/* Compute the affine coordinates from the projective coordinates in
POINT. Set them into X and Y. If one coordinate is not required,
X or Y may be passed as NULL. CTX is the usual context. Returns: 0
on success or !0 if POINT is at infinity. */
int
_gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, mpi_point_t point,
mpi_ec_t ctx)
{
gcry_mpi_t z1, z2, z3;
if (!mpi_cmp_ui (point->z, 0))
return -1;
z1 = mpi_new (0);
z2 = mpi_new (0);
ec_invm (z1, point->z, ctx); /* z1 = z^(-1) mod p */
ec_mulm (z2, z1, z1, ctx); /* z2 = z^(-2) mod p */
if (x)
ec_mulm (x, point->x, z2, ctx);
if (y)
{
z3 = mpi_new (0);
ec_mulm (z3, z2, z1, ctx); /* z3 = z^(-3) mod p */
ec_mulm (y, point->y, z3, ctx);
mpi_free (z3);
}
mpi_free (z2);
mpi_free (z1);
return 0;
}
/* Return the parameters of the curve NAME. */
gcry_err_code_t
_gcry_ecc_get_param (const char *name, gcry_mpi_t *pkey)
{
gpg_err_code_t err;
unsigned int nbits;
elliptic_curve_t E;
mpi_ec_t ctx;
gcry_mpi_t g_x, g_y;
err = generate_curve (0, name, &E, &nbits);
if (err)
return err;
g_x = mpi_new (0);
g_y = mpi_new (0);
ctx = _gcry_mpi_ec_init (E.p, E.a);
if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
log_fatal ("ecc get param: Failed to get affine coordinates\n");
_gcry_mpi_ec_free (ctx);
point_free (&E.G);
pkey[0] = E.p;
pkey[1] = E.a;
pkey[2] = E.b;
pkey[3] = ec2os (g_x, g_y, E.p);
pkey[4] = E.n;
pkey[5] = NULL;
return 0;
}
/* Initialize the fields of a point object. gcry_mpi_point_free_parts
may be used to release the fields. */
void
_gcry_mpi_point_init (mpi_point_t p)
{
p->x = mpi_new (0);
p->y = mpi_new (0);
p->z = mpi_new (0);
}
/* Encode POINT using the EdDSA scheme. X and Y are either scratch
variables supplied by the caller or NULL. CTX is the usual
context. If WITH_PREFIX is set the returned buffer is prefixed
with a 0x40 byte. On success 0 is returned and a malloced buffer
with the encoded point is stored at R_BUFFER; the length of this
buffer is stored at R_BUFLEN. */
gpg_err_code_t
_gcry_ecc_eddsa_encodepoint (mpi_point_t point, mpi_ec_t ec,
gcry_mpi_t x_in, gcry_mpi_t y_in,
int with_prefix,
unsigned char **r_buffer, unsigned int *r_buflen)
{
gpg_err_code_t rc;
gcry_mpi_t x, y;
x = x_in? x_in : mpi_new (0);
y = y_in? y_in : mpi_new (0);
if (_gcry_mpi_ec_get_affine (x, y, point, ec))
{
log_error ("eddsa_encodepoint: Failed to get affine coordinates\n");
rc = GPG_ERR_INTERNAL;
}
else
rc = eddsa_encode_x_y (x, y, ec->nbits/8, with_prefix, r_buffer, r_buflen);
if (!x_in)
mpi_free (x);
if (!y_in)
mpi_free (y);
return rc;
}
/* Convert POINT into affine coordinates using the context CTX and
return a newly allocated MPI. If the conversion is not possible
NULL is returned. This function won't print an error message. */
gcry_mpi_t
_gcry_mpi_ec_ec2os (gcry_mpi_point_t point, mpi_ec_t ectx)
{
gcry_mpi_t g_x, g_y, result;
g_x = mpi_new (0);
g_y = mpi_new (0);
if (_gcry_mpi_ec_get_affine (g_x, g_y, point, ectx))
result = NULL;
else
result = _gcry_ecc_ec2os (g_x, g_y, ectx->p);
mpi_free (g_x);
mpi_free (g_y);
return result;
}
/* Return the parameters of the curve NAME as an S-expression. */
gcry_sexp_t
_gcry_ecc_get_param_sexp (const char *name)
{
unsigned int nbits;
elliptic_curve_t E;
mpi_ec_t ctx;
gcry_mpi_t g_x, g_y;
gcry_mpi_t pkey[7];
gcry_sexp_t result;
int i;
memset (&E, 0, sizeof E);
if (_gcry_ecc_fill_in_curve (0, name, &E, &nbits))
return NULL;
g_x = mpi_new (0);
g_y = mpi_new (0);
ctx = _gcry_mpi_ec_p_internal_new (MPI_EC_WEIERSTRASS,
ECC_DIALECT_STANDARD,
0,
E.p, E.a, NULL);
if (_gcry_mpi_ec_get_affine (g_x, g_y, &E.G, ctx))
log_fatal ("ecc get param: Failed to get affine coordinates\n");
_gcry_mpi_ec_free (ctx);
_gcry_mpi_point_free_parts (&E.G);
pkey[0] = E.p;
pkey[1] = E.a;
pkey[2] = E.b;
pkey[3] = _gcry_ecc_ec2os (g_x, g_y, E.p);
pkey[4] = E.n;
pkey[5] = E.h;
pkey[6] = NULL;
mpi_free (g_x);
mpi_free (g_y);
if (sexp_build (&result, NULL,
"(public-key(ecc(p%m)(a%m)(b%m)(g%m)(n%m)(h%m)))",
pkey[0], pkey[1], pkey[2], pkey[3], pkey[4], pkey[5]))
result = NULL;
for (i=0; pkey[i]; i++)
_gcry_mpi_release (pkey[i]);
return result;
}
/* Check that a freshly generated key actually works. Returns 0 on success. */
static int
test_keys (RSA_secret_key *sk, unsigned int nbits)
{
int result = -1; /* Default to failure. */
RSA_public_key pk;
gcry_mpi_t plaintext = mpi_new (nbits);
gcry_mpi_t ciphertext = mpi_new (nbits);
gcry_mpi_t decr_plaintext = mpi_new (nbits);
gcry_mpi_t signature = mpi_new (nbits);
/* Put the relevant parameters into a public key structure. */
pk.n = sk->n;
pk.e = sk->e;
/* Create a random plaintext. */
_gcry_mpi_randomize (plaintext, nbits, GCRY_WEAK_RANDOM);
/* Encrypt using the public key. */
public (ciphertext, plaintext, &pk);
/****************
* To verify correct skey it use a random information.
* First, encrypt and decrypt this dummy value,
* test if the information is recuperated.
* Second, test with the sign and verify functions.
*/
static void
test_keys (ECC_secret_key *sk, unsigned int nbits)
{
ECC_public_key pk;
gcry_mpi_t test = mpi_new (nbits);
mpi_point_t R_;
gcry_mpi_t c = mpi_new (nbits);
gcry_mpi_t out = mpi_new (nbits);
gcry_mpi_t r = mpi_new (nbits);
gcry_mpi_t s = mpi_new (nbits);
if (DBG_CIPHER)
log_debug ("Testing key.\n");
point_init (&R_);
pk.E = curve_copy (sk->E);
point_init (&pk.Q);
point_set (&pk.Q, &sk->Q);
gcry_mpi_randomize (test, nbits, GCRY_WEAK_RANDOM);
if (sign (test, sk, r, s) )
log_fatal ("ECDSA operation: sign failed\n");
if (verify (test, &pk, r, s))
{
log_fatal ("ECDSA operation: sign, verify failed\n");
}
if (DBG_CIPHER)
log_debug ("ECDSA operation: sign, verify ok.\n");
point_free (&pk.Q);
curve_free (&pk.E);
point_free (&R_);
mpi_free (s);
mpi_free (r);
mpi_free (out);
mpi_free (c);
mpi_free (test);
}
/* Extended version of ecc_generate which is called directly by
pubkey.c. If CURVE is not NULL, that name will be used to select
the domain parameters. NBITS is not used in this case. */
gcry_err_code_t
_gcry_ecc_generate (int algo, unsigned int nbits, const char *curve,
gcry_mpi_t *skey, gcry_mpi_t **retfactors)
{
gpg_err_code_t err;
ECC_secret_key sk;
gcry_mpi_t g_x, g_y, q_x, q_y;
(void)algo;
/* Make an empty list of factors. */
*retfactors = gcry_calloc ( 1, sizeof **retfactors );
if (!*retfactors)
return gpg_err_code_from_syserror ();
g_x = mpi_new (0);
g_y = mpi_new (0);
q_x = mpi_new (0);
q_y = mpi_new (0);
err = generate_key (&sk, nbits, curve, g_x, g_y, q_x, q_y);
if (err)
{
gcry_free (*retfactors);
*retfactors = NULL;
return err;
}
skey[0] = sk.E.p;
skey[1] = sk.E.a;
skey[2] = sk.E.b;
/* The function ec2os releases g_x and g_y. */
skey[3] = ec2os (g_x, g_y, sk.E.p);
skey[4] = sk.E.n;
/* The function ec2os releases g_x and g_y. */
skey[5] = ec2os (q_x, q_y, sk.E.p);
skey[6] = sk.d;
point_free (&sk.E.G);
point_free (&sk.Q);
return 0;
}
/****************
* Solve the right side of the equation that defines a curve.
*/
static gcry_mpi_t
gen_y_2 (gcry_mpi_t x, elliptic_curve_t *base)
{
gcry_mpi_t three, x_3, axb, y;
three = mpi_alloc_set_ui (3);
x_3 = mpi_new (0);
axb = mpi_new (0);
y = mpi_new (0);
mpi_powm (x_3, x, three, base->p);
mpi_mulm (axb, base->a, x, base->p);
mpi_addm (axb, axb, base->b, base->p);
mpi_addm (y, x_3, axb, base->p);
mpi_free (x_3);
mpi_free (axb);
mpi_free (three);
return y; /* The quadratic value of the coordinate if it exist. */
}
static void
do_powm (void)
{
gcry_mpi_t a;
if (stackidx < 3)
{
fputs ("stack underflow\n", stderr);
return;
}
a = mpi_new (0);
mpi_powm (a, stack[stackidx - 3], stack[stackidx - 2], stack[stackidx - 1]);
mpi_release (stack[stackidx - 3]);
stack[stackidx - 3] = a;
stackidx -= 2;
}
static void
do_gcd (void)
{
gcry_mpi_t a;
if (stackidx < 2)
{
fputs ("stack underflow\n", stderr);
return;
}
a = mpi_new (0);
mpi_gcd (a, stack[stackidx - 2], stack[stackidx - 1]);
mpi_set (stack[stackidx - 2], a);
mpi_release (a);
stackidx--;
}
int
main (int argc, char **argv)
{
const char *pgm;
int last_argc = -1;
int print_config = 0;
int i, c;
int state = 0;
char strbuf[4096];
int stridx = 0;
if (argc)
{
pgm = strrchr (*argv, '/');
if (pgm)
pgm++;
else
pgm = *argv;
argc--; argv++;
}
else
pgm = "?";
while (argc && last_argc != argc )
{
last_argc = argc;
if (!strcmp (*argv, "--"))
{
argc--; argv++;
break;
}
else if (!strcmp (*argv, "--version")
|| !strcmp (*argv, "--help"))
{
printf ("%s " MPICALC_VERSION "\n"
"libgcrypt %s\n"
"Copyright (C) 1997, 2013 Werner Koch\n"
"License LGPLv2.1+: GNU LGPL version 2.1 or later "
"<http://gnu.org/licenses/old-licenses/lgpl-2.1.html>\n"
"This is free software: you are free to change and "
"redistribute it.\n"
"There is NO WARRANTY, to the extent permitted by law.\n"
"\n"
"Syntax: mpicalc [options]\n"
"Simple interactive big integer RPN calculator\n"
"\n"
"Options:\n"
" --version print version information\n"
" --print-config print the Libgcrypt config\n"
" --disable-hwf NAME disable feature NAME\n",
pgm, gcry_check_version (NULL));
exit (0);
}
else if (!strcmp (*argv, "--print-config"))
{
argc--; argv++;
print_config = 1;
}
else if (!strcmp (*argv, "--disable-hwf"))
{
argc--; argv++;
if (argc)
{
if (gcry_control (GCRYCTL_DISABLE_HWF, *argv, NULL))
fprintf (stderr, "%s: unknown hardware feature `%s'"
" - option ignored\n", pgm, *argv);
argc--; argv++;
}
}
}
if (argc)
{
fprintf (stderr, "usage: %s [options] (--help for help)\n", pgm);
exit (1);
}
if (!gcry_check_version (NEED_LIBGCRYPT_VERSION))
{
fprintf (stderr, "%s: Libgcrypt is too old (need %s, have %s)\n",
pgm, NEED_LIBGCRYPT_VERSION, gcry_check_version (NULL) );
exit (1);
}
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
if (print_config)
{
gcry_control (GCRYCTL_PRINT_CONFIG, stdout);
exit (0);
}
for (i = 0; i < STACKSIZE; i++)
stack[i] = NULL;
stackidx = 0;
while ((c = my_getc ()) != EOF)
{
if (!state) /* waiting */
{
if (isdigit (c))
{
state = 1;
ungetc (c, stdin);
strbuf[0] = '0';
strbuf[1] = 'x';
stridx = 2;
}
else if (isspace (c))
;
else
{
switch (c)
{
case '#':
state = 2;
break;
case '+':
if ((c = my_getc ()) == '+')
do_inc ();
else
{
ungetc (c, stdin);
do_add ();
}
break;
case '-':
if ((c = my_getc ()) == '-')
do_dec ();
else if (isdigit (c)
|| (c >= 'A' && c <= 'F')
|| (c >= 'a' && c <= 'f'))
{
state = 1;
ungetc (c, stdin);
strbuf[0] = '-';
strbuf[1] = '0';
strbuf[2] = 'x';
stridx = 3;
}
else
{
ungetc (c, stdin);
do_sub ();
}
break;
case '*':
do_mul ();
break;
case 'm':
do_mulm ();
break;
case '/':
do_div ();
break;
case '%':
do_rem ();
break;
case '^':
do_powm ();
break;
case '<':
do_lshift ();
break;
case '>':
do_rshift ();
break;
case 'I':
do_inv ();
break;
case 'G':
do_gcd ();
break;
case 'i': /* dummy */
if (!stackidx)
fputs ("stack underflow\n", stderr);
else
{
mpi_release (stack[stackidx - 1]);
stackidx--;
}
break;
case 'd': /* duplicate the tos */
if (!stackidx)
fputs ("stack underflow\n", stderr);
else if (stackidx < STACKSIZE)
{
mpi_release (stack[stackidx]);
stack[stackidx] = mpi_copy (stack[stackidx - 1]);
stackidx++;
}
else
fputs ("stack overflow\n", stderr);
break;
case 'r': /* swap top elements */
if (stackidx < 2)
fputs ("stack underflow\n", stderr);
else if (stackidx < STACKSIZE)
{
gcry_mpi_t tmp = stack[stackidx-1];
stack[stackidx-1] = stack[stackidx - 2];
stack[stackidx-2] = tmp;
}
break;
case 'b':
do_nbits ();
break;
case 'P':
do_primecheck ();
break;
case 'c':
for (i = 0; i < stackidx; i++)
{
mpi_release (stack[i]); stack[i] = NULL;
}
stackidx = 0;
break;
case 'p': /* print the tos */
if (!stackidx)
puts ("stack is empty");
else
{
print_mpi (stack[stackidx - 1]);
putchar ('\n');
}
break;
case 'f': /* print the stack */
for (i = stackidx - 1; i >= 0; i--)
{
printf ("[%2d]: ", i);
print_mpi (stack[i]);
putchar ('\n');
}
break;
case '?':
print_help ();
break;
default:
fputs ("invalid operator\n", stderr);
}
}
}
else if (state == 1) /* In a number. */
{
if (!isxdigit (c))
{
/* Store the number */
state = 0;
ungetc (c, stdin);
if (stridx < sizeof strbuf)
strbuf[stridx] = 0;
if (stackidx < STACKSIZE)
{
if (!stack[stackidx])
stack[stackidx] = mpi_new (0);
if (scan_mpi (stack[stackidx], strbuf))
fputs ("invalid number\n", stderr);
else
stackidx++;
}
else
fputs ("stack overflow\n", stderr);
}
else
{ /* Store a digit. */
if (stridx < sizeof strbuf - 1)
strbuf[stridx++] = c;
else if (stridx == sizeof strbuf - 1)
{
strbuf[stridx] = 0;
fputs ("input too large - truncated\n", stderr);
stridx++;
}
}
}
else if (state == 2) /* In a comment. */
{
if (c == '\n')
state = 0;
}
}
for (i = 0; i < stackidx; i++)
mpi_release (stack[i]);
return 0;
}
/* Recover X from Y and SIGN (which actually is a parity bit). */
gpg_err_code_t
_gcry_ecc_eddsa_recover_x (gcry_mpi_t x, gcry_mpi_t y, int sign, mpi_ec_t ec)
{
gpg_err_code_t rc = 0;
gcry_mpi_t u, v, v3, t;
static gcry_mpi_t p58, seven;
if (ec->dialect != ECC_DIALECT_ED25519)
return GPG_ERR_NOT_IMPLEMENTED;
if (!p58)
p58 = scanval ("0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD");
if (!seven)
seven = mpi_set_ui (NULL, 7);
u = mpi_new (0);
v = mpi_new (0);
v3 = mpi_new (0);
t = mpi_new (0);
/* Compute u and v */
/* u = y^2 */
mpi_mulm (u, y, y, ec->p);
/* v = b*y^2 */
mpi_mulm (v, ec->b, u, ec->p);
/* u = y^2-1 */
mpi_sub_ui (u, u, 1);
/* v = b*y^2+1 */
mpi_add_ui (v, v, 1);
/* Compute sqrt(u/v) */
/* v3 = v^3 */
mpi_powm (v3, v, mpi_const (MPI_C_THREE), ec->p);
/* t = v3 * v3 * u * v = u * v^7 */
mpi_powm (t, v, seven, ec->p);
mpi_mulm (t, t, u, ec->p);
/* t = t^((p-5)/8) = (u * v^7)^((p-5)/8) */
mpi_powm (t, t, p58, ec->p);
/* x = t * u * v^3 = (u * v^3) * (u * v^7)^((p-5)/8) */
mpi_mulm (t, t, u, ec->p);
mpi_mulm (x, t, v3, ec->p);
/* Adjust if needed. */
/* t = v * x^2 */
mpi_mulm (t, x, x, ec->p);
mpi_mulm (t, t, v, ec->p);
/* -t == u ? x = x * sqrt(-1) */
mpi_neg (t, t);
if (!mpi_cmp (t, u))
{
static gcry_mpi_t m1; /* Fixme: this is not thread-safe. */
if (!m1)
m1 = scanval ("2B8324804FC1DF0B2B4D00993DFBD7A7"
"2F431806AD2FE478C4EE1B274A0EA0B0");
mpi_mulm (x, x, m1, ec->p);
/* t = v * x^2 */
mpi_mulm (t, x, x, ec->p);
mpi_mulm (t, t, v, ec->p);
/* -t == u ? x = x * sqrt(-1) */
mpi_neg (t, t);
if (!mpi_cmp (t, u))
rc = GPG_ERR_INV_OBJ;
}
/* Choose the desired square root according to parity */
if (mpi_test_bit (x, 0) != !!sign)
mpi_sub (x, ec->p, x);
mpi_free (t);
mpi_free (v3);
mpi_free (v);
mpi_free (u);
return rc;
}
/**
* _gcry_ecc_eddsa_genkey - EdDSA version of the key generation.
*
* @sk: A struct to receive the secret key.
* @E: Parameters of the curve.
* @ctx: Elliptic curve computation context.
* @flags: Flags controlling aspects of the creation.
*
* Return: An error code.
*
* The only @flags bit used by this function is %PUBKEY_FLAG_TRANSIENT
* to use a faster RNG.
*/
gpg_err_code_t
_gcry_ecc_eddsa_genkey (ECC_secret_key *sk, elliptic_curve_t *E, mpi_ec_t ctx,
int flags)
{
gpg_err_code_t rc;
int b = 256/8; /* The only size we currently support. */
gcry_mpi_t a, x, y;
mpi_point_struct Q;
gcry_random_level_t random_level;
char *dbuf;
size_t dlen;
gcry_buffer_t hvec[1];
unsigned char *hash_d = NULL;
point_init (&Q);
memset (hvec, 0, sizeof hvec);
if ((flags & PUBKEY_FLAG_TRANSIENT_KEY))
random_level = GCRY_STRONG_RANDOM;
else
random_level = GCRY_VERY_STRONG_RANDOM;
a = mpi_snew (0);
x = mpi_new (0);
y = mpi_new (0);
/* Generate a secret. */
hash_d = xtrymalloc_secure (2*b);
if (!hash_d)
{
rc = gpg_error_from_syserror ();
goto leave;
}
dlen = b;
dbuf = _gcry_random_bytes_secure (dlen, random_level);
/* Compute the A value. */
hvec[0].data = dbuf;
hvec[0].len = dlen;
rc = _gcry_md_hash_buffers (GCRY_MD_SHA512, 0, hash_d, hvec, 1);
if (rc)
goto leave;
sk->d = _gcry_mpi_set_opaque (NULL, dbuf, dlen*8);
dbuf = NULL;
reverse_buffer (hash_d, 32); /* Only the first half of the hash. */
hash_d[0] = (hash_d[0] & 0x7f) | 0x40;
hash_d[31] &= 0xf8;
_gcry_mpi_set_buffer (a, hash_d, 32, 0);
xfree (hash_d); hash_d = NULL;
/* log_printmpi ("ecgen a", a); */
/* Compute Q. */
_gcry_mpi_ec_mul_point (&Q, a, &E->G, ctx);
if (DBG_CIPHER)
log_printpnt ("ecgen pk", &Q, ctx);
/* Copy the stuff to the key structures. */
sk->E.model = E->model;
sk->E.dialect = E->dialect;
sk->E.p = mpi_copy (E->p);
sk->E.a = mpi_copy (E->a);
sk->E.b = mpi_copy (E->b);
point_init (&sk->E.G);
point_set (&sk->E.G, &E->G);
sk->E.n = mpi_copy (E->n);
point_init (&sk->Q);
point_set (&sk->Q, &Q);
leave:
point_free (&Q);
_gcry_mpi_release (a);
_gcry_mpi_release (x);
_gcry_mpi_release (y);
xfree (hash_d);
return rc;
}
/* Compute an EdDSA signature. See:
* [ed25519] 23pp. (PDF) Daniel J. Bernstein, Niels Duif, Tanja
* Lange, Peter Schwabe, Bo-Yin Yang. High-speed high-security
* signatures. Journal of Cryptographic Engineering 2 (2012), 77-89.
* Document ID: a1a62a2f76d23f65d622484ddd09caf8.
* URL: http://cr.yp.to/papers.html#ed25519. Date: 2011.09.26.
*
* Despite that this function requires the specification of a hash
* algorithm, we only support what has been specified by the paper.
* This may change in the future. Note that we don't check the used
* curve; the user is responsible to use Ed25519.
*
* Return the signature struct (r,s) from the message hash. The caller
* must have allocated R_R and S.
*/
gpg_err_code_t
_gcry_ecc_eddsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
gcry_mpi_t r_r, gcry_mpi_t s, int hashalgo, gcry_mpi_t pk)
{
int rc;
mpi_ec_t ctx = NULL;
int b;
unsigned int tmp;
unsigned char *digest;
gcry_buffer_t hvec[3];
const void *mbuf;
size_t mlen;
unsigned char *rawmpi = NULL;
unsigned int rawmpilen;
unsigned char *encpk = NULL; /* Encoded public key. */
unsigned int encpklen;
mpi_point_struct I; /* Intermediate value. */
mpi_point_struct Q; /* Public key. */
gcry_mpi_t a, x, y, r;
memset (hvec, 0, sizeof hvec);
if (!mpi_is_opaque (input))
return GPG_ERR_INV_DATA;
/* Initialize some helpers. */
point_init (&I);
point_init (&Q);
a = mpi_snew (0);
x = mpi_new (0);
y = mpi_new (0);
r = mpi_new (0);
ctx = _gcry_mpi_ec_p_internal_new (skey->E.model, skey->E.dialect, 0,
skey->E.p, skey->E.a, skey->E.b);
b = (ctx->nbits+7)/8;
if (b != 256/8)
return GPG_ERR_INTERNAL; /* We only support 256 bit. */
rc = _gcry_ecc_eddsa_compute_h_d (&digest, skey->d, ctx);
if (rc)
goto leave;
_gcry_mpi_set_buffer (a, digest, 32, 0);
/* Compute the public key if it has not been supplied as optional
parameter. */
if (pk)
{
rc = _gcry_ecc_eddsa_decodepoint (pk, ctx, &Q, &encpk, &encpklen);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printhex ("* e_pk", encpk, encpklen);
if (!_gcry_mpi_ec_curve_point (&Q, ctx))
{
rc = GPG_ERR_BROKEN_PUBKEY;
goto leave;
}
}
else
{
_gcry_mpi_ec_mul_point (&Q, a, &skey->E.G, ctx);
rc = _gcry_ecc_eddsa_encodepoint (&Q, ctx, x, y, 0, &encpk, &encpklen);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printhex (" e_pk", encpk, encpklen);
}
/* Compute R. */
mbuf = mpi_get_opaque (input, &tmp);
mlen = (tmp +7)/8;
if (DBG_CIPHER)
log_printhex (" m", mbuf, mlen);
hvec[0].data = digest;
hvec[0].off = 32;
hvec[0].len = 32;
hvec[1].data = (char*)mbuf;
hvec[1].len = mlen;
rc = _gcry_md_hash_buffers (hashalgo, 0, digest, hvec, 2);
if (rc)
goto leave;
reverse_buffer (digest, 64);
if (DBG_CIPHER)
log_printhex (" r", digest, 64);
_gcry_mpi_set_buffer (r, digest, 64, 0);
_gcry_mpi_ec_mul_point (&I, r, &skey->E.G, ctx);
if (DBG_CIPHER)
log_printpnt (" r", &I, ctx);
/* Convert R into affine coordinates and apply encoding. */
rc = _gcry_ecc_eddsa_encodepoint (&I, ctx, x, y, 0, &rawmpi, &rawmpilen);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printhex (" e_r", rawmpi, rawmpilen);
/* S = r + a * H(encodepoint(R) + encodepoint(pk) + m) mod n */
hvec[0].data = rawmpi; /* (this is R) */
hvec[0].off = 0;
hvec[0].len = rawmpilen;
hvec[1].data = encpk;
hvec[1].off = 0;
hvec[1].len = encpklen;
hvec[2].data = (char*)mbuf;
hvec[2].off = 0;
hvec[2].len = mlen;
rc = _gcry_md_hash_buffers (hashalgo, 0, digest, hvec, 3);
if (rc)
goto leave;
/* No more need for RAWMPI thus we now transfer it to R_R. */
mpi_set_opaque (r_r, rawmpi, rawmpilen*8);
rawmpi = NULL;
reverse_buffer (digest, 64);
if (DBG_CIPHER)
log_printhex (" H(R+)", digest, 64);
_gcry_mpi_set_buffer (s, digest, 64, 0);
mpi_mulm (s, s, a, skey->E.n);
mpi_addm (s, s, r, skey->E.n);
rc = eddsa_encodempi (s, b, &rawmpi, &rawmpilen);
if (rc)
goto leave;
if (DBG_CIPHER)
log_printhex (" e_s", rawmpi, rawmpilen);
mpi_set_opaque (s, rawmpi, rawmpilen*8);
rawmpi = NULL;
rc = 0;
leave:
_gcry_mpi_release (a);
_gcry_mpi_release (x);
_gcry_mpi_release (y);
_gcry_mpi_release (r);
xfree (digest);
_gcry_mpi_ec_free (ctx);
point_free (&I);
point_free (&Q);
xfree (encpk);
xfree (rawmpi);
return rc;
}
/* Verify an EdDSA signature. See sign_eddsa for the reference.
* Check if R_IN and S_IN verifies INPUT. PKEY has the curve
* parameters and PK is the EdDSA style encoded public key.
*/
gpg_err_code_t
_gcry_ecc_eddsa_verify (gcry_mpi_t input, ECC_public_key *pkey,
gcry_mpi_t r_in, gcry_mpi_t s_in, int hashalgo,
gcry_mpi_t pk)
{
int rc;
mpi_ec_t ctx = NULL;
int b;
unsigned int tmp;
mpi_point_struct Q; /* Public key. */
unsigned char *encpk = NULL; /* Encoded public key. */
unsigned int encpklen;
const void *mbuf, *rbuf;
unsigned char *tbuf = NULL;
size_t mlen, rlen;
unsigned int tlen;
unsigned char digest[64];
gcry_buffer_t hvec[3];
gcry_mpi_t h, s;
mpi_point_struct Ia, Ib;
if (!mpi_is_opaque (input) || !mpi_is_opaque (r_in) || !mpi_is_opaque (s_in))
return GPG_ERR_INV_DATA;
if (hashalgo != GCRY_MD_SHA512)
return GPG_ERR_DIGEST_ALGO;
point_init (&Q);
point_init (&Ia);
point_init (&Ib);
h = mpi_new (0);
s = mpi_new (0);
ctx = _gcry_mpi_ec_p_internal_new (pkey->E.model, pkey->E.dialect, 0,
pkey->E.p, pkey->E.a, pkey->E.b);
b = ctx->nbits/8;
if (b != 256/8)
return GPG_ERR_INTERNAL; /* We only support 256 bit. */
/* Decode and check the public key. */
rc = _gcry_ecc_eddsa_decodepoint (pk, ctx, &Q, &encpk, &encpklen);
if (rc)
goto leave;
if (!_gcry_mpi_ec_curve_point (&Q, ctx))
{
rc = GPG_ERR_BROKEN_PUBKEY;
goto leave;
}
if (DBG_CIPHER)
log_printhex (" e_pk", encpk, encpklen);
if (encpklen != b)
{
rc = GPG_ERR_INV_LENGTH;
goto leave;
}
/* Convert the other input parameters. */
mbuf = mpi_get_opaque (input, &tmp);
mlen = (tmp +7)/8;
if (DBG_CIPHER)
log_printhex (" m", mbuf, mlen);
rbuf = mpi_get_opaque (r_in, &tmp);
rlen = (tmp +7)/8;
if (DBG_CIPHER)
log_printhex (" r", rbuf, rlen);
if (rlen != b)
{
rc = GPG_ERR_INV_LENGTH;
goto leave;
}
/* h = H(encodepoint(R) + encodepoint(pk) + m) */
hvec[0].data = (char*)rbuf;
hvec[0].off = 0;
hvec[0].len = rlen;
hvec[1].data = encpk;
hvec[1].off = 0;
hvec[1].len = encpklen;
hvec[2].data = (char*)mbuf;
hvec[2].off = 0;
hvec[2].len = mlen;
rc = _gcry_md_hash_buffers (hashalgo, 0, digest, hvec, 3);
if (rc)
goto leave;
reverse_buffer (digest, 64);
if (DBG_CIPHER)
log_printhex (" H(R+)", digest, 64);
_gcry_mpi_set_buffer (h, digest, 64, 0);
/* According to the paper the best way for verification is:
encodepoint(sG - h·Q) = encodepoint(r)
because we don't need to decode R. */
{
void *sbuf;
unsigned int slen;
sbuf = _gcry_mpi_get_opaque_copy (s_in, &tmp);
slen = (tmp +7)/8;
reverse_buffer (sbuf, slen);
if (DBG_CIPHER)
log_printhex (" s", sbuf, slen);
_gcry_mpi_set_buffer (s, sbuf, slen, 0);
xfree (sbuf);
if (slen != b)
{
rc = GPG_ERR_INV_LENGTH;
goto leave;
}
}
_gcry_mpi_ec_mul_point (&Ia, s, &pkey->E.G, ctx);
_gcry_mpi_ec_mul_point (&Ib, h, &Q, ctx);
_gcry_mpi_neg (Ib.x, Ib.x);
_gcry_mpi_ec_add_points (&Ia, &Ia, &Ib, ctx);
rc = _gcry_ecc_eddsa_encodepoint (&Ia, ctx, s, h, 0, &tbuf, &tlen);
if (rc)
goto leave;
if (tlen != rlen || memcmp (tbuf, rbuf, tlen))
{
rc = GPG_ERR_BAD_SIGNATURE;
goto leave;
}
rc = 0;
leave:
xfree (encpk);
xfree (tbuf);
_gcry_mpi_ec_free (ctx);
_gcry_mpi_release (s);
_gcry_mpi_release (h);
point_free (&Ia);
point_free (&Ib);
point_free (&Q);
return rc;
}
