From d7028a584bf96fb5b84c765a885159cabb95dea2 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Wed, 6 May 2020 18:39:16 +0530 Subject: move from tweetnacl (+custom hacks) -> only sodium --- src/util/Makefile.am | 3 +- src/util/crypto_ecc.c | 85 ++++--- src/util/tweetnacl-gnunet.c | 560 -------------------------------------------- src/util/tweetnacl-gnunet.h | 54 ----- 4 files changed, 54 insertions(+), 648 deletions(-) delete mode 100644 src/util/tweetnacl-gnunet.c delete mode 100644 src/util/tweetnacl-gnunet.h diff --git a/src/util/Makefile.am b/src/util/Makefile.am index fed0dad79..f3373fc38 100644 --- a/src/util/Makefile.am +++ b/src/util/Makefile.am @@ -96,8 +96,6 @@ libgnunetutil_la_SOURCES = \ strings.c \ time.c \ tun.c \ - tweetnacl-gnunet.c \ - tweetnacl-gnunet.h \ speedup.c speedup.h \ proc_compat.c @@ -134,6 +132,7 @@ libgnunetutil_la_LIBADD = \ $(Z_LIBS) \ -lunistring \ -largon2 \ + -lsodium \ $(XLIB) \ $(PTHREAD) diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c index 851a45f93..17986a9d1 100644 --- a/src/util/crypto_ecc.c +++ b/src/util/crypto_ecc.c @@ -26,10 +26,10 @@ */ #include "platform.h" #include +#include #include "gnunet_crypto_lib.h" #include "gnunet_strings_lib.h" #include "benchmark.h" -#include "tweetnacl-gnunet.h" #define EXTRA_CHECKS 0 @@ -173,8 +173,14 @@ GNUNET_CRYPTO_ecdsa_key_get_public ( const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, struct GNUNET_CRYPTO_EcdsaPublicKey *pub) { + uint8_t d[32]; + + /* Treat priv as little endian, due to libgcrypt. */ + for (size_t i = 0; i < 32; i++) + d[i] = priv->d[31 - i]; BENCHMARK_START (ecdsa_key_get_public); - GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (pub->q_y, priv->d); + crypto_scalarmult_ed25519_base_noclamp (pub->q_y, d); + sodium_memzero (d, 32); BENCHMARK_END (ecdsa_key_get_public); } 
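Review bot: The return value of crypto_scalarmult_ed25519_base_noclamp is discarded in GNUNET_CRYPTO_ecdsa_key_get_public, whereas the sibling GNUNET_CRYPTO_ecdhe_key_get_public hunk wraps its libsodium call in GNUNET_assert; libsodium's scalarmult_ed25519 base functions return an int and report a rejected (e.g. all-zero) scalar with -1, so a degenerate private key would silently leave pub->q_y undefined here. For consistency with the ecdhe hunk, use `GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (pub->q_y, d));`. The scrub would also track the declaration better as `sodium_memzero (d, sizeof d);` instead of repeating the literal 32.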
@@ -190,8 +196,13 @@ GNUNET_CRYPTO_eddsa_key_get_public ( const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, struct GNUNET_CRYPTO_EddsaPublicKey *pub) { + unsigned char pk[crypto_sign_PUBLICKEYBYTES]; + unsigned char sk[crypto_sign_SECRETKEYBYTES]; + BENCHMARK_START (eddsa_key_get_public); - GNUNET_TWEETNACL_sign_pk_from_seed (pub->q_y, priv->d); + GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d)); + GNUNET_memcpy (pub->q_y, pk, crypto_sign_PUBLICKEYBYTES); + sodium_memzero (sk, crypto_sign_SECRETKEYBYTES); BENCHMARK_END (eddsa_key_get_public); } @@ -208,7 +219,7 @@ GNUNET_CRYPTO_ecdhe_key_get_public ( struct GNUNET_CRYPTO_EcdhePublicKey *pub) { BENCHMARK_START (ecdhe_key_get_public); - GNUNET_TWEETNACL_scalarmult_curve25519_base (pub->q_y, priv->d); + GNUNET_assert (0 == crypto_scalarmult_base (pub->q_y, priv->d)); BENCHMARK_END (ecdhe_key_get_public); } @@ -737,15 +748,17 @@ GNUNET_CRYPTO_eddsa_sign_ ( { size_t mlen = ntohl (purpose->size); - unsigned char sk[GNUNET_TWEETNACL_SIGN_SECRETKEYBYTES]; + unsigned char sk[crypto_sign_SECRETKEYBYTES]; + unsigned char pk[crypto_sign_PUBLICKEYBYTES]; int res; BENCHMARK_START (eddsa_sign); - GNUNET_TWEETNACL_sign_sk_from_seed (sk, priv->d); - res = GNUNET_TWEETNACL_sign_detached ((uint8_t *) sig, - (uint8_t *) purpose, - mlen, - sk); + GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d)); + res = crypto_sign_detached ((uint8_t *) sig, + NULL, + (uint8_t *) purpose, + mlen, + sk); BENCHMARK_END (eddsa_sign); return (res == 0) ? GNUNET_OK : GNUNET_SYSERR; } @@ -856,7 +869,7 @@ GNUNET_CRYPTO_eddsa_verify_ ( return GNUNET_SYSERR; /* purpose mismatch */ BENCHMARK_START (eddsa_verify); - res = GNUNET_TWEETNACL_sign_detached_verify (s, m, mlen, pub->q_y); + res = crypto_sign_verify_detached (s, m, mlen, pub->q_y); BENCHMARK_END (eddsa_verify); return (res == 0) ? GNUNET_OK : GNUNET_SYSERR; } 
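Review bot: In GNUNET_CRYPTO_eddsa_sign_ the expanded secret key `sk` produced by crypto_sign_seed_keypair is left on the stack after crypto_sign_detached returns, while the GNUNET_CRYPTO_eddsa_key_get_public hunk in this same commit scrubs the identical buffer with sodium_memzero. The libsodium Ed25519 secret key embeds the seed (priv->d), so add `sodium_memzero (sk, sizeof sk);` directly after the crypto_sign_detached call and before BENCHMARK_END so the failure path scrubs it too. `pk` exists only because crypto_sign_seed_keypair requires an output for it; a one-line comment saying so would stop a later cleanup from treating it as an unused local.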
@@ -875,9 +888,10 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material) { - uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; - GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, pub->q_y); - GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material); + uint8_t p[crypto_scalarmult_BYTES]; + if (0 != crypto_scalarmult (p, priv->d, pub->q_y)) + return GNUNET_SYSERR; + GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material); return GNUNET_OK; } @@ -1041,16 +1055,17 @@ GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, struct GNUNET_HashCode *key_material) { struct GNUNET_HashCode hc; - uint8_t a[GNUNET_TWEETNACL_SCALARMULT_BYTES]; - uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; + uint8_t a[crypto_scalarmult_SCALARBYTES]; + uint8_t p[crypto_scalarmult_BYTES]; GNUNET_CRYPTO_hash (priv, sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey), &hc); memcpy (a, &hc, sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey)); - GNUNET_TWEETNACL_scalarmult_curve25519 (p, a, pub->q_y); + if (0 != crypto_scalarmult (p, a, pub->q_y)) + return GNUNET_SYSERR; GNUNET_CRYPTO_hash (p, - GNUNET_TWEETNACL_SCALARMULT_BYTES, + crypto_scalarmult_BYTES, key_material); return GNUNET_OK; } 
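Review bot: The raw X25519 shared secret `p` in GNUNET_CRYPTO_ecc_ecdh is hashed into key_material and then left unscrubbed on the stack; the same holds for `p` (plus `a` and `hc`, which carry the derived private scalar) in GNUNET_CRYPTO_eddsa_ecdh, `p` and `d_rev` in GNUNET_CRYPTO_ecdsa_ecdh, and `p` in GNUNET_CRYPTO_ecdh_eddsa and GNUNET_CRYPTO_ecdh_ecdsa. This commit already introduces sodium_memzero for the ECDSA public-key derivation, so a `sodium_memzero (p, sizeof p);` after each GNUNET_CRYPTO_hash call, and the equivalent for the scalar copies, would make the handling uniform now that every buffer is sized with libsodium constants. Separately, the context line in eddsa_ecdh hashes `priv` with `sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey)` although `priv` is an EddsaPrivateKey; presumably the two structs are the same size, but a comment stating that intent would help since the function is being reworked. All of these functions' signatures start outside the hunks.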
@@ -1071,15 +1086,17 @@ GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material) { - uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; - uint8_t d_rev[GNUNET_TWEETNACL_SCALARMULT_BYTES]; + uint8_t p[crypto_scalarmult_BYTES]; + uint8_t d_rev[crypto_scalarmult_SCALARBYTES]; BENCHMARK_START (ecdsa_ecdh); + // FIXME: byte order for (size_t i = 0; i < 32; i++) d_rev[i] = priv->d[31 - i]; - GNUNET_TWEETNACL_scalarmult_curve25519 (p, d_rev, pub->q_y); + if (0 != crypto_scalarmult (p, d_rev, pub->q_y)) + return GNUNET_SYSERR; GNUNET_CRYPTO_hash (p, - GNUNET_TWEETNACL_SCALARMULT_BYTES, + crypto_scalarmult_BYTES, key_material); BENCHMARK_END (ecdsa_ecdh); return GNUNET_OK; @@ -1101,12 +1118,14 @@ GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EddsaPublicKey *pub, struct GNUNET_HashCode *key_material) { - uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; - uint8_t curve25510_pk[GNUNET_TWEETNACL_SIGN_PUBLICBYTES]; + uint8_t p[crypto_scalarmult_BYTES]; + uint8_t curve25510_pk[crypto_scalarmult_BYTES]; - GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y); - GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, curve25510_pk); - GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material); + if (0 != crypto_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y)) + return GNUNET_SYSERR; + if (0 != crypto_scalarmult (p, priv->d, curve25510_pk)) + return GNUNET_SYSERR; + GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material); return GNUNET_OK; } 
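Review bot: The new `return GNUNET_SYSERR` after crypto_scalarmult in GNUNET_CRYPTO_ecdsa_ecdh exits between BENCHMARK_START (ecdsa_ecdh) and BENCHMARK_END (ecdsa_ecdh), so a rejected peer key leaves the benchmark scope open; if those macros keep per-call timing state this path will skew the measurement. Either insert `BENCHMARK_END (ecdsa_ecdh);` before the early return, or capture the status in a local, call BENCHMARK_END, and then branch on it. The added `// FIXME: byte order` would carry more information if it stated what the loop already does and what is still unverified, e.g. `/* priv->d is big-endian (libgcrypt); reverse it for libsodium. FIXME: confirm X25519 clamping of the reversed scalar matches the ECDSA key. */`, mirroring the comment added in GNUNET_CRYPTO_ecdsa_key_get_public. The function's signature begins outside the hunk.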
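Review bot: GNUNET_CRYPTO_ecdh_eddsa and GNUNET_CRYPTO_ecdh_ecdsa (the next hunk) now have byte-identical bodies: convert pub->q_y with crypto_sign_ed25519_pk_to_curve25519, crypto_scalarmult with priv->d, hash `p`. A static helper taking the raw 32-byte Ed25519 public key and `priv->d` would remove the duplication and give a single place for error handling and scrubbing, with each public function becoming a one-line call. `curve25510_pk` also reads as a typo for `curve25519_pk` in both. Both functions' signatures sit outside the hunks.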
@@ -1126,12 +1145,14 @@ GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, struct GNUNET_HashCode *key_material) { - uint8_t p[GNUNET_TWEETNACL_SCALARMULT_BYTES]; - uint8_t curve25510_pk[GNUNET_TWEETNACL_SIGN_PUBLICBYTES]; + uint8_t p[crypto_scalarmult_BYTES]; + uint8_t curve25510_pk[crypto_scalarmult_BYTES]; - GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y); - GNUNET_TWEETNACL_scalarmult_curve25519 (p, priv->d, curve25510_pk); - GNUNET_CRYPTO_hash (p, GNUNET_TWEETNACL_SCALARMULT_BYTES, key_material); + if (0 != crypto_sign_ed25519_pk_to_curve25519 (curve25510_pk, pub->q_y)) + return GNUNET_SYSERR; + if (0 != crypto_scalarmult (p, priv->d, curve25510_pk)) + return GNUNET_SYSERR; + GNUNET_CRYPTO_hash (p, crypto_scalarmult_BYTES, key_material); return GNUNET_OK; } diff --git a/src/util/tweetnacl-gnunet.c b/src/util/tweetnacl-gnunet.c deleted file mode 100644 index f01667adb..000000000 --- a/src/util/tweetnacl-gnunet.c +++ /dev/null 
@@ -1,560 +0,0 @@ -/* - This file has been placed in the public domain. - - Based on TweetNaCl version 20140427 - - Originally obtained from: - https://tweetnacl.cr.yp.to/20140427/tweetnacl.h - - SPDX-License-Identifier: 0BSD -*/ - -#include "platform.h" -#include "gnunet_crypto_lib.h" -#include "tweetnacl-gnunet.h" -#define FOR(i,n) for (i = 0; i < n; ++i) - -typedef uint8_t u8; -typedef uint32_t u32; -typedef uint64_t u64; -typedef int64_t i64; -typedef i64 gf[16]; - -static const u8 _9[32] = {9}; -static const gf - gf0, - gf1 = {1}, - _121665 = {0xDB41,1}, - D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, - 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203}, - D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, - 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406}, - X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, - 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169}, - Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, - 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666}, - I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, - 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83}; - -static int -vn (const u8 *x,const u8 *y,int n) -{ - u32 i,d = 0; - FOR (i,n) d |= x[i] ^ y[i]; - return (1 & ((d - 1) >> 8)) - 1; -} - -static int -crypto_verify_32 (const u8 *x,const u8 *y) -{ - return vn (x,y,32); -} - -static void -set25519 (gf r, const gf a) -{ - int i; - FOR (i,16) r[i] = a[i]; -} - -static void -car25519 (gf o) -{ - int i; - i64 c; - FOR (i,16) { - o[i] += (1LL << 16); - c = o[i] >> 16; - o[(i + 1) * (i<15)] += c - 1 + 37 * (c - 1) * (i==15); - o[i] -= c << 16; - } -} - -static void -sel25519 (gf p,gf q,int b) -{ - i64 t,i,c = ~(b - 1); - FOR (i,16) { - t = c & (p[i] ^ q[i]); - p[i] ^= t; - q[i] ^= t; - } -} - -static void -pack25519 (u8 *o,const gf n) -{ - int i,j,b; - gf m,t; - FOR (i,16) t[i] = n[i]; - 
car25519 (t); - car25519 (t); - car25519 (t); - FOR (j,2) { - m[0] = t[0] - 0xffed; - for (i = 1; i<15; i++) { - m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1); - m[i - 1] &= 0xffff; - } - m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1); - b = (m[15] >> 16) & 1; - m[14] &= 0xffff; - sel25519 (t,m,1 - b); - } - FOR (i,16) { - o[2 * i] = t[i] & 0xff; - o[2 * i + 1] = t[i] >> 8; - } -} - -static int -neq25519 (const gf a, const gf b) -{ - u8 c[32],d[32]; - pack25519 (c,a); - pack25519 (d,b); - return crypto_verify_32 (c,d); -} - -static uint8_t -par25519 (const gf a) -{ - u8 d[32]; - pack25519 (d,a); - return d[0] & 1; -} - -static void -unpack25519 (gf o, const u8 *n) -{ - int i; - FOR (i,16) o[i] = n[2 * i] + ((i64) n[2 * i + 1] << 8); - o[15] &= 0x7fff; -} - -static void -A (gf o,const gf a,const gf b) -{ - int i; - FOR (i,16) o[i] = a[i] + b[i]; -} - -static void -Z (gf o,const gf a,const gf b) -{ - int i; - FOR (i,16) o[i] = a[i] - b[i]; -} - -static void -M (gf o,const gf a,const gf b) -{ - i64 i,j,t[31]; - FOR (i,31) t[i] = 0; - FOR (i,16) FOR (j,16) t[i + j] += a[i] * b[j]; - FOR (i,15) t[i] += 38 * t[i + 16]; - FOR (i,16) o[i] = t[i]; - car25519 (o); - car25519 (o); -} - -static void -S (gf o,const gf a) -{ - M (o,a,a); -} - -static void -inv25519 (gf o,const gf i) -{ - gf c; - int a; - FOR (a,16) c[a] = i[a]; - for (a = 253; a>=0; a--) { - S (c,c); - if ((a!=2)&&(a!=4)) - M (c,c,i); - } - FOR (a,16) o[a] = c[a]; -} - -static void pow2523 (gf o,const gf i) -{ - gf c; - int a; - FOR (a,16) c[a] = i[a]; - for (a = 250; a>=0; a--) { - S (c,c); - if (a!=1) - M (c,c,i); - } - FOR (a,16) o[a] = c[a]; -} - -int -GNUNET_TWEETNACL_scalarmult_curve25519 (u8 *q,const u8 *n,const u8 *p) -{ - u8 z[32]; - i64 x[80],r,i; - gf a,b,c,d,e,f; - FOR (i,31) z[i] = n[i]; - z[31] = (n[31] & 127) | 64; - z[0] &= 248; - unpack25519 (x,p); - FOR (i,16) { - b[i] = x[i]; - d[i] = a[i] = c[i] = 0; - } - a[0] = d[0] = 1; - for (i = 254; i>=0; --i) { - r = (z[i >> 3] >> (i & 7)) & 1; - 
sel25519 (a,b,r); - sel25519 (c,d,r); - A (e,a,c); - Z (a,a,c); - A (c,b,d); - Z (b,b,d); - S (d,e); - S (f,a); - M (a,c,a); - M (c,b,e); - A (e,a,c); - Z (a,a,c); - S (b,a); - Z (c,d,f); - M (a,c,_121665); - A (a,a,d); - M (c,c,a); - M (a,d,f); - M (d,b,x); - S (b,e); - sel25519 (a,b,r); - sel25519 (c,d,r); - } - FOR (i,16) { - x[i + 16] = a[i]; - x[i + 32] = c[i]; - x[i + 48] = b[i]; - x[i + 64] = d[i]; - } - inv25519 (x + 32,x + 32); - M (x + 16,x + 16,x + 32); - pack25519 (q,x + 16); - return 0; -} - -int -GNUNET_TWEETNACL_scalarmult_curve25519_base (u8 *q,const u8 *n) -{ - return GNUNET_TWEETNACL_scalarmult_curve25519 (q,n,_9); -} - -static int -crypto_hash (u8 *out,const u8 *m,u64 n) -{ - struct GNUNET_HashCode *hc = (void *) out; - GNUNET_CRYPTO_hash (m, n, hc); - return 0; -} - -static void -add (gf p[4],gf q[4]) -{ - gf a,b,c,d,t,e,f,g,h; - - Z (a, p[1], p[0]); - Z (t, q[1], q[0]); - M (a, a, t); - A (b, p[0], p[1]); - A (t, q[0], q[1]); - M (b, b, t); - M (c, p[3], q[3]); - M (c, c, D2); - M (d, p[2], q[2]); - A (d, d, d); - Z (e, b, a); - Z (f, d, c); - A (g, d, c); - A (h, b, a); - - M (p[0], e, f); - M (p[1], h, g); - M (p[2], g, f); - M (p[3], e, h); -} - -static void -cswap (gf p[4],gf q[4],u8 b) -{ - int i; - FOR (i,4) - sel25519 (p[i],q[i],b); -} - -static void -pack (u8 *r,gf p[4]) -{ - gf tx, ty, zi; - inv25519 (zi, p[2]); - M (tx, p[0], zi); - M (ty, p[1], zi); - pack25519 (r, ty); - r[31] ^= par25519 (tx) << 7; -} - -static void -scalarmult (gf p[4],gf q[4],const u8 *s) -{ - int i; - set25519 (p[0],gf0); - set25519 (p[1],gf1); - set25519 (p[2],gf1); - set25519 (p[3],gf0); - for (i = 255; i >= 0; --i) { - u8 b = (s[i / 8] >> (i & 7)) & 1; - cswap (p,q,b); - add (q,p); - add (p,p); - cswap (p,q,b); - } -} - -static void -scalarbase (gf p[4],const u8 *s) -{ - gf q[4]; - set25519 (q[0],X); - set25519 (q[1],Y); - set25519 (q[2],gf1); - M (q[3],X,Y); - scalarmult (p,q,s); -} - -static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 
0xd6, - 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0x10}; - -static void -modL (u8 *r,i64 x[64]) -{ - i64 carry,i,j; - for (i = 63; i >= 32; --i) { - carry = 0; - for (j = i - 32; j < i - 12; ++j) { - x[j] += carry - 16 * x[i] * L[j - (i - 32)]; - carry = (x[j] + 128) >> 8; - x[j] -= carry << 8; - } - x[j] += carry; - x[i] = 0; - } - carry = 0; - FOR (j,32) { - x[j] += carry - (x[31] >> 4) * L[j]; - carry = x[j] >> 8; - x[j] &= 255; - } - FOR (j,32) x[j] -= carry * L[j]; - FOR (i,32) { - x[i + 1] += x[i] >> 8; - r[i] = x[i] & 255; - } -} - -static void -reduce (u8 *r) -{ - i64 x[64],i; - FOR (i,64) x[i] = (u64) r[i]; - FOR (i,64) r[i] = 0; - modL (r,x); -} - -static int -unpackneg (gf r[4],const u8 p[32]) -{ - gf t, chk, num, den, den2, den4, den6; - set25519 (r[2],gf1); - unpack25519 (r[1],p); - S (num,r[1]); - M (den,num,D); - Z (num,num,r[2]); - A (den,r[2],den); - - S (den2,den); - S (den4,den2); - M (den6,den4,den2); - M (t,den6,num); - M (t,t,den); - - pow2523 (t,t); - M (t,t,num); - M (t,t,den); - M (t,t,den); - M (r[0],t,den); - - S (chk,r[0]); - M (chk,chk,den); - if (neq25519 (chk, num)) - M (r[0],r[0],I); - - S (chk,r[0]); - M (chk,chk,den); - if (neq25519 (chk, num)) - return -1; - - if (par25519 (r[0]) == (p[31] >> 7)) - Z (r[0],gf0,r[0]); - - M (r[3],r[0],r[1]); - return 0; -} - -/* The following functions have been added for GNUnet */ - -void -GNUNET_TWEETNACL_sign_pk_from_seed (u8 *pk, const u8 *seed) -{ - u8 d[64]; - gf p[4]; - - crypto_hash (d, seed, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; - - scalarbase (p, d); - pack (pk, p); -} - -void -GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (u8 *pk, const u8 *s) -{ - u8 d[64]; - gf p[4]; - - // Treat s as little endian. 
- for (u32 i = 0; i < 32; i++) - d[i] = s[31 - i]; - - // For GNUnet, we don't normalize d - - scalarbase (p, d); - pack (pk, p); -} - -void -GNUNET_TWEETNACL_sign_sk_from_seed (u8 *sk, const u8 *seed) -{ - u8 d[64]; - gf p[4]; - u8 pk[32]; - int i; - - crypto_hash (d, seed, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; - - scalarbase (p,d); - pack (pk,p); - - FOR (i,32) sk[i] = seed[i]; - FOR (i,32) sk[32 + i] = pk[i]; -} - -int -GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (u8 *x25519_pk, - const u8 *ed25519_pk) -{ - gf ge_a[4]; - gf x; - gf one_minus_y; - - if (0 != unpackneg (ge_a, ed25519_pk)) - return -1; - - set25519 (one_minus_y, gf1); - Z (one_minus_y, one_minus_y, ge_a[1]); - - set25519 (x, gf1); - A (x, x, ge_a[1]); - - inv25519 (one_minus_y, one_minus_y); - M (x, x, one_minus_y); - pack25519 (x25519_pk, x); - - return 0; -} - -int GNUNET_TWEETNACL_sign_detached_verify (const u8 *sig, - const u8 *m, - u64 n, - const u8 *pk) -{ - struct GNUNET_HashContext *hc; - u8 t[32],h[64]; - gf p[4],q[4]; - - if (unpackneg (q,pk)) - return -1; - - hc = GNUNET_CRYPTO_hash_context_start (); - GNUNET_CRYPTO_hash_context_read (hc, sig, 32); - GNUNET_CRYPTO_hash_context_read (hc, pk, 32); - GNUNET_CRYPTO_hash_context_read (hc, m, n); - GNUNET_CRYPTO_hash_context_finish (hc, (void *) h); - - reduce (h); - scalarmult (p,q,h); - - scalarbase (q,sig+32); - add (p,q); - pack (t,p); - - if (crypto_verify_32 (sig, t)) - return -1; - return 0; -} - -int -GNUNET_TWEETNACL_sign_detached (u8 *sig, - const u8 *m, - u64 n, - const u8 *sk) -{ - struct GNUNET_HashContext *hc; - u8 d[64],h[64],r[64]; - i64 i,j,x[64]; - gf p[4]; - - crypto_hash (d, sk, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; - - hc = GNUNET_CRYPTO_hash_context_start (); - GNUNET_CRYPTO_hash_context_read (hc, d + 32, 32); - GNUNET_CRYPTO_hash_context_read (hc, m, n); - GNUNET_CRYPTO_hash_context_finish (hc, (void *) r); - - reduce (r); - scalarbase (p,r); - pack (sig,p); - - hc = 
GNUNET_CRYPTO_hash_context_start (); - GNUNET_CRYPTO_hash_context_read (hc, sig, 32); - GNUNET_CRYPTO_hash_context_read (hc, sk + 32, 32); - GNUNET_CRYPTO_hash_context_read (hc, m, n); - GNUNET_CRYPTO_hash_context_finish (hc, (void *) h); - - reduce (h); - - FOR (i,64) x[i] = 0; - FOR (i,32) x[i] = (u64) r[i]; - FOR (i,32) FOR (j,32) x[i + j] += h[i] * (u64) d[j]; - modL (sig + 32,x); - - return 0; -} diff --git a/src/util/tweetnacl-gnunet.h b/src/util/tweetnacl-gnunet.h deleted file mode 100644 index d052d8824..000000000 --- a/src/util/tweetnacl-gnunet.h +++ /dev/null @@ -1,54 +0,0 @@ -/* - This file has been placed in the public domain. - - Based on TweetNaCl version 20140427 - - Originally obtained from: - https://tweetnacl.cr.yp.to/20140427/tweetnacl.h - - SPDX-License-Identifier: 0BSD - */ - - -#ifndef TWEETNACL_H -#define TWEETNACL_H -#include - - -#define GNUNET_TWEETNACL_SIGN_SECRETKEYBYTES 64 -#define GNUNET_TWEETNACL_SIGN_PUBLICBYTES 32 -#define GNUNET_TWEETNACL_SCALARMULT_BYTES 32 - -int -GNUNET_TWEETNACL_scalarmult_curve25519 (uint8_t *, - const uint8_t *, - const uint8_t *); -extern int -GNUNET_TWEETNACL_scalarmult_curve25519_base (uint8_t *, - const uint8_t *); -void -GNUNET_TWEETNACL_sign_pk_from_seed (uint8_t *pk, const uint8_t *seed); - -void -GNUNET_TWEETNACL_sign_sk_from_seed (uint8_t *sk, const uint8_t *seed); - -int -GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (uint8_t *x25519_pk, - const uint8_t *ed25519_pk); - -int -GNUNET_TWEETNACL_sign_detached_verify (const uint8_t *sig, - const uint8_t *m, - uint64_t n, - const uint8_t *pk); - -int -GNUNET_TWEETNACL_sign_detached (uint8_t *sig, - const uint8_t *m, - uint64_t n, - const uint8_t *sk); - -void -GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (uint8_t *pk, const uint8_t *s); - -#endif -- cgit v1.2.3