);
+
+ return ret;
+}
+
+#endif /* HAVE_ED25519_KEY_IMPORT */
+
+
+#ifdef HAVE_ED25519_KEY_EXPORT
+
+/*
+ export private key only (secret part so 32 bytes)
+ outLen should contain the size of out buffer when input. outLen is than set
+ to the final output length.
+ returns 0 on success
+ */
+int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen)
+{
+ /* sanity checks on arguments */
+ if (key == NULL || out == NULL || outLen == NULL)
+ return BAD_FUNC_ARG;
+
+ if (*outLen < ED25519_KEY_SIZE) {
+ *outLen = ED25519_KEY_SIZE;
+ return BUFFER_E;
+ }
+
+ *outLen = ED25519_KEY_SIZE;
+ XMEMCPY(out, key->k, ED25519_KEY_SIZE);
+
+ return 0;
+}
+
+/*
+ export private key, including public part
+ outLen should contain the size of out buffer when input. outLen is than set
+ to the final output length.
+ returns 0 on success
+ */
+int wc_ed25519_export_private(ed25519_key* key, byte* out, word32* outLen)
+{
+ /* sanity checks on arguments */
+ if (key == NULL || out == NULL || outLen == NULL)
+ return BAD_FUNC_ARG;
+
+ if (*outLen < ED25519_PRV_KEY_SIZE) {
+ *outLen = ED25519_PRV_KEY_SIZE;
+ return BUFFER_E;
+ }
+
+ *outLen = ED25519_PRV_KEY_SIZE;
+ XMEMCPY(out, key->k, ED25519_PRV_KEY_SIZE);
+
+ return 0;
+}
+
+/* export full private key and public key
+ return 0 on success
+ */
+int wc_ed25519_export_key(ed25519_key* key,
+ byte* priv, word32 *privSz,
+ byte* pub, word32 *pubSz)
+{
+ int ret;
+
+ /* export 'full' private part */
+ ret = wc_ed25519_export_private(key, priv, privSz);
+ if (ret != 0)
+ return ret;
+
+ /* export public part */
+ ret = wc_ed25519_export_public(key, pub, pubSz);
+
+ return ret;
+}
+
+#endif /* HAVE_ED25519_KEY_EXPORT */
+
+/* check the private and public keys match */
+int wc_ed25519_check_key(ed25519_key* key)
+{
+ /* TODO: Perform check of private and public key */
+ (void)key;
+
+ return 0;
+}
+
+/* returns the private key size (secret only) in bytes */
+int wc_ed25519_size(ed25519_key* key)
+{
+ if (key == NULL)
+ return BAD_FUNC_ARG;
+
+ return ED25519_KEY_SIZE;
+}
+
+/* returns the private key size (secret + public) in bytes */
+int wc_ed25519_priv_size(ed25519_key* key)
+{
+ if (key == NULL)
+ return BAD_FUNC_ARG;
+
+ return ED25519_PRV_KEY_SIZE;
+}
+
+/* returns the compressed key size in bytes (public key) */
+int wc_ed25519_pub_size(ed25519_key* key)
+{
+ if (key == NULL)
+ return BAD_FUNC_ARG;
+
+ return ED25519_PUB_KEY_SIZE;
+}
+
+/* returns the size of signature in bytes */
+int wc_ed25519_sig_size(ed25519_key* key)
+{
+ if (key == NULL)
+ return BAD_FUNC_ARG;
+
+ return ED25519_SIG_SIZE;
+}
+
+#endif /* HAVE_ED25519 */
+
+