void gotr_ecbd_gen_flake_key(gcry_mpi_point_t *ret, gcry_mpi_point_t y0, gcry_mpi_t r1, gcry_mpi_point_t R1, gcry_mpi_point_t R0, gcry_mpi_point_t V1) { gcry_mpi_point_t tmp = gcry_mpi_point_new(0); gcry_mpi_t n = gcry_mpi_new(0); gcry_mpi_point_release(*ret); *ret = gcry_mpi_point_new(0); gcry_mpi_mul_ui(n, r1, 4); gcry_mpi_ec_mul(*ret, n, y0, edctx); gcry_mpi_set_ui(n, 3); gcry_mpi_ec_mul(tmp, n, R1, edctx); gcry_mpi_ec_add(*ret, *ret, tmp, edctx); gcry_mpi_ec_dup(tmp, R0, edctx); gcry_mpi_ec_add(*ret, *ret, tmp, edctx); gcry_mpi_ec_add(*ret, *ret, V1, edctx); gcry_mpi_point_release(tmp); gcry_mpi_release(n); }
static char *test_serialization() { struct gotr_dhe_skey priv; struct gotr_dhe_pkey pub; gcry_mpi_t x1, x2, y1, y2; gcry_mpi_point_t p1, p2; unsigned char *ser; gotr_ecdhe_key_create(&priv); gotr_ecdhe_key_get_public(&priv, &pub); p1 = deserialize_point(pub.q_y, 32); ser = serialize_point(p1); mu_assert("ERROR: deserialization->serialization failed", memcmp(pub.q_y, ser, 32) == 0); x1 = gcry_mpi_new(0); x2 = gcry_mpi_new(0); y1 = gcry_mpi_new(0); y2 = gcry_mpi_new(0); p2 = deserialize_point(ser, 32); free(ser); gcry_mpi_ec_get_affine(x1, y1, p1, edctx); gcry_mpi_ec_get_affine(x2, y2, p2, edctx); int res = gcry_mpi_cmp(x1, x2) || gcry_mpi_cmp(y1, y2); gcry_mpi_point_release(p1); gcry_mpi_point_release(p2); mu_assert("ERROR: serialization->deserialization failed", res == 0); return 0; }
/** * Do pre-calculation for ECC discrete logarithm for small factors. * * @param max maximum value the factor can be * @param mem memory to use (should be smaller than @a max), must not be zero. * @return @a max if dlog failed, otherwise the factor */ struct GNUNET_CRYPTO_EccDlogContext * GNUNET_CRYPTO_ecc_dlog_prepare (unsigned int max, unsigned int mem) { struct GNUNET_CRYPTO_EccDlogContext *edc; unsigned int K = ((max + (mem-1)) / mem); gcry_mpi_point_t g; struct GNUNET_PeerIdentity key; gcry_mpi_point_t gKi; gcry_mpi_t fact; gcry_mpi_t n; unsigned int i; GNUNET_assert (max < INT32_MAX); edc = GNUNET_new (struct GNUNET_CRYPTO_EccDlogContext); edc->max = max; edc->mem = mem; edc->map = GNUNET_CONTAINER_multipeermap_create (mem * 2, GNUNET_NO); GNUNET_assert (0 == gcry_mpi_ec_new (&edc->ctx, NULL, CURVE)); g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); fact = gcry_mpi_new (0); gKi = gcry_mpi_point_new (0); for (i=0;i<=mem;i++) { gcry_mpi_set_ui (fact, i * K); gcry_mpi_ec_mul (gKi, fact, g, edc->ctx); extract_pk (gKi, edc->ctx, &key); GNUNET_assert (GNUNET_OK == GNUNET_CONTAINER_multipeermap_put (edc->map, &key, (void*) (long) i + max, GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); } /* negative values */ n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); for (i=1;i<mem;i++) { gcry_mpi_set_ui (fact, i * K); gcry_mpi_sub (fact, n, fact); gcry_mpi_ec_mul (gKi, fact, g, edc->ctx); extract_pk (gKi, edc->ctx, &key); GNUNET_assert (GNUNET_OK == GNUNET_CONTAINER_multipeermap_put (edc->map, &key, (void*) (long) max - i, GNUNET_CONTAINER_MULTIHASHMAPOPTION_UNIQUE_ONLY)); } gcry_mpi_release (fact); gcry_mpi_release (n); gcry_mpi_point_release (gKi); gcry_mpi_point_release (g); return edc; }
/** * Do some DLOG operations for testing. * * @param edc context for ECC operations * @param do_dlog #GNUNET_YES if we want to actually do the bencharked operation */ static void test_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, int do_dlog) { gcry_mpi_t fact; gcry_mpi_t n; gcry_ctx_t ctx; gcry_mpi_point_t q; gcry_mpi_point_t g; unsigned int i; int x; int iret; GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); g = gcry_mpi_ec_get_point ("g", ctx, 0); GNUNET_assert (NULL != g); n = gcry_mpi_ec_get_mpi ("n", ctx, 0); q = gcry_mpi_point_new (0); fact = gcry_mpi_new (0); for (i=0;i<TEST_ITER;i++) { fprintf (stderr, "."); x = GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, MAX_FACT); if (0 == GNUNET_CRYPTO_random_u32 (GNUNET_CRYPTO_QUALITY_WEAK, 2)) { gcry_mpi_set_ui (fact, x); gcry_mpi_sub (fact, n, fact); x = - x; } else { gcry_mpi_set_ui (fact, x); } gcry_mpi_ec_mul (q, fact, g, ctx); if ( (GNUNET_YES == do_dlog) && (x != (iret = GNUNET_CRYPTO_ecc_dlog (edc, q))) ) { fprintf (stderr, "DLOG failed for value %d (%d)\n", x, iret); GNUNET_assert (0); } } gcry_mpi_release (fact); gcry_mpi_release (n); gcry_mpi_point_release (g); gcry_mpi_point_release (q); gcry_ctx_release (ctx); fprintf (stderr, "\n"); }
static int x25519_mpi(unsigned char *q, const unsigned char *n, gcry_mpi_t mpi_p) { unsigned char priv_be[32]; unsigned char result_be[32]; size_t result_len = 0; gcry_mpi_t mpi = NULL; gcry_ctx_t ctx = NULL; gcry_mpi_point_t P = NULL; gcry_mpi_point_t Q = NULL; int r = -1; /* Default to infinity (all zeroes). */ memset(q, 0, 32); /* Keys are in little-endian, but gcry_mpi_scan expects big endian. Convert * keys and ensure that the result is a valid Curve25519 secret scalar. */ copy_and_reverse(priv_be, n, 32); priv_be[0] &= 127; priv_be[0] |= 64; priv_be[31] &= 248; gcry_mpi_scan(&mpi, GCRYMPI_FMT_USG, priv_be, 32, NULL); if (gcry_mpi_ec_new(&ctx, NULL, "Curve25519")) { /* Should not happen, possibly out-of-memory. */ goto leave; } /* Compute Q = nP */ Q = gcry_mpi_point_new(0); P = gcry_mpi_point_set(NULL, mpi_p, NULL, GCRYMPI_CONST_ONE); gcry_mpi_ec_mul(Q, mpi, P, ctx); /* Note: mpi is reused to store the result. */ if (gcry_mpi_ec_get_affine(mpi, NULL, Q, ctx)) { /* Infinity. */ goto leave; } if (gcry_mpi_print(GCRYMPI_FMT_USG, result_be, 32, &result_len, mpi)) { /* Should not happen, possibly out-of-memory. */ goto leave; } copy_and_reverse(q, result_be, result_len); r = 0; leave: gcry_mpi_point_release(P); gcry_mpi_point_release(Q); gcry_ctx_release(ctx); gcry_mpi_release(mpi); /* XXX erase priv_be and result_be */ return r; }
/** * Multiply the generator g of the elliptic curve by @a val * to obtain the point on the curve representing @a val. * Afterwards, point addition will correspond to integer * addition. #GNUNET_CRYPTO_ecc_dlog() can be used to * convert a point back to an integer (as long as the * integer is smaller than the MAX of the @a edc context). * * @param edc calculation context for ECC operations * @param val value to encode into a point * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ gcry_mpi_point_t GNUNET_CRYPTO_ecc_dexp (struct GNUNET_CRYPTO_EccDlogContext *edc, int val) { gcry_mpi_t fact; gcry_mpi_t n; gcry_mpi_point_t g; gcry_mpi_point_t r; g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); fact = gcry_mpi_new (0); if (val < 0) { n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); gcry_mpi_set_ui (fact, - val); gcry_mpi_sub (fact, n, fact); gcry_mpi_release (n); } else { gcry_mpi_set_ui (fact, val); } r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (r, fact, g, edc->ctx); gcry_mpi_release (fact); gcry_mpi_point_release (g); return r; }
/** * Obtain a random point on the curve and its * additive inverse. Both returned values * must be freed using #GNUNET_CRYPTO_ecc_free(). * * @param edc calculation context for ECC operations * @param[out] r set to a random point on the curve * @param[out] r_inv set to the additive inverse of @a r */ void GNUNET_CRYPTO_ecc_rnd (struct GNUNET_CRYPTO_EccDlogContext *edc, gcry_mpi_point_t *r, gcry_mpi_point_t *r_inv) { gcry_mpi_t fact; gcry_mpi_t n; gcry_mpi_point_t g; fact = GNUNET_CRYPTO_ecc_random_mod_n (edc); /* calculate 'r' */ g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); *r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (*r, fact, g, edc->ctx); /* calculate 'r_inv' */ n = gcry_mpi_ec_get_mpi ("n", edc->ctx, 1); gcry_mpi_sub (fact, n, fact); /* fact = n - fact = - fact */ *r_inv = gcry_mpi_point_new (0); gcry_mpi_ec_mul (*r_inv, fact, g, edc->ctx); gcry_mpi_release (n); gcry_mpi_release (fact); gcry_mpi_point_release (g); }
/** * Calculate ECC discrete logarithm for small factors. * * @param edc precalculated values, determine range of factors * @param input point on the curve to factor * @return `edc->max` if dlog failed, otherwise the factor */ int GNUNET_CRYPTO_ecc_dlog (struct GNUNET_CRYPTO_EccDlogContext *edc, gcry_mpi_point_t input) { unsigned int K = ((edc->max + (edc->mem-1)) / edc->mem); gcry_mpi_point_t g; struct GNUNET_PeerIdentity key; gcry_mpi_point_t q; unsigned int i; int res; void *retp; g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); q = gcry_mpi_point_new (0); res = edc->max; for (i=0;i<=edc->max/edc->mem;i++) { if (0 == i) extract_pk (input, edc->ctx, &key); else extract_pk (q, edc->ctx, &key); retp = GNUNET_CONTAINER_multipeermap_get (edc->map, &key); if (NULL != retp) { res = (((long) retp) - edc->max) * K - i; /* we continue the loop here to make the implementation "constant-time". If we do not care about this, we could just 'break' here and do fewer operations... */ } if (i == edc->max/edc->mem) break; /* q = q + g */ if (0 == i) gcry_mpi_ec_add (q, input, g, edc->ctx); else gcry_mpi_ec_add (q, q, g, edc->ctx); } gcry_mpi_point_release (g); gcry_mpi_point_release (q); return res; }
void gotr_ecbd_gen_circle_key(gcry_mpi_point_t *ret, gcry_mpi_point_t *X, gcry_mpi_point_t Z, gcry_mpi_t r) { gcry_mpi_point_t tmp = gcry_mpi_point_new(0); gcry_mpi_t n = gcry_mpi_new(0); unsigned int i; gcry_mpi_point_release(*ret); *ret = gcry_mpi_point_set(NULL, NULL, GCRYMPI_CONST_ONE, GCRYMPI_CONST_ONE); for (i = 0; X[i]; i++) { gcry_mpi_set_ui(n, i+1); gcry_mpi_ec_mul(tmp, n, X[i], edctx); gcry_mpi_ec_add(*ret, *ret, tmp, edctx); } gcry_mpi_mul_ui(n, r, i+1); gcry_mpi_ec_mul(tmp, n, Z, edctx); gcry_mpi_ec_add(*ret, *ret, tmp, edctx); gcry_mpi_release(n); gcry_mpi_point_release(tmp); }
gpg_err_code_t _gcry_mpi_ec_set_point (const char *name, gcry_mpi_point_t newvalue, gcry_ctx_t ctx) { mpi_ec_t ec = _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC); if (!strcmp (name, "g")) { gcry_mpi_point_release (ec->G); ec->G = point_copy (newvalue); } else if (!strcmp (name, "q")) { gcry_mpi_point_release (ec->Q); ec->Q = point_copy (newvalue); } else return GPG_ERR_UNKNOWN_NAME; return 0; }
static void set_get_point (void) { gcry_mpi_point_t point; gcry_mpi_t x, y, z; wherestr = "set_get_point"; show ("checking point setting functions\n"); point = gcry_mpi_point_new (0); x = gcry_mpi_set_ui (NULL, 17); y = gcry_mpi_set_ui (NULL, 42); z = gcry_mpi_set_ui (NULL, 11371); gcry_mpi_point_get (x, y, z, point); if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) fail ("new point not initialized to (0,0,0)\n"); gcry_mpi_point_snatch_get (x, y, z, point); point = NULL; if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) fail ("snatch_get failed\n"); gcry_mpi_release (x); gcry_mpi_release (y); gcry_mpi_release (z); point = gcry_mpi_point_new (0); x = gcry_mpi_set_ui (NULL, 17); y = gcry_mpi_set_ui (NULL, 42); z = gcry_mpi_set_ui (NULL, 11371); gcry_mpi_point_set (point, x, y, z); gcry_mpi_set_ui (x, 23); gcry_mpi_set_ui (y, 24); gcry_mpi_set_ui (z, 25); gcry_mpi_point_get (x, y, z, point); if (gcry_mpi_cmp_ui (x, 17) || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) fail ("point_set/point_get failed\n"); gcry_mpi_point_snatch_set (point, x, y, z); x = gcry_mpi_new (0); y = gcry_mpi_new (0); z = gcry_mpi_new (0); gcry_mpi_point_get (x, y, z, point); if (gcry_mpi_cmp_ui (x, 17) || gcry_mpi_cmp_ui (y, 42) || gcry_mpi_cmp_ui (z, 11371)) fail ("point_snatch_set/point_get failed\n"); gcry_mpi_point_release (point); gcry_mpi_release (x); gcry_mpi_release (y); gcry_mpi_release (z); }
/** * Multiply the generator g of the elliptic curve by @a val * to obtain the point on the curve representing @a val. * * @param edc calculation context for ECC operations * @param val (positive) value to encode into a point * @return representation of the value as an ECC point, * must be freed using #GNUNET_CRYPTO_ecc_free() */ gcry_mpi_point_t GNUNET_CRYPTO_ecc_dexp_mpi (struct GNUNET_CRYPTO_EccDlogContext *edc, gcry_mpi_t val) { gcry_mpi_point_t g; gcry_mpi_point_t r; g = gcry_mpi_ec_get_point ("g", edc->ctx, 0); GNUNET_assert (NULL != g); r = gcry_mpi_point_new (0); gcry_mpi_ec_mul (r, val, g, edc->ctx); gcry_mpi_point_release (g); return r; }
static void ec_deinit (void *opaque) { mpi_ec_t ctx = opaque; int i; /* Domain parameter. */ mpi_free (ctx->p); mpi_free (ctx->a); mpi_free (ctx->b); gcry_mpi_point_release (ctx->G); mpi_free (ctx->n); /* The key. */ gcry_mpi_point_release (ctx->Q); mpi_free (ctx->d); /* Private data of ec.c. */ mpi_free (ctx->t.two_inv_p); for (i=0; i< DIM(ctx->t.scratch); i++) mpi_free (ctx->t.scratch[i]); /* if (ctx->nist_nbits == 192) */ /* { */ /* for (i=0; i < 4; i++) */ /* mpi_free (ctx->s[i]); */ /* mpi_free (ctx->c); */ /* } */ /* else if (ctx->nist_nbits == 384) */ /* { */ /* for (i=0; i < 10; i++) */ /* mpi_free (ctx->s[i]); */ /* mpi_free (ctx->c); */ /* } */ }
void gotr_ecbd_gen_X_value(gcry_mpi_point_t* ret, const gcry_mpi_point_t succ, const gcry_mpi_point_t pred, const gcry_mpi_t priv) { gcry_mpi_t x = gcry_mpi_new(0); gcry_mpi_t y = gcry_mpi_new(0); gcry_mpi_t z = gcry_mpi_new(0); gcry_mpi_point_t tmpoint = gcry_mpi_point_new(0); gotr_assert(succ && pred && priv); gcry_mpi_point_release(*ret); *ret = gcry_mpi_point_new(0); ///@todo use gcry_mpi_ec_sub after it is released gcry_mpi_point_get(x, y, z, pred); gcry_mpi_neg(x, x); gcry_mpi_point_set(tmpoint, x, y, z); gcry_mpi_ec_add(tmpoint, succ, tmpoint, edctx); gcry_mpi_ec_mul(*ret, priv, tmpoint, edctx); gcry_mpi_point_release(tmpoint); gcry_mpi_release(x); gcry_mpi_release(y); gcry_mpi_release(z); }
/* * Test iterative X25519 computation through lower layer MPI routines. * * Input: K (as hex string), ITER, R (as hex string) * * where R is expected result of iterating X25519 by ITER times. * */ static void test_it (int testno, const char *k_str, int iter, const char *result_str) { gcry_ctx_t ctx; gpg_error_t err; void *buffer = NULL; size_t buflen; gcry_mpi_t mpi_k = NULL; gcry_mpi_t mpi_x = NULL; gcry_mpi_point_t P = NULL; gcry_mpi_point_t Q; int i; gcry_mpi_t mpi_kk = NULL; if (verbose > 1) info ("Running test %d: iteration=%d\n", testno, iter); gcry_mpi_ec_new (&ctx, NULL, "Curve25519"); Q = gcry_mpi_point_new (0); if (!(buffer = hex2buffer (k_str, &buflen)) || buflen != 32) { fail ("error scanning MPI for test %d, %s: %s", testno, "k", "invalid hex string"); goto leave; } reverse_buffer (buffer, buflen); if ((err = gcry_mpi_scan (&mpi_x, GCRYMPI_FMT_USG, buffer, buflen, NULL))) { fail ("error scanning MPI for test %d, %s: %s", testno, "x", gpg_strerror (err)); goto leave; } xfree (buffer); buffer = NULL; P = gcry_mpi_point_set (NULL, mpi_x, NULL, GCRYMPI_CONST_ONE); mpi_k = gcry_mpi_copy (mpi_x); if (debug) print_mpi ("k", mpi_k); for (i = 0; i < iter; i++) { /* * Another variant of decodeScalar25519 thing. */ mpi_kk = gcry_mpi_set (mpi_kk, mpi_k); gcry_mpi_set_bit (mpi_kk, 254); gcry_mpi_clear_bit (mpi_kk, 255); gcry_mpi_clear_bit (mpi_kk, 0); gcry_mpi_clear_bit (mpi_kk, 1); gcry_mpi_clear_bit (mpi_kk, 2); gcry_mpi_ec_mul (Q, mpi_kk, P, ctx); P = gcry_mpi_point_set (P, mpi_k, NULL, GCRYMPI_CONST_ONE); gcry_mpi_ec_get_affine (mpi_k, NULL, Q, ctx); if (debug) print_mpi ("k", mpi_k); } { unsigned char res[32]; char *r, *r0; gcry_mpi_print (GCRYMPI_FMT_USG, res, 32, NULL, mpi_k); reverse_buffer (res, 32); r0 = r = xmalloc (65); if (!r0) { fail ("memory allocation for test %d", testno); goto leave; } for (i=0; i < 32; i++, r += 2) snprintf (r, 3, "%02x", res[i]); if (strcmp (result_str, r0)) { fail ("curv25519 failed for test %d: %s", testno, "wrong value returned"); info (" expected: '%s'", result_str); info (" got: '%s'", r0); } xfree (r0); } leave: gcry_mpi_release (mpi_kk); gcry_mpi_release (mpi_k); gcry_mpi_point_release (P); gcry_mpi_release (mpi_x); xfree (buffer); gcry_mpi_point_release (Q); gcry_ctx_release (ctx); }
/* This is the same as basic_ec_math but uses more advanced features. */ static void basic_ec_math_simplified (void) { gpg_error_t err; gcry_ctx_t ctx; gcry_mpi_point_t G, Q; gcry_mpi_t d; gcry_mpi_t x, y, z; gcry_sexp_t sexp; wherestr = "basic_ec_math_simplified"; show ("checking basic math functions for EC (variant)\n"); d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D"); Q = gcry_mpi_point_new (0); err = gcry_mpi_ec_new (&ctx, NULL, "NIST P-192"); if (err) die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err)); G = gcry_mpi_ec_get_point ("g", ctx, 1); if (!G) die ("gcry_mpi_ec_get_point(G) failed\n"); gcry_mpi_ec_mul (Q, d, G, ctx); x = gcry_mpi_new (0); y = gcry_mpi_new (0); z = gcry_mpi_new (0); gcry_mpi_point_get (x, y, z, Q); if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66") || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8") || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F")) fail ("computed public key does not match\n"); if (debug) { print_mpi ("Q.x", x); print_mpi ("Q.y", y); print_mpi ("Q.z", z); } if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) fail ("failed to get affine coordinates\n"); if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE") || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966")) fail ("computed affine coordinates of public key do not match\n"); if (debug) { print_mpi ("q.x", x); print_mpi ("q.y", y); } gcry_mpi_release (z); gcry_mpi_release (y); gcry_mpi_release (x); /* Let us also check wheer we can update the context. */ err = gcry_mpi_ec_set_point ("g", G, ctx); if (err) die ("gcry_mpi_ec_set_point(G) failed\n"); err = gcry_mpi_ec_set_mpi ("d", d, ctx); if (err) die ("gcry_mpi_ec_set_mpi(d) failed\n"); /* FIXME: Below we need to check that the returned S-expression is as requested. For now we use manual inspection using --debug. */ /* Does get_sexp return the private key? */ err = gcry_pubkey_get_sexp (&sexp, 0, ctx); if (err) fail ("gcry_pubkey_get_sexp(0) failed: %s\n", gpg_strerror (err)); else if (verbose) print_sexp ("Result of gcry_pubkey_get_sexp (0):\n", sexp); gcry_sexp_release (sexp); /* Does get_sexp return the public key if requested? */ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_PUBKEY, ctx); if (err) fail ("gcry_pubkey_get_sexp(GET_PUBKEY) failed: %s\n", gpg_strerror (err)); else if (verbose) print_sexp ("Result of gcry_pubkey_get_sexp (GET_PUBKEY):\n", sexp); gcry_sexp_release (sexp); /* Does get_sexp return the public key if after d has been deleted? */ err = gcry_mpi_ec_set_mpi ("d", NULL, ctx); if (err) die ("gcry_mpi_ec_set_mpi(d=NULL) failed\n"); err = gcry_pubkey_get_sexp (&sexp, 0, ctx); if (err) fail ("gcry_pubkey_get_sexp(0 w/o d) failed: %s\n", gpg_strerror (err)); else if (verbose) print_sexp ("Result of gcry_pubkey_get_sexp (0 w/o d):\n", sexp); gcry_sexp_release (sexp); /* Does get_sexp return an error after d has been deleted? */ err = gcry_pubkey_get_sexp (&sexp, GCRY_PK_GET_SECKEY, ctx); if (gpg_err_code (err) != GPG_ERR_NO_SECKEY) fail ("gcry_pubkey_get_sexp(GET_SECKEY) returned wrong error: %s\n", gpg_strerror (err)); gcry_sexp_release (sexp); /* Does get_sexp return an error after d and Q have been deleted? */ err = gcry_mpi_ec_set_point ("q", NULL, ctx); if (err) die ("gcry_mpi_ec_set_point(q=NULL) failed\n"); err = gcry_pubkey_get_sexp (&sexp, 0, ctx); if (gpg_err_code (err) != GPG_ERR_BAD_CRYPT_CTX) fail ("gcry_pubkey_get_sexp(0 w/o Q,d) returned wrong error: %s\n", gpg_strerror (err)); gcry_sexp_release (sexp); gcry_mpi_point_release (Q); gcry_mpi_release (d); gcry_mpi_point_release (G); gcry_ctx_release (ctx); }
/* This tests checks that the low-level EC API yields the same result as using the high level API. The values have been taken from a test run using the high level API. */ static void basic_ec_math (void) { gpg_error_t err; gcry_ctx_t ctx; gcry_mpi_t P, A; gcry_mpi_point_t G, Q; gcry_mpi_t d; gcry_mpi_t x, y, z; wherestr = "basic_ec_math"; show ("checking basic math functions for EC\n"); P = hex2mpi ("0xfffffffffffffffffffffffffffffffeffffffffffffffff"); A = hex2mpi ("0xfffffffffffffffffffffffffffffffefffffffffffffffc"); G = make_point ("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811", "1"); d = hex2mpi ("D4EF27E32F8AD8E2A1C6DDEBB1D235A69E3CEF9BCE90273D"); Q = gcry_mpi_point_new (0); err = ec_p_new (&ctx, P, A); if (err) die ("ec_p_new failed: %s\n", gpg_strerror (err)); x = gcry_mpi_new (0); y = gcry_mpi_new (0); z = gcry_mpi_new (0); { /* A quick check that multiply by zero works. */ gcry_mpi_t tmp; tmp = gcry_mpi_new (0); gcry_mpi_ec_mul (Q, tmp, G, ctx); gcry_mpi_release (tmp); gcry_mpi_point_get (x, y, z, Q); if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 0) || gcry_mpi_cmp_ui (z, 0)) fail ("multiply a point by zero failed\n"); } gcry_mpi_ec_mul (Q, d, G, ctx); gcry_mpi_point_get (x, y, z, Q); if (cmp_mpihex (x, "222D9EC717C89D047E0898C9185B033CD11C0A981EE6DC66") || cmp_mpihex (y, "605DE0A82D70D3E0F84A127D0739ED33D657DF0D054BFDE8") || cmp_mpihex (z, "00B06B519071BC536999AC8F2D3934B3C1FC9EACCD0A31F88F")) fail ("computed public key does not match\n"); if (debug) { print_mpi ("Q.x", x); print_mpi ("Q.y", y); print_mpi ("Q.z", z); } if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) fail ("failed to get affine coordinates\n"); if (cmp_mpihex (x, "008532093BA023F4D55C0424FA3AF9367E05F309DC34CDC3FE") || cmp_mpihex (y, "00C13CA9E617C6C8487BFF6A726E3C4F277913D97117939966")) fail ("computed affine coordinates of public key do not match\n"); if (debug) { print_mpi ("q.x", x); print_mpi ("q.y", y); } gcry_mpi_release (z); gcry_mpi_release (y); gcry_mpi_release (x); gcry_mpi_point_release (Q); gcry_mpi_release (d); gcry_mpi_point_release (G); gcry_mpi_release (A); gcry_mpi_release (P); gcry_ctx_release (ctx); }
/* Check the math used with Twisted Edwards curves. */ static void twistededwards_math (void) { gpg_error_t err; gcry_ctx_t ctx; gcry_mpi_point_t G, Q; gcry_mpi_t k; gcry_mpi_t w, a, x, y, z, p, n, b, I; wherestr = "twistededwards_math"; show ("checking basic Twisted Edwards math\n"); err = gcry_mpi_ec_new (&ctx, NULL, "Ed25519"); if (err) die ("gcry_mpi_ec_new failed: %s\n", gpg_strerror (err)); k = hex2mpi ("2D3501E723239632802454EE5DDC406EFB0BDF18486A5BDE9C0390A9C2984004" "F47252B628C953625B8DEB5DBCB8DA97AA43A1892D11FA83596F42E0D89CB1B6"); G = gcry_mpi_ec_get_point ("g", ctx, 1); if (!G) die ("gcry_mpi_ec_get_point(G) failed\n"); Q = gcry_mpi_point_new (0); w = gcry_mpi_new (0); a = gcry_mpi_new (0); x = gcry_mpi_new (0); y = gcry_mpi_new (0); z = gcry_mpi_new (0); I = gcry_mpi_new (0); p = gcry_mpi_ec_get_mpi ("p", ctx, 1); n = gcry_mpi_ec_get_mpi ("n", ctx, 1); b = gcry_mpi_ec_get_mpi ("b", ctx, 1); /* Check: 2^{p-1} mod p == 1 */ gcry_mpi_sub_ui (a, p, 1); gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, p); if (gcry_mpi_cmp_ui (w, 1)) fail ("failed assertion: 2^{p-1} mod p == 1\n"); /* Check: p % 4 == 1 */ gcry_mpi_mod (w, p, GCRYMPI_CONST_FOUR); if (gcry_mpi_cmp_ui (w, 1)) fail ("failed assertion: p % 4 == 1\n"); /* Check: 2^{n-1} mod n == 1 */ gcry_mpi_sub_ui (a, n, 1); gcry_mpi_powm (w, GCRYMPI_CONST_TWO, a, n); if (gcry_mpi_cmp_ui (w, 1)) fail ("failed assertion: 2^{n-1} mod n == 1\n"); /* Check: b^{(p-1)/2} mod p == p-1 */ gcry_mpi_sub_ui (a, p, 1); gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_TWO, -1); gcry_mpi_powm (w, b, x, p); gcry_mpi_abs (w); if (gcry_mpi_cmp (w, a)) fail ("failed assertion: b^{(p-1)/2} mod p == p-1\n"); /* I := 2^{(p-1)/4} mod p */ gcry_mpi_sub_ui (a, p, 1); gcry_mpi_div (x, NULL, a, GCRYMPI_CONST_FOUR, -1); gcry_mpi_powm (I, GCRYMPI_CONST_TWO, x, p); /* Check: I^2 mod p == p-1 */ gcry_mpi_powm (w, I, GCRYMPI_CONST_TWO, p); if (gcry_mpi_cmp (w, a)) fail ("failed assertion: I^2 mod p == p-1\n"); /* Check: G is on the curve */ if (!gcry_mpi_ec_curve_point (G, ctx)) fail ("failed assertion: G is on the curve\n"); /* Check: nG == (0,1) */ gcry_mpi_ec_mul (Q, n, G, ctx); if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) fail ("failed to get affine coordinates\n"); if (gcry_mpi_cmp_ui (x, 0) || gcry_mpi_cmp_ui (y, 1)) fail ("failed assertion: nG == (0,1)\n"); /* Now two arbitrary point operations taken from the ed25519.py sample data. */ gcry_mpi_release (a); a = hex2mpi ("4f71d012df3c371af3ea4dc38385ca5bb7272f90cb1b008b3ed601c76de1d496" "e30cbf625f0a756a678d8f256d5325595cccc83466f36db18f0178eb9925edd3"); gcry_mpi_ec_mul (Q, a, G, ctx); if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) fail ("failed to get affine coordinates\n"); if (cmp_mpihex (x, ("157f7361c577aad36f67ed33e38dc7be" "00014fecc2165ca5cee9eee19fe4d2c1")) || cmp_mpihex (y, ("5a69dbeb232276b38f3f5016547bb2a2" "4025645f0b820e72b8cad4f0a909a092"))) { fail ("sample point multiply failed:\n"); print_mpi ("r", a); print_mpi ("Rx", x); print_mpi ("Ry", y); } gcry_mpi_release (a); a = hex2mpi ("2d3501e723239632802454ee5ddc406efb0bdf18486a5bde9c0390a9c2984004" "f47252b628c953625b8deb5dbcb8da97aa43a1892d11fa83596f42e0d89cb1b6"); gcry_mpi_ec_mul (Q, a, G, ctx); if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) fail ("failed to get affine coordinates\n"); if (cmp_mpihex (x, ("6218e309d40065fcc338b3127f468371" "82324bd01ce6f3cf81ab44e62959c82a")) || cmp_mpihex (y, ("5501492265e073d874d9e5b81e7f8784" "8a826e80cce2869072ac60c3004356e5"))) { fail ("sample point multiply failed:\n"); print_mpi ("r", a); print_mpi ("Rx", x); print_mpi ("Ry", y); } gcry_mpi_release (I); gcry_mpi_release (b); gcry_mpi_release (n); gcry_mpi_release (p); gcry_mpi_release (w); gcry_mpi_release (a); gcry_mpi_release (x); gcry_mpi_release (y); gcry_mpi_release (z); gcry_mpi_point_release (Q); gcry_mpi_point_release (G); gcry_mpi_release (k); gcry_ctx_release (ctx); }
/** * Destroy session state, we are done with it. * * @param session the session to free elements from */ static void destroy_service_session (struct BobServiceSession *s) { struct CadetIncomingSession *in; unsigned int i; if (GNUNET_YES == s->in_destroy) return; s->in_destroy = GNUNET_YES; if (NULL != (in = s->cadet)) { s->cadet = NULL; destroy_cadet_session (in); } if (NULL != s->client) { struct GNUNET_SERVICE_Client *c = s->client; s->client = NULL; GNUNET_SERVICE_client_drop (c); } GNUNET_assert (GNUNET_YES == GNUNET_CONTAINER_multihashmap_remove (client_sessions, &s->session_id, s)); if (NULL != s->intersected_elements) { GNUNET_CONTAINER_multihashmap_iterate (s->intersected_elements, &free_element_cb, NULL); GNUNET_CONTAINER_multihashmap_destroy (s->intersected_elements); s->intersected_elements = NULL; } if (NULL != s->intersection_op) { GNUNET_SET_operation_cancel (s->intersection_op); s->intersection_op = NULL; } if (NULL != s->intersection_set) { GNUNET_SET_destroy (s->intersection_set); s->intersection_set = NULL; } if (NULL != s->sorted_elements) { for (i=0;i<s->used_element_count;i++) gcry_mpi_release (s->sorted_elements[i].value); GNUNET_free (s->sorted_elements); s->sorted_elements = NULL; } if (NULL != s->prod_g_i_b_i) { gcry_mpi_point_release (s->prod_g_i_b_i); s->prod_g_i_b_i = NULL; } if (NULL != s->prod_h_i_b_i) { gcry_mpi_point_release (s->prod_h_i_b_i); s->prod_h_i_b_i = NULL; } GNUNET_CADET_close_port (s->port); GNUNET_free (s); }
/** * Handle a multipart-chunk of a request from another service to * calculate a scalarproduct with us. * * @param cls closure (set from #GNUNET_CADET_connect) * @param channel connection to the other end * @param channel_ctx place to store local state associated with the @a channel * @param message the actual message * @return #GNUNET_OK to keep the connection open, * #GNUNET_SYSERR to close it (signal serious error) */ static int handle_alices_cryptodata_message (void *cls, struct GNUNET_CADET_Channel *channel, void **channel_ctx, const struct GNUNET_MessageHeader *message) { struct CadetIncomingSession *in = *channel_ctx; struct BobServiceSession *s; const struct EccAliceCryptodataMessage *msg; const struct GNUNET_CRYPTO_EccPoint *payload; uint32_t contained_elements; size_t msg_length; uint16_t msize; unsigned int max; unsigned int i; const struct MpiElement *b_i; gcry_mpi_point_t tmp; gcry_mpi_point_t g_i; gcry_mpi_point_t h_i; gcry_mpi_point_t g_i_b_i; gcry_mpi_point_t h_i_b_i; /* sanity checks */ if (NULL == in) { GNUNET_break_op (0); return GNUNET_SYSERR; } s = in->s; if (NULL == s) { GNUNET_break_op (0); return GNUNET_SYSERR; } /* sort our vector for the computation */ if (NULL == s->sorted_elements) { s->sorted_elements = GNUNET_malloc (GNUNET_CONTAINER_multihashmap_size (s->intersected_elements) * sizeof (struct MpiElement)); s->used_element_count = 0; GNUNET_CONTAINER_multihashmap_iterate (s->intersected_elements, ©_element_cb, s); qsort (s->sorted_elements, s->used_element_count, sizeof (struct MpiElement), &element_cmp); } /* parse message */ msize = ntohs (message->size); if (msize <= sizeof (struct EccAliceCryptodataMessage)) { GNUNET_break_op (0); return GNUNET_SYSERR; } msg = (const struct EccAliceCryptodataMessage *) message; contained_elements = ntohl (msg->contained_element_count); /* Our intersection may still be ongoing, but this is nevertheless an upper bound on the required array size */ max = GNUNET_CONTAINER_multihashmap_size (s->intersected_elements); msg_length = sizeof (struct EccAliceCryptodataMessage) + contained_elements * sizeof (struct GNUNET_CRYPTO_EccPoint) * 2; if ( (msize != msg_length) || (0 == contained_elements) || (contained_elements > UINT16_MAX) || (max < contained_elements + s->cadet_received_element_count) ) { GNUNET_break_op (0); return GNUNET_SYSERR; } GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "Received %u crypto values from Alice\n", (unsigned int) contained_elements); payload = (const struct GNUNET_CRYPTO_EccPoint *) &msg[1]; for (i=0;i<contained_elements;i++) { b_i = &s->sorted_elements[i + s->cadet_received_element_count]; g_i = GNUNET_CRYPTO_ecc_bin_to_point (edc, &payload[i * 2]); g_i_b_i = GNUNET_CRYPTO_ecc_pmul_mpi (edc, g_i, b_i->value); gcry_mpi_point_release (g_i); h_i = GNUNET_CRYPTO_ecc_bin_to_point (edc, &payload[i * 2 + 1]); h_i_b_i = GNUNET_CRYPTO_ecc_pmul_mpi (edc, h_i, b_i->value); gcry_mpi_point_release (h_i); if (0 == i + s->cadet_received_element_count) { /* first iteration, nothing to add */ s->prod_g_i_b_i = g_i_b_i; s->prod_h_i_b_i = h_i_b_i; } else { /* further iterations, cummulate resulting value */ tmp = GNUNET_CRYPTO_ecc_add (edc, s->prod_g_i_b_i, g_i_b_i); gcry_mpi_point_release (s->prod_g_i_b_i); gcry_mpi_point_release (g_i_b_i); s->prod_g_i_b_i = tmp; tmp = GNUNET_CRYPTO_ecc_add (edc, s->prod_h_i_b_i, h_i_b_i); gcry_mpi_point_release (s->prod_h_i_b_i); gcry_mpi_point_release (h_i_b_i); s->prod_h_i_b_i = tmp; } } s->cadet_received_element_count += contained_elements; if ( (s->cadet_received_element_count == max) && (NULL == s->intersection_op) ) { /* intersection has finished also on our side, and we got the full set, so we can proceed with the CADET response(s) */ transmit_bobs_cryptodata_message (s); } GNUNET_CADET_receive_done (s->cadet->channel); return GNUNET_OK; }
/** * Free a point value returned by the API. * * @param p point to free */ void GNUNET_CRYPTO_ecc_free (gcry_mpi_point_t p) { gcry_mpi_point_release (p); }