Diffstat (limited to 'src/util/crypto_ecc_gnsrecord.c')
-rw-r--r-- | src/util/crypto_ecc_gnsrecord.c | 45 |
1 files changed, 18 insertions, 27 deletions
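--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -170,6 +170,7 @@ GNUNET_CRYPTO_eddsa_sign_derived (
   return GNUNET_OK;
 }
 
+
 enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_ecdsa_sign_derived (
   const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
@@ -190,6 +191,7 @@ GNUNET_CRYPTO_ecdsa_sign_derived (
   return res;
 }
 
+
 struct GNUNET_CRYPTO_EcdsaPrivateKey *
 GNUNET_CRYPTO_ecdsa_private_key_derive (
   const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
@@ -300,10 +302,10 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
   uint8_t dc[32];
   unsigned char sk[64];
   gcry_mpi_t h;
-  gcry_mpi_t h_mod_n;
-  gcry_mpi_t x;
+  gcry_mpi_t h_mod_L;
+  gcry_mpi_t a;
   gcry_mpi_t d;
-  gcry_mpi_t n;
+  gcry_mpi_t L;
   gcry_mpi_t a1;
   gcry_mpi_t a2;
   gcry_ctx_t ctx;
@@ -315,9 +317,9 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
   GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
 
   /**
-   * Get our modulo
+   * Get our modulo L
    */
-  n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+  L = gcry_mpi_ec_get_mpi ("n", ctx, 1);
   GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
 
   /**
@@ -332,39 +334,28 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
   sk[31] |= 64;
 
   /**
-   * Get h mod n
+   * Get h mod L
    */
   derive_h (&pub, sizeof (pub), label, context, &hc);
   GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
-  h_mod_n = gcry_mpi_new (256);
-  gcry_mpi_mod (h_mod_n, h, n);
+  h_mod_L = gcry_mpi_new (256);
+  gcry_mpi_mod (h_mod_L, h, L);
   /* Convert scalar to big endian for libgcrypt */
   for (size_t i = 0; i < 32; i++)
     dc[i] = sk[31 - i];
 
   /**
    * dc now contains the private scalar "a".
-   * We carefully remove the clamping and derive a'.
-   * Calculate:
-   * a1 := a / 8
-   * a2 := h * a1 mod n
-   * a' := a2 * 8 mod n
+   * We calculate:
+   * d' := h * a mod L
    */
-  GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc)); // a
-  a1 = gcry_mpi_new (256);
-  gcry_mpi_t eight = gcry_mpi_set_ui (NULL, 8);
-  gcry_mpi_div (a1, NULL, x, eight, 0); // a1 := a / 8
-  a2 = gcry_mpi_new (256);
-  gcry_mpi_mulm (a2, h_mod_n, a1, n); // a2 := h * a1 mod n
+  GNUNET_CRYPTO_mpi_scan_unsigned (&a, dc, sizeof(dc)); // a
   d = gcry_mpi_new (256);
-  gcry_mpi_mul (d, a2, eight); // a' := a2 * 8
+  gcry_mpi_mulm (d, h_mod_L, a, L); // d := h * a mod L
   gcry_mpi_release (h);
-  gcry_mpi_release (x);
-  gcry_mpi_release (n);
-  gcry_mpi_release (h_mod_n);
-  gcry_mpi_release (a1);
-  gcry_mpi_release (eight);
-  gcry_mpi_release (a2);
+  gcry_mpi_release (a);
+  gcry_mpi_release (L);
+  gcry_mpi_release (h_mod_L);
   gcry_ctx_release (ctx);
   GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
   /**
@@ -378,7 +369,7 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
   crypto_hash_sha256_update (&hs, sk + 32, 32);
   crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
   crypto_hash_sha256_final (&hs, result->s + 32);
-  //memcpy (result->s, sk, sizeof (sk));
+  // memcpy (result->s, sk, sizeof (sk));
   /* Convert to little endian for libsodium */
   for (size_t i = 0; i < 32; i++)
     result->s[i] = dc[31 - i];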
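Review bot: The new `gcry_mpi_mulm (d, h_mod_L, a, L)` on new line 354 produces a scalar reduced below L (about 2^252), so the bit that `sk[31] |= 64` sets on line 334 can never be set in d and d need not be a multiple of 8 — the removed a1/eight/a2 sequence kept that multiple-of-8 property on purpose, and this commit drops it without saying so. Mathematically d·B = h·(a·B) still holds because L is the order of the base point, but result->s now carries a raw, unclamped scalar, so any consumer that re-clamps it or re-expands it as a seed would silently derive a key that does not match the derived public key; the comment block at new lines 347–351 should say so, e.g. `* d is reduced mod L and deliberately NOT clamped: result->s must be consumed as a raw scalar, never re-clamped or treated as a seed.`, and its `d'` should match the `d` used in the code comment on line 354. The declarations `gcry_mpi_t a1;` and `gcry_mpi_t a2;` at new lines 309–310 are now unused and should have gone with the rest of the removed sequence. The secret-bearing MPIs `h_mod_L`, `a` and `d` are created with `gcry_mpi_new` rather than `gcry_mpi_snew`, so libgcrypt will neither keep them in secure memory nor wipe them on release — worth checking against how the rest of this file treats private scalars, and `d` is not released within the hunk, presumably later in GNUNET_CRYPTO_eddsa_private_key_derive, which starts before and continues past this hunk.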