ecdh-eddsa implementation now works

author: Christian Grothoff <christian@grothoff.org> 2015-05-15 13:45:53 +0000
committer: Christian Grothoff <christian@grothoff.org> 2015-05-15 13:45:53 +0000
commit: 1fa44a546134cd03a827387b664a2bbee1a209f8 (patch)
tree: d65c7ce10c2b30fbdc498030fc240d95c1011eb6 /src/util/crypto_ecc.c
parent: c0e6f18c0ebe60bff0437740d64a7de43b9304ca (diff)
download: gnunet-1fa44a546134cd03a827387b664a2bbee1a209f8.tar.gz
gnunet-1fa44a546134cd03a827387b664a2bbee1a209f8.zip
1 files changed, 189 insertions, 4 deletions
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index c3a60e841..a29e27a44 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -1430,7 +1430,9 @@ derive_h (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
                     label, strlen (label),
                     context, strlen (context),
                     NULL, 0);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof (hc));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&h,
+                                   (unsigned char *) &hc,
+                                   sizeof (hc));
  return h;
 }
@@ -1466,7 +1468,9 @@ GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateK
  GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
  h = derive_h (&pub, label, context);
-  GNUNET_CRYPTO_mpi_scan_unsigned (&x, priv->d, sizeof (priv->d));
+  GNUNET_CRYPTO_mpi_scan_unsigned (&x,
+                                   priv->d,
+                                   sizeof (priv->d));
  d = gcry_mpi_new (256);
  gcry_mpi_mulm (d, h, x, n);
  gcry_mpi_release (h);
@@ -1543,6 +1547,78 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
 /**
+ * Reverse the sequence of the bytes in @a buffer
+ *
+ * @param[in|out] buffer buffer to invert
+ * @param length number of bytes in @a buffer
+ */
+static void
+reverse_buffer (unsigned char *buffer,
+                size_t length)
+{
+  unsigned char tmp;
+  size_t i;
+  for (i=0; i < length/2; i++)
+  {
+    tmp = buffer[i];
+    buffer[i] = buffer[length-1-i];
+    buffer[length-1-i] = tmp;
+  }
+}
+/**
+ * Convert the secret @a d of an EdDSA key to the
+ * value that is actually used in the EdDSA computation.
+ *
+ * @param d secret input
+ * @return value used for the calculation in EdDSA
+ */
+static gcry_mpi_t
+eddsa_d_to_a (gcry_mpi_t d)
+{
+  unsigned char rawmpi[32]; /* 256-bit value */
+  size_t rawmpilen;
+  unsigned char digest[64]; /* 512-bit hash value */
+  gcry_buffer_t hvec[2];
+  int b;
+  gcry_mpi_t a;
+  b = 256 / 8; /* number of bytes in `d` */
+  
+  /* Note that we clear DIGEST so we can use it as input to left pad
+     the key with zeroes for hashing.  */
+  memset (hvec, 0, sizeof hvec);
+  rawmpilen = sizeof (rawmpi);
+  GNUNET_assert (0 ==
+                 gcry_mpi_print (GCRYMPI_FMT_USG,
+                                 rawmpi, rawmpilen, &rawmpilen,
+                                 d));
+  hvec[0].data = digest;
+  hvec[0].off = 0;
+  hvec[0].len = b > rawmpilen? b - rawmpilen : 0;
+  hvec[1].data = rawmpi;
+  hvec[1].off = 0;
+  hvec[1].len = rawmpilen;
+  GNUNET_assert (0 ==
+                 gcry_md_hash_buffers (GCRY_MD_SHA512,
+                                       0 /* flags */,
+                                       digest,
+                                       hvec, 2));
+  /* Compute the A value.  */
+  reverse_buffer (digest, 32);  /* Only the first half of the hash.  */
+  digest[0]   = (digest[0] & 0x7f) | 0x40;
+  digest[31] &= 0xf8;
+  GNUNET_CRYPTO_mpi_scan_unsigned (&a,
+                                   digest,
+                                   32);
+  return a;
+}
+/**
 * @ingroup crypto
 * Derive key material from a ECDH public key and a private EdDSA key.
 * Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
@@ -1557,7 +1633,64 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
                          const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
                          struct GNUNET_HashCode *key_material)
 {
-  return GNUNET_SYSERR;
+  gcry_mpi_point_t result;
+  gcry_mpi_point_t q;
+  gcry_mpi_t d;
+  gcry_mpi_t a;
+  gcry_ctx_t ctx;
+  gcry_sexp_t pub_sexpr;
+  gcry_mpi_t result_x;
+  unsigned char xbuf[256 / 8];
+  size_t rsize;
+  /* first, extract the q = dP value from the public key */
+  if (0 != gcry_sexp_build (&pub_sexpr, NULL,
+                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                            (int)sizeof (pub->q_y), pub->q_y))
+    return GNUNET_SYSERR;
+  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
+  gcry_sexp_release (pub_sexpr);
+  q = gcry_mpi_ec_get_point ("q", ctx, 0);
+  /* second, extract the d value from our private key */
+  GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
+  /* NOW, because this is EdDSA, HASH 'd' first! */
+  a = eddsa_d_to_a (d);
+  gcry_mpi_release (d);
+    
+  /* then call the 'multiply' function, to compute the product */
+  result = gcry_mpi_point_new (0);
+  gcry_mpi_ec_mul (result, a, q, ctx);
+  gcry_mpi_point_release (q);
+  gcry_mpi_release (a);
+  /* finally, convert point to string for hashing */
+  result_x = gcry_mpi_new (256);
+  if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
+  {
+    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
+    gcry_mpi_point_release (result);
+    gcry_ctx_release (ctx);
+    return GNUNET_SYSERR;
+  }
+  gcry_mpi_point_release (result);
+  gcry_ctx_release (ctx);
+  rsize = sizeof (xbuf);
+  GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
+  /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
+     as that does not include the sign bit; x should be a 255-bit
+     value, so with the sign it should fit snugly into the 256-bit
+     xbuf */
+  GNUNET_assert (0 ==
+                 gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize,
+                                 result_x));
+  GNUNET_CRYPTO_hash (xbuf,
+                      rsize,
+                      key_material);
+  gcry_mpi_release (result_x);
+  return GNUNET_OK;
 }
@@ -1576,7 +1709,59 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
                          const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
                          struct GNUNET_HashCode *key_material)
 {
-  return GNUNET_SYSERR;
+  gcry_mpi_point_t result;
+  gcry_mpi_point_t q;
+  gcry_mpi_t d;
+  gcry_ctx_t ctx;
+  gcry_sexp_t pub_sexpr;
+  gcry_mpi_t result_x;
+  unsigned char xbuf[256 / 8];
+  size_t rsize;
+  /* first, extract the q = dP value from the public key */
+  if (0 != gcry_sexp_build (&pub_sexpr, NULL,
+                            "(public-key(ecc(curve " CURVE ")(q %b)))",
+                            (int)sizeof (pub->q_y), pub->q_y))
+    return GNUNET_SYSERR;
+  GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
+  gcry_sexp_release (pub_sexpr);
+  q = gcry_mpi_ec_get_point ("q", ctx, 0);
+  /* second, extract the d value from our private key */
+  GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
+  /* then call the 'multiply' function, to compute the product */
+  result = gcry_mpi_point_new (0);
+  gcry_mpi_ec_mul (result, d, q, ctx);
+  gcry_mpi_point_release (q);
+  gcry_mpi_release (d);
+  /* finally, convert point to string for hashing */
+  result_x = gcry_mpi_new (256);
+  if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
+  {
+    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
+    gcry_mpi_point_release (result);
+    gcry_ctx_release (ctx);
+    return GNUNET_SYSERR;
+  }
+  gcry_mpi_point_release (result);
+  gcry_ctx_release (ctx);
+  rsize = sizeof (xbuf);
+  GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
+  /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
+     as that does not include the sign bit; x should be a 255-bit
+     value, so with the sign it should fit snugly into the 256-bit
+     xbuf */
+  GNUNET_assert (0 ==
+                 gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize,
+                                 result_x));
+  GNUNET_CRYPTO_hash (xbuf,
+                      rsize,
+                      key_material);
+  gcry_mpi_release (result_x);
+  return GNUNET_OK;
 }
author	Christian Grothoff <christian@grothoff.org>	2015-05-15 13:45:53 +0000
committer	Christian Grothoff <christian@grothoff.org>	2015-05-15 13:45:53 +0000
commit	1fa44a546134cd03a827387b664a2bbee1a209f8 (patch)
tree	d65c7ce10c2b30fbdc498030fc240d95c1011eb6 /src/util/crypto_ecc.c
parent	c0e6f18c0ebe60bff0437740d64a7de43b9304ca (diff)
download	gnunet-1fa44a546134cd03a827387b664a2bbee1a209f8.tar.gz gnunet-1fa44a546134cd03a827387b664a2bbee1a209f8.zip

diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c index c3a60e841..a29e27a44 100644 --- a/src/util/crypto_ecc.c +++ b/src/util/crypto_ecc.c
@@ -1430,7 +1430,9 @@ derive_h (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
1430	label, strlen (label),	1430	label, strlen (label),
1431	context, strlen (context),	1431	context, strlen (context),
1432	NULL, 0);	1432	NULL, 0);
1433	GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof (hc));	1433	GNUNET_CRYPTO_mpi_scan_unsigned (&h,
		1434	(unsigned char *) &hc,
		1435	sizeof (hc));
1434	return h;	1436	return h;
1435	}	1437	}
1436		1438
@@ -1466,7 +1468,9 @@ GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateK
1466	GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);	1468	GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
1467		1469
1468	h = derive_h (&pub, label, context);	1470	h = derive_h (&pub, label, context);
1469	GNUNET_CRYPTO_mpi_scan_unsigned (&x, priv->d, sizeof (priv->d));	1471	GNUNET_CRYPTO_mpi_scan_unsigned (&x,
		1472	priv->d,
		1473	sizeof (priv->d));
1470	d = gcry_mpi_new (256);	1474	d = gcry_mpi_new (256);
1471	gcry_mpi_mulm (d, h, x, n);	1475	gcry_mpi_mulm (d, h, x, n);
1472	gcry_mpi_release (h);	1476	gcry_mpi_release (h);
@@ -1543,6 +1547,78 @@ GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey
1543		1547
1544		1548
1545	/**	1549	/**
		1550	* Reverse the sequence of the bytes in @a buffer
		1551	*
		1552	* @param[in\|out] buffer buffer to invert
		1553	* @param length number of bytes in @a buffer
		1554	*/
		1555	static void
		1556	reverse_buffer (unsigned char *buffer,
		1557	size_t length)
		1558	{
		1559	unsigned char tmp;
		1560	size_t i;
		1561
		1562	for (i=0; i < length/2; i++)
		1563	{
		1564	tmp = buffer[i];
		1565	buffer[i] = buffer[length-1-i];
		1566	buffer[length-1-i] = tmp;
		1567	}
		1568	}
		1569
		1570
		1571	/**
		1572	* Convert the secret @a d of an EdDSA key to the
		1573	* value that is actually used in the EdDSA computation.
		1574	*
		1575	* @param d secret input
		1576	* @return value used for the calculation in EdDSA
		1577	*/
		1578	static gcry_mpi_t
		1579	eddsa_d_to_a (gcry_mpi_t d)
		1580	{
		1581	unsigned char rawmpi[32]; /* 256-bit value */
		1582	size_t rawmpilen;
		1583	unsigned char digest[64]; /* 512-bit hash value */
		1584	gcry_buffer_t hvec[2];
		1585	int b;
		1586	gcry_mpi_t a;
		1587
		1588	b = 256 / 8; /* number of bytes in `d` */
		1589
		1590	/* Note that we clear DIGEST so we can use it as input to left pad
		1591	the key with zeroes for hashing. */
		1592	memset (hvec, 0, sizeof hvec);
		1593	rawmpilen = sizeof (rawmpi);
		1594	GNUNET_assert (0 ==
		1595	gcry_mpi_print (GCRYMPI_FMT_USG,
		1596	rawmpi, rawmpilen, &rawmpilen,
		1597	d));
		1598	hvec[0].data = digest;
		1599	hvec[0].off = 0;
		1600	hvec[0].len = b > rawmpilen? b - rawmpilen : 0;
		1601	hvec[1].data = rawmpi;
		1602	hvec[1].off = 0;
		1603	hvec[1].len = rawmpilen;
		1604	GNUNET_assert (0 ==
		1605	gcry_md_hash_buffers (GCRY_MD_SHA512,
		1606	0 /* flags */,
		1607	digest,
		1608	hvec, 2));
		1609	/* Compute the A value. */
		1610	reverse_buffer (digest, 32); /* Only the first half of the hash. */
		1611	digest[0] = (digest[0] & 0x7f) \| 0x40;
		1612	digest[31] &= 0xf8;
		1613
		1614	GNUNET_CRYPTO_mpi_scan_unsigned (&a,
		1615	digest,
		1616	32);
		1617	return a;
		1618	}
		1619
		1620
		1621	/**
1546	* @ingroup crypto	1622	* @ingroup crypto
1547	* Derive key material from a ECDH public key and a private EdDSA key.	1623	* Derive key material from a ECDH public key and a private EdDSA key.
1548	* Dual to #GNUNET_CRRYPTO_ecdh_eddsa.	1624	* Dual to #GNUNET_CRRYPTO_ecdh_eddsa.
@@ -1557,7 +1633,64 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
1557	const struct GNUNET_CRYPTO_EcdhePublicKey *pub,	1633	const struct GNUNET_CRYPTO_EcdhePublicKey *pub,
1558	struct GNUNET_HashCode *key_material)	1634	struct GNUNET_HashCode *key_material)
1559	{	1635	{
1560	return GNUNET_SYSERR;	1636	gcry_mpi_point_t result;
		1637	gcry_mpi_point_t q;
		1638	gcry_mpi_t d;
		1639	gcry_mpi_t a;
		1640	gcry_ctx_t ctx;
		1641	gcry_sexp_t pub_sexpr;
		1642	gcry_mpi_t result_x;
		1643	unsigned char xbuf[256 / 8];
		1644	size_t rsize;
		1645
		1646	/* first, extract the q = dP value from the public key */
		1647	if (0 != gcry_sexp_build (&pub_sexpr, NULL,
		1648	"(public-key(ecc(curve " CURVE ")(q %b)))",
		1649	(int)sizeof (pub->q_y), pub->q_y))
		1650	return GNUNET_SYSERR;
		1651	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
		1652	gcry_sexp_release (pub_sexpr);
		1653	q = gcry_mpi_ec_get_point ("q", ctx, 0);
		1654
		1655	/* second, extract the d value from our private key */
		1656	GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
		1657
		1658	/* NOW, because this is EdDSA, HASH 'd' first! */
		1659	a = eddsa_d_to_a (d);
		1660	gcry_mpi_release (d);
		1661
		1662	/* then call the 'multiply' function, to compute the product */
		1663	result = gcry_mpi_point_new (0);
		1664	gcry_mpi_ec_mul (result, a, q, ctx);
		1665	gcry_mpi_point_release (q);
		1666	gcry_mpi_release (a);
		1667
		1668	/* finally, convert point to string for hashing */
		1669	result_x = gcry_mpi_new (256);
		1670	if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
		1671	{
		1672	LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
		1673	gcry_mpi_point_release (result);
		1674	gcry_ctx_release (ctx);
		1675	return GNUNET_SYSERR;
		1676	}
		1677	gcry_mpi_point_release (result);
		1678	gcry_ctx_release (ctx);
		1679
		1680	rsize = sizeof (xbuf);
		1681	GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
		1682	/* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
		1683	as that does not include the sign bit; x should be a 255-bit
		1684	value, so with the sign it should fit snugly into the 256-bit
		1685	xbuf */
		1686	GNUNET_assert (0 ==
		1687	gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize,
		1688	result_x));
		1689	GNUNET_CRYPTO_hash (xbuf,
		1690	rsize,
		1691	key_material);
		1692	gcry_mpi_release (result_x);
		1693	return GNUNET_OK;
1561	}	1694	}
1562		1695
1563		1696
@@ -1576,7 +1709,59 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv,
1576	const struct GNUNET_CRYPTO_EddsaPublicKey *pub,	1709	const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
1577	struct GNUNET_HashCode *key_material)	1710	struct GNUNET_HashCode *key_material)
1578	{	1711	{
1579	return GNUNET_SYSERR;	1712	gcry_mpi_point_t result;
		1713	gcry_mpi_point_t q;
		1714	gcry_mpi_t d;
		1715	gcry_ctx_t ctx;
		1716	gcry_sexp_t pub_sexpr;
		1717	gcry_mpi_t result_x;
		1718	unsigned char xbuf[256 / 8];
		1719	size_t rsize;
		1720
		1721	/* first, extract the q = dP value from the public key */
		1722	if (0 != gcry_sexp_build (&pub_sexpr, NULL,
		1723	"(public-key(ecc(curve " CURVE ")(q %b)))",
		1724	(int)sizeof (pub->q_y), pub->q_y))
		1725	return GNUNET_SYSERR;
		1726	GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL));
		1727	gcry_sexp_release (pub_sexpr);
		1728	q = gcry_mpi_ec_get_point ("q", ctx, 0);
		1729
		1730	/* second, extract the d value from our private key */
		1731	GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
		1732
		1733	/* then call the 'multiply' function, to compute the product */
		1734	result = gcry_mpi_point_new (0);
		1735	gcry_mpi_ec_mul (result, d, q, ctx);
		1736	gcry_mpi_point_release (q);
		1737	gcry_mpi_release (d);
		1738
		1739	/* finally, convert point to string for hashing */
		1740	result_x = gcry_mpi_new (256);
		1741	if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx))
		1742	{
		1743	LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0);
		1744	gcry_mpi_point_release (result);
		1745	gcry_ctx_release (ctx);
		1746	return GNUNET_SYSERR;
		1747	}
		1748	gcry_mpi_point_release (result);
		1749	gcry_ctx_release (ctx);
		1750
		1751	rsize = sizeof (xbuf);
		1752	GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE));
		1753	/* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned'
		1754	as that does not include the sign bit; x should be a 255-bit
		1755	value, so with the sign it should fit snugly into the 256-bit
		1756	xbuf */
		1757	GNUNET_assert (0 ==
		1758	gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize,
		1759	result_x));
		1760	GNUNET_CRYPTO_hash (xbuf,
		1761	rsize,
		1762	key_material);
		1763	gcry_mpi_release (result_x);
		1764	return GNUNET_OK;
1580	}	1765	}
1581		1766
1582		1767