/* * Encrypt a block or less of data. Caller malloc's cipherText. */ feeReturn feeFEEDExpEncryptBlock(feeFEEDExp feed, const unsigned char *plainText, unsigned plainTextLen, unsigned char *cipherText, unsigned *cipherTextLen, // RETURNED int finalBlock) { feedInst *finst = (feedInst *) feed; int index; /* which curve (+/- 1) */ char g = 0; /* parity, which_curve bits in ciphertext */ key B; unsigned char *ptext; /* for final block */ unsigned ctextLen; feeReturn frtn = FR_Success; giant x1; unsigned randLen; curveParams *cp = finst->cp; randLen = cp->minBytes+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits" if(plainTextLen > finst->plainBlockSize) { return FR_IllegalArg; } else if ((plainTextLen < finst->plainBlockSize) && !finalBlock) { return FR_IllegalArg; } /* * Init only on first encrypt */ if((finst->randFcn == NULL) && (finst->rand == NULL)) { finst->rand = feeRandAlloc(); } if(finst->randData == NULL) { finst->randData = (unsigned char*) fmalloc(randLen); } /* * plaintext as giant xp */ if(finalBlock) { ptext = (unsigned char*) fmalloc(finst->plainBlockSize); bzero(ptext, finst->plainBlockSize); if(plainTextLen) { /* * 0 for empty block with resid length 0 */ bcopy(plainText, ptext, plainTextLen); } if(plainTextLen < finst->plainBlockSize) { if(plainTextLen == 0) { /* * Special case - can't actually write zero here; * it screws up deserializing the giant during * decrypt */ ptext[finst->plainBlockSize - 1] = RESID_ZERO; } else { ptext[finst->plainBlockSize - 1] = plainTextLen; } #if FEED_DEBUG printf("encrypt: resid 0x%x\n", ptext[finst->plainBlockSize - 1]); #endif } /* * else handle evenly aligned case below... */ deserializeGiant(ptext, finst->xp, finst->plainBlockSize); ffree(ptext); } else { deserializeGiant(plainText, finst->xp, plainTextLen); } #if FEED_DEBUG printf("encrypt:\n"); printf(" xp : "); PRINT_GIANT(finst->xp); #endif // FEED_DEBUG /* * pick curve B? that data lies upon */ index = which_curve(finst->xp, finst->cp); if(index == CURVE_PLUS) { B = finst->plus; x1 = finst->cp->x1Plus; } else { B = finst->minus; x1 = finst->cp->x1Minus; } #if FEED_DEBUG printf(" which_curve: %s\n", (index == CURVE_PLUS) ? "CURVE_PLUS" : "CURVE_MINUS"); #endif /* * random number as giant xaux */ if(finst->randFcn != NULL) { finst->randFcn(finst->randRef, finst->randData, randLen); } else { feeRandBytes(finst->rand, finst->randData, randLen); } deserializeGiant(finst->randData, finst->xaux, randLen); #if FEE_DEBUG if(isZero(finst->xaux)) { printf("feeFEEDExpEncryptBlock: random xaux = 0!\n"); } #endif // FEE_DEBUG /* * Justify random # to be in [2, minimumX1Order]. */ lesserX1OrderJustify(finst->xaux, cp); #if FEED_DEBUG printf(" xaux: "); PRINT_GIANT(finst->xaux); #endif // FEED_DEBUG gtog(B->x, finst->xq); // xq = pubB? elliptic_simple(finst->xq, finst->xaux, cp); // xq = r(pubB?) #if FEED_DEBUG printf(" r(pubB?): "); PRINT_GIANT(finst->xq); #endif elliptic_add(finst->xp, finst->xq, finst->xm, cp, SIGN_PLUS); // xm = data + r(pubB?) gtog(x1, finst->xc); elliptic_simple(finst->xc, finst->xaux, cp); // xc = r(P1?) elliptic_add(finst->xm, finst->xq, finst->xaux, cp, SIGN_PLUS); // xaux = xm + xq (for curve +1) // = (data + r(pubB?)) + r(pubB?) if(gcompg(finst->xaux, finst->xp) == 0) { g |= CLUE_ELL_ADD_SIGN_PLUS; } else { g |= CLUE_ELL_ADD_SIGN_MINUS; #if FEED_DEBUG /* this better be true.... */ elliptic_add(finst->xm, finst->xq, finst->xaux, cp, SIGN_MINUS); if(gcompg(finst->xaux, finst->xp)) { printf("*******elliptic_add(xm, xq, -1) != xp! *************\n"); printf(" xq : "); PRINT_GIANT(finst->xq); printf(" ell_add(xm, xq, -1) : "); PRINT_GIANT(finst->xaux); } #endif } // g = (xaux == data) ? add : subtract /* * Ciphertext = (xm, xc, g) */ serializeGiant(finst->xm, cipherText, cp->minBytes); cipherText += cp->minBytes; serializeGiant(finst->xc, cipherText, cp->minBytes); cipherText += cp->minBytes; *cipherText++ = g; ctextLen = finst->cipherBlockSize; #if FEED_DEBUG printf(" xm : "); PRINT_GIANT(finst->xm); printf(" xc : "); PRINT_GIANT(finst->xc); printf(" g : %d\n", g); #endif // FEED_DEBUG if(finalBlock && (plainTextLen == finst->plainBlockSize)) { /* * Special case: finalBlock true, plainTextLen == blockSize. * In this case we generate one more block of ciphertext, * with a resid length of zero. */ unsigned moreCipher; // additional cipherLen #if FEED_DEBUG printf("encrypt: one more empty block\n"); #endif frtn = feeFEEDExpEncryptBlock(feed, NULL, // plainText not used 0, // resid cipherText, // append... &moreCipher, 1); if(frtn == FR_Success) { ctextLen += moreCipher; } } *cipherTextLen = ctextLen; return frtn; }
/* * Alloc and init a feeFEED object associated with specified public and * private keys. */ feeFEED feeFEEDNewWithPubKey(feePubKey myPrivKey, feePubKey theirPubKey, int forEncrypt, // 0 ==> decrypt 1 ==> encrypt feeRandFcn randFcn, // optional void *randRef) { feedInst *finst; giant privGiant; key k; unsigned expPlainSize; unsigned expCipherSize; unsigned expBlocks; if(!curveParamsEquivalent(feePubKeyCurveParams(theirPubKey), feePubKeyCurveParams(myPrivKey))) { dbgLog(("feeFEEDNewWithPubKey: Incompatible Keys\n")); return NULL; } finst = (feedInst*) fmalloc(sizeof(feedInst)); bzero(finst, sizeof(feedInst)); finst->forEncrypt = forEncrypt; finst->cp = curveParamsCopy(feePubKeyCurveParams(theirPubKey)); finst->rsBlockCount = 0; finst->xp = newGiant(finst->cp->maxDigits); finst->xm = newGiant(finst->cp->maxDigits); finst->tmp1 = newGiant(finst->cp->maxDigits); if(forEncrypt) { finst->tmp2 = newGiant(finst->cp->maxDigits); } /* * cluePlus = ourPriv * theirPub+ * clueMinus = ourPriv * theirPub- */ finst->cluePlus = newGiant(finst->cp->maxDigits); finst->clueMinus = newGiant(finst->cp->maxDigits); privGiant = feePubKeyPrivData(myPrivKey); if(privGiant == NULL) { dbgLog(("feeFEEDNewWithPubKey: no private key\n")); goto abort; } k = feePubKeyPlusCurve(theirPubKey); gtog(k->x, finst->cluePlus); // cluePlus = theirPub+ elliptic_simple(finst->cluePlus, privGiant, finst->cp); k = feePubKeyMinusCurve(theirPubKey); gtog(k->x, finst->clueMinus); // theirPub- elliptic_simple(finst->clueMinus, privGiant, finst->cp); /* * Set up block sizes. */ if(finst->cp->primeType == FPT_General) { unsigned blen = bitlen(finst->cp->basePrime); finst->plainBlockSize = blen / 8; if((blen & 0x7) == 0) { /* * round down some more... */ finst->plainBlockSize--; } } else { finst->plainBlockSize = finst->cp->q / 8; if(((finst->cp->q & 0x7) == 0) && (finst->cp->k > 0)) { /* * Special case, with q mod 8 == 0. Here we have to * trim back the plainBlockSize by one byte. */ finst->plainBlockSize--; } } finst->cipherBlockSize = finst->cp->minBytes + 1; /* * the size of initialRS is subject to tweaking - if we make it * not a multiple of plainBlockSize, we save one FEEDExp cipherBlock * in our ciphertext. */ finst->initialRSSize = finst->plainBlockSize * 2; if(finst->initialRSSize > RS_MIN_SIZE) { unsigned minPlainBlocks; unsigned maxSize; /* * How many plainblocks to hold RS_MIN_SIZE? */ minPlainBlocks = (RS_MIN_SIZE + finst->plainBlockSize - 1) / finst->plainBlockSize; /* * Max size = that many plainblocks, less 2 bytes (to avoid * extra residue block). */ maxSize = minPlainBlocks * finst->plainBlockSize - 2; /* * But don't bother with more than 2 plainblocks worth */ if(finst->initialRSSize > maxSize) { finst->initialRSSize = maxSize; } } /* else leave it alone, that's small enough */ if(forEncrypt) { feeRand frand = NULL; /* * Encrypt-capable FEEDExp object */ finst->feedExp = feeFEEDExpNewWithPubKey(theirPubKey, randFcn, randRef); if(finst->feedExp == NULL) { goto abort; } /* * Generate initial r and s data. */ finst->initialRS = (unsigned char*) fmalloc(finst->initialRSSize); if(randFcn != NULL) { randFcn(randRef, finst->initialRS, finst->initialRSSize); } else { frand = feeRandAlloc(); feeRandBytes(frand, finst->initialRS, finst->initialRSSize); feeRandFree(frand); } if(initFromRS(finst)) { goto abort; } } else { /* * Decrypt-capable FEEDExp object */ finst->feedExp = feeFEEDExpNewWithPubKey(myPrivKey, randFcn, randRef); if(finst->feedExp == NULL) { goto abort; } } /* * Figure out how many of our cipherblocks it takes to hold * a FEEDExp-encrypted initialRS. If initialRSSize is an exact * multiple of expPlainSize, we get an additional feedExp * residue block. */ expPlainSize = feeFEEDExpPlainBlockSize(finst->feedExp); expCipherSize = feeFEEDExpCipherBlockSize(finst->feedExp); expBlocks = (finst->initialRSSize + expPlainSize - 1) / expPlainSize; if((finst->initialRSSize % expPlainSize) == 0) { expBlocks++; } /* * Total meaningful bytes of encrypted initialRS */ finst->rsCtextSize = expBlocks * expCipherSize; /* * Number of our cipherblocks it takes to hold rsCtextSize */ finst->rsSizeCipherBlocks = (finst->rsCtextSize + finst->cipherBlockSize - 1) / finst->cipherBlockSize; if(!forEncrypt) { finst->rsCtext = (unsigned char*) fmalloc(finst->rsSizeCipherBlocks * finst->cipherBlockSize); } /* * Sanity check... */ #if FEED_DEBUG { unsigned fexpBlockSize = feeFEEDExpCipherBlockSize(finst->feedExp); /* * FEEDExp has one more giant in ciphertext, plaintext is * same size */ if((finst->cipherBlockSize + finst->cp->minBytes) != fexpBlockSize) { dbgLog(("feeFEEDNewWithPubKey: FEEDExp CBlock Size " "screwup\n")); goto abort; } fexpBlockSize = feeFEEDExpPlainBlockSize(finst->feedExp); if(fexpBlockSize != finst->plainBlockSize) { dbgLog(("feeFEEDNewWithPubKey: FEEDExp PBlock Size " "screwup\n")); goto abort; } } #endif // FEED_DEBUG return finst; abort: feeFEEDFree(finst); return NULL; }
/* * Create new feeSig object, including a random large integer 'randGiant' for * possible use in salting a feeHash object, and 'PmX', equal to * randGiant 'o' P1. Note that this is not called when *verifying* a * signature, only when signing. */ feeSig feeSigNewWithKey( feePubKey pubKey, feeRandFcn randFcn, /* optional */ void *randRef) { sigInst *sinst = sinstAlloc(); feeRand frand; unsigned char *randBytes; unsigned randBytesLen; curveParams *cp; if(pubKey == NULL) { return NULL; } cp = feePubKeyCurveParams(pubKey); if(cp == NULL) { return NULL; } /* * Generate random m, a little larger than key size, save as randGiant */ randBytesLen = (feePubKeyBitsize(pubKey) / 8) + 1; randBytes = (unsigned char*) fmalloc(randBytesLen); if(randFcn) { randFcn(randRef, randBytes, randBytesLen); } else { frand = feeRandAlloc(); feeRandBytes(frand, randBytes, randBytesLen); feeRandFree(frand); } sinst->randGiant = giant_with_data(randBytes, randBytesLen); memset(randBytes, 0, randBytesLen); ffree(randBytes); #if FEE_DEBUG if(isZero(sinst->randGiant)) { printf("feeSigNewWithKey: randGiant = 0!\n"); } #endif // FEE_DEBUG /* * Justify randGiant to be in [2, x1OrderPlus] */ x1OrderPlusJustify(sinst->randGiant, cp); /* PmX := randGiant 'o' P1 */ sinst->PmX = newGiant(cp->maxDigits); #if CRYPTKIT_ELL_PROJ_ENABLE if(cp->curveType == FCT_Weierstrass) { pointProjStruct pt0; sinst->PmY = newGiant(cp->maxDigits); /* cook up pt0 as P1 */ pt0.x = sinst->PmX; pt0.y = sinst->PmY; pt0.z = borrowGiant(cp->maxDigits); gtog(cp->x1Plus, pt0.x); gtog(cp->y1Plus, pt0.y); int_to_giant(1, pt0.z); /* pt0 := P1 'o' randGiant */ ellMulProjSimple(&pt0, sinst->randGiant, cp); returnGiant(pt0.z); } else { if(SIG_CURVE == CURVE_PLUS) { gtog(cp->x1Plus, sinst->PmX); } else { gtog(cp->x1Minus, sinst->PmX); } elliptic_simple(sinst->PmX, sinst->randGiant, cp); } #else /* CRYPTKIT_ELL_PROJ_ENABLE */ if(SIG_CURVE == CURVE_PLUS) { gtog(cp->x1Plus, sinst->PmX); } else { gtog(cp->x1Minus, sinst->PmX); } elliptic_simple(sinst->PmX, sinst->randGiant, cp); #endif /* CRYPTKIT_ELL_PROJ_ENABLE */ return sinst; }
feeReturn feeECDSASign( feePubKey pubKey, feeSigFormat format, // Signature format DER 9.62 / RAW const unsigned char *data, // data to be signed unsigned dataLen, // in bytes feeRandFcn randFcn, // optional void *randRef, // optional unsigned char **sigData, // malloc'd and RETURNED unsigned *sigDataLen) // RETURNED { curveParams *cp; /* giant integers per IEEE P1363 notation */ giant c; // both 1363 'c' and 'i' // i.e., x-coord of u's pub key giant d; giant u; // random private key giant s; // private key as giant giant f; // data (message) as giant feeReturn frtn = FR_Success; feeRand frand; unsigned char *randBytes; unsigned randBytesLen; unsigned groupBytesLen; giant privGiant; #if ECDSA_SIGN_USE_PROJ pointProjStruct pt; // pt->x = c giant pty; // pt->y giant ptz; // pt->z #endif // ECDSA_SIGN_USE_PROJ if(pubKey == NULL) { return FR_BadPubKey; } cp = feePubKeyCurveParams(pubKey); if(cp == NULL) { return FR_BadPubKey; } if(cp->curveType != FCT_Weierstrass) { return FR_IllegalCurve; } CKASSERT(!isZero(cp->x1OrderPlus)); /* * Private key and message to be signed as giants */ privGiant = feePubKeyPrivData(pubKey); if(privGiant == NULL) { dbgLog(("Attempt to Sign without private data\n")); return FR_IllegalArg; } s = borrowGiant(cp->maxDigits); gtog(privGiant, s); if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) { f = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen)); } else { f = borrowGiant(cp->maxDigits); } deserializeGiant(data, f, dataLen); /* * Certicom SEC1 states that if the digest is larger than the modulus, * use the left q bits of the digest. */ unsigned hashBits = dataLen * 8; if(hashBits > cp->q) { gshiftright(hashBits - cp->q, f); } sigDbg(("ECDSA sign:\n")); sigLogGiant(" s : ", s); sigLogGiant(" f : ", f); c = borrowGiant(cp->maxDigits); d = borrowGiant(cp->maxDigits); u = borrowGiant(cp->maxDigits); if(randFcn == NULL) { frand = feeRandAlloc(); } else { frand = NULL; } /* * Random size is just larger than base prime */ groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8); randBytesLen = groupBytesLen+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits" randBytes = (unsigned char*) fmalloc(randBytesLen); #if ECDSA_SIGN_USE_PROJ /* quick temp pointProj */ pty = borrowGiant(cp->maxDigits); ptz = borrowGiant(cp->maxDigits); pt.x = c; pt.y = pty; pt.z = ptz; #endif // ECDSA_SIGN_USE_PROJ while(1) { /* Repeat this loop until we have a non-zero c and d */ /* * 1) Obtain random u in [2, x1OrderPlus-2] */ SIGPROF_START; if(randFcn) { randFcn(randRef, randBytes, randBytesLen); } else { feeRandBytes(frand, randBytes, randBytesLen); } deserializeGiant(randBytes, u, randBytesLen); sigLogGiant(" raw u : ", u); sigLogGiant(" order : ", cp->x1OrderPlus); x1OrderPlusJustify(u, cp); SIGPROF_END(signStep1); sigLogGiant(" in range u : ", u); /* * note 'o' indicates elliptic multiply, * is integer mult. * * 2) Compute x coordinate, call it c, of u 'o' G * 3) Reduce: c := c mod x1OrderPlus; * 4) If c == 0, goto (1); */ SIGPROF_START; gtog(cp->x1Plus, c); #if ECDSA_SIGN_USE_PROJ /* projective coordinates */ gtog(cp->y1Plus, pty); int_to_giant(1, ptz); ellMulProjSimple(&pt, u, cp); #else /* ECDSA_SIGN_USE_PROJ */ /* the FEE way */ elliptic_simple(c, u, cp); #endif /* ECDSA_SIGN_USE_PROJ */ SIGPROF_END(signStep2); SIGPROF_START; x1OrderPlusMod(c, cp); SIGPROF_END(signStep34); if(isZero(c)) { dbgLog(("feeECDSASign: zero modulo (1)\n")); continue; } /* * 5) Compute u^(-1) mod x1OrderPlus; */ SIGPROF_START; gtog(u, d); binvg_x1OrderPlus(cp, d); SIGPROF_END(signStep5); sigLogGiant(" u^(-1) : ", d); /* * 6) Compute signature d as: * d = [u^(-1) (f + s*c)] (mod x1OrderPlus) */ SIGPROF_START; mulg(c, s); // s *= c x1OrderPlusMod(s, cp); addg(f, s); // s := f + (s * c) x1OrderPlusMod(s, cp); mulg(s, d); // d := u^(-1) (f + (s * c)) x1OrderPlusMod(d, cp); SIGPROF_END(signStep67); /* * 7) If d = 0, goto (1); */ if(isZero(d)) { dbgLog(("feeECDSASign: zero modulo (2)\n")); continue; } sigLogGiant(" c : ", c); sigLogGiant(" d : ", d); break; // normal successful exit } /* * 8) signature is now the integer pair (c, d). */ /* * Cook up raw data representing the signature. */ SIGPROF_START; ECDSA_encode(format,groupBytesLen, c, d, sigData, sigDataLen); SIGPROF_END(signStep8); if(frand != NULL) { feeRandFree(frand); } ffree(randBytes); returnGiant(u); returnGiant(d); returnGiant(c); returnGiant(f); returnGiant(s); #if ECDSA_SIGN_USE_PROJ returnGiant(pty); returnGiant(ptz); #endif /* ECDSA_SIGN_USE_PROJ */ return frtn; }