diff options
Diffstat (limited to 'src/util/crypto_ecc_gnsrecord.c')
| -rw-r--r-- | src/util/crypto_ecc_gnsrecord.c | 45 |
1 files changed, 18 insertions, 27 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c index fc99bfc18..873ed978e 100644 --- a/src/util/crypto_ecc_gnsrecord.c +++ b/src/util/crypto_ecc_gnsrecord.c | |||
| @@ -170,6 +170,7 @@ GNUNET_CRYPTO_eddsa_sign_derived ( | |||
| 170 | return GNUNET_OK; | 170 | return GNUNET_OK; |
| 171 | } | 171 | } |
| 172 | 172 | ||
| 173 | |||
| 173 | enum GNUNET_GenericReturnValue | 174 | enum GNUNET_GenericReturnValue |
| 174 | GNUNET_CRYPTO_ecdsa_sign_derived ( | 175 | GNUNET_CRYPTO_ecdsa_sign_derived ( |
| 175 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | 176 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, |
| @@ -190,6 +191,7 @@ GNUNET_CRYPTO_ecdsa_sign_derived ( | |||
| 190 | return res; | 191 | return res; |
| 191 | } | 192 | } |
| 192 | 193 | ||
| 194 | |||
| 193 | struct GNUNET_CRYPTO_EcdsaPrivateKey * | 195 | struct GNUNET_CRYPTO_EcdsaPrivateKey * |
| 194 | GNUNET_CRYPTO_ecdsa_private_key_derive ( | 196 | GNUNET_CRYPTO_ecdsa_private_key_derive ( |
| 195 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, | 197 | const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, |
| @@ -300,10 +302,10 @@ GNUNET_CRYPTO_eddsa_private_key_derive ( | |||
| 300 | uint8_t dc[32]; | 302 | uint8_t dc[32]; |
| 301 | unsigned char sk[64]; | 303 | unsigned char sk[64]; |
| 302 | gcry_mpi_t h; | 304 | gcry_mpi_t h; |
| 303 | gcry_mpi_t h_mod_n; | 305 | gcry_mpi_t h_mod_L; |
| 304 | gcry_mpi_t x; | 306 | gcry_mpi_t a; |
| 305 | gcry_mpi_t d; | 307 | gcry_mpi_t d; |
| 306 | gcry_mpi_t n; | 308 | gcry_mpi_t L; |
| 307 | gcry_mpi_t a1; | 309 | gcry_mpi_t a1; |
| 308 | gcry_mpi_t a2; | 310 | gcry_mpi_t a2; |
| 309 | gcry_ctx_t ctx; | 311 | gcry_ctx_t ctx; |
| @@ -315,9 +317,9 @@ GNUNET_CRYPTO_eddsa_private_key_derive ( | |||
| 315 | GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519")); | 317 | GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519")); |
| 316 | 318 | ||
| 317 | /** | 319 | /** |
| 318 | * Get our modulo | 320 | * Get our modulo L |
| 319 | */ | 321 | */ |
| 320 | n = gcry_mpi_ec_get_mpi ("n", ctx, 1); | 322 | L = gcry_mpi_ec_get_mpi ("n", ctx, 1); |
| 321 | GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub); | 323 | GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub); |
| 322 | 324 | ||
| 323 | /** | 325 | /** |
| @@ -332,39 +334,28 @@ GNUNET_CRYPTO_eddsa_private_key_derive ( | |||
| 332 | sk[31] |= 64; | 334 | sk[31] |= 64; |
| 333 | 335 | ||
| 334 | /** | 336 | /** |
| 335 | * Get h mod n | 337 | * Get h mod L |
| 336 | */ | 338 | */ |
| 337 | derive_h (&pub, sizeof (pub), label, context, &hc); | 339 | derive_h (&pub, sizeof (pub), label, context, &hc); |
| 338 | GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc)); | 340 | GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc)); |
| 339 | h_mod_n = gcry_mpi_new (256); | 341 | h_mod_L = gcry_mpi_new (256); |
| 340 | gcry_mpi_mod (h_mod_n, h, n); | 342 | gcry_mpi_mod (h_mod_L, h, L); |
| 341 | /* Convert scalar to big endian for libgcrypt */ | 343 | /* Convert scalar to big endian for libgcrypt */ |
| 342 | for (size_t i = 0; i < 32; i++) | 344 | for (size_t i = 0; i < 32; i++) |
| 343 | dc[i] = sk[31 - i]; | 345 | dc[i] = sk[31 - i]; |
| 344 | 346 | ||
| 345 | /** | 347 | /** |
| 346 | * dc now contains the private scalar "a". | 348 | * dc now contains the private scalar "a". |
| 347 | * We carefully remove the clamping and derive a'. | 349 | * We calculate: |
| 348 | * Calculate: | 350 | * d' := h * a mod L |
| 349 | * a1 := a / 8 | ||
| 350 | * a2 := h * a1 mod n | ||
| 351 | * a' := a2 * 8 mod n | ||
| 352 | */ | 351 | */ |
| 353 | GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc)); // a | 352 | GNUNET_CRYPTO_mpi_scan_unsigned (&a, dc, sizeof(dc)); // a |
| 354 | a1 = gcry_mpi_new (256); | ||
| 355 | gcry_mpi_t eight = gcry_mpi_set_ui (NULL, 8); | ||
| 356 | gcry_mpi_div (a1, NULL, x, eight, 0); // a1 := a / 8 | ||
| 357 | a2 = gcry_mpi_new (256); | ||
| 358 | gcry_mpi_mulm (a2, h_mod_n, a1, n); // a2 := h * a1 mod n | ||
| 359 | d = gcry_mpi_new (256); | 353 | d = gcry_mpi_new (256); |
| 360 | gcry_mpi_mul (d, a2, eight); // a' := a2 * 8 | 354 | gcry_mpi_mulm (d, h_mod_L, a, L); // d := h * a mod L |
| 361 | gcry_mpi_release (h); | 355 | gcry_mpi_release (h); |
| 362 | gcry_mpi_release (x); | 356 | gcry_mpi_release (a); |
| 363 | gcry_mpi_release (n); | 357 | gcry_mpi_release (L); |
| 364 | gcry_mpi_release (h_mod_n); | 358 | gcry_mpi_release (h_mod_L); |
| 365 | gcry_mpi_release (a1); | ||
| 366 | gcry_mpi_release (eight); | ||
| 367 | gcry_mpi_release (a2); | ||
| 368 | gcry_ctx_release (ctx); | 359 | gcry_ctx_release (ctx); |
| 369 | GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d); | 360 | GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d); |
| 370 | /** | 361 | /** |
| @@ -378,7 +369,7 @@ GNUNET_CRYPTO_eddsa_private_key_derive ( | |||
| 378 | crypto_hash_sha256_update (&hs, sk + 32, 32); | 369 | crypto_hash_sha256_update (&hs, sk + 32, 32); |
| 379 | crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc)); | 370 | crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc)); |
| 380 | crypto_hash_sha256_final (&hs, result->s + 32); | 371 | crypto_hash_sha256_final (&hs, result->s + 32); |
| 381 | //memcpy (result->s, sk, sizeof (sk)); | 372 | // memcpy (result->s, sk, sizeof (sk)); |
| 382 | /* Convert to little endian for libsodium */ | 373 | /* Convert to little endian for libsodium */ |
| 383 | for (size_t i = 0; i < 32; i++) | 374 | for (size_t i = 0; i < 32; i++) |
| 384 | result->s[i] = dc[31 - i]; | 375 | result->s[i] = dc[31 - i]; |