/**
* @brief Calculate the EP_UID from the IMS (correct version)
*
* This is the EP_UID calculation, correctly implemented - usable
* on post-ES3 chips
*
* @param ims_value A pointer to the 35-byte IMS value
* @param ep_uid A pointer to the octet EP_UID output value
*/
void calculate_epuid(uint8_t * ims_value,
mcl_octet * ep_uid) {
/* same code used in ES3 boot ROM to generate the EUID */
int i;
static uint8_t ep_uid_calc[SHA256_HASH_DIGEST_SIZE];
static uint8_t y1[SHA256_HASH_DIGEST_SIZE];
static uint8_t z0[SHA256_HASH_DIGEST_SIZE];
uint32_t temp;
uint32_t *pims = (uint32_t *)ims_value;
hash_start();
/* grab IMS 4 bytes at a time and feed that to hash_update */
for (i = 0; i < 4; i++) {
temp = pims[i] ^ 0x3d3d3d3d;
hash_update((uint8_t *)&temp, sizeof(temp));
}
hash_final(y1);
hash_start();
hash_update(y1, SHA256_HASH_DIGEST_SIZE);
temp = 0x01010101;
for (i = 0; i < 8; i++) {;
hash_update((uint8_t *)&temp, sizeof(temp));
}
hash_final(z0);
hash_it(z0, SHA256_HASH_DIGEST_SIZE, ep_uid_calc);
memcpy(ep_uid->val, ep_uid_calc, EP_UID_SIZE);
ep_uid->len = EP_UID_SIZE;
}
/* Returns the hash of the 'n' 32-bit words at 'p', starting from 'basis'.
* 'p' must be properly aligned. */
uint32_t
hash_words(const uint32_t *p, size_t n, uint32_t basis)
{
uint32_t a, b, c;
a = b = c = 0xdeadbeef + (((uint32_t) n) << 2) + basis;
while (n > 3) {
a += p[0];
b += p[1];
c += p[2];
hash_mix(&a, &b, &c);
n -= 3;
p += 3;
}
switch (n) {
case 3:
c += p[2];
/* fall through */
case 2:
b += p[1];
/* fall through */
case 1:
a += p[0];
hash_final(&a, &b, &c);
/* fall through */
case 0:
break;
}
return c;
}
/* Returns the hash of the 'n' bytes at 'p', starting from 'basis'. */
uint32_t
hash_bytes(const void *p_, size_t n, uint32_t basis)
{
const uint8_t *p = p_;
uint32_t a, b, c;
a = b = c = 0xdeadbeef + n + basis;
while (n >= 12) {
a += get_unaligned_u32((uint32_t *) p);
b += get_unaligned_u32((uint32_t *) (p + 4));
c += get_unaligned_u32((uint32_t *) (p + 8));
hash_mix(&a, &b, &c);
n -= 12;
p += 12;
}
if (n) {
uint32_t tmp[3];
tmp[0] = tmp[1] = tmp[2] = 0;
memcpy(tmp, p, n);
a += tmp[0];
b += tmp[1];
c += tmp[2];
hash_final(&a, &b, &c);
}
return c;
}
int
ikev2_msg_integr(struct iked *env, struct iked_sa *sa, struct ibuf *src)
{
int ret = -1;
size_t integrlen, tmplen;
struct ibuf *integr, *prf, *tmp = NULL;
u_int8_t *ptr;
log_debug("%s: message length %d", __func__, ibuf_size(src));
print_hex(ibuf_data(src), 0, ibuf_size(src));
if (sa == NULL ||
sa->sa_integr == NULL) {
log_debug("%s: invalid SA", __func__);
return (-1);
}
if (sa->sa_hdr.sh_initiator) {
integr = sa->sa_key_iauth;
prf = sa->sa_key_iprf;
} else {
integr = sa->sa_key_rauth;
prf = sa->sa_key_rprf;
}
integrlen = hash_length(sa->sa_integr);
log_debug("%s: integrity checksum length %d", __func__,
integrlen);
/*
* Validate packet checksum
*/
if ((tmp = ibuf_new(NULL, hash_keylength(sa->sa_integr))) == NULL)
goto done;
hash_setkey(sa->sa_integr, ibuf_data(integr), ibuf_size(integr));
hash_init(sa->sa_integr);
hash_update(sa->sa_integr, ibuf_data(src),
ibuf_size(src) - integrlen);
hash_final(sa->sa_integr, ibuf_data(tmp), &tmplen);
if (tmplen != integrlen) {
log_debug("%s: hash failure", __func__);
goto done;
}
if ((ptr = ibuf_seek(src,
ibuf_size(src) - integrlen, integrlen)) == NULL)
goto done;
memcpy(ptr, ibuf_data(tmp), tmplen);
print_hex(ibuf_data(tmp), 0, ibuf_size(tmp));
ret = 0;
done:
ibuf_release(tmp);
return (ret);
}
static SRP_Result calculate_M(SRP_HashAlgorithm alg, NGConstant *ng, unsigned char *dest,
const char *I, const unsigned char *s_bytes, size_t s_len, const mpz_t A,
const mpz_t B, const unsigned char *K)
{
unsigned char H_N[SHA512_DIGEST_LENGTH];
unsigned char H_g[SHA512_DIGEST_LENGTH];
unsigned char H_I[SHA512_DIGEST_LENGTH];
unsigned char H_xor[SHA512_DIGEST_LENGTH];
HashCTX ctx;
size_t i = 0;
size_t hash_len = hash_length(alg);
if (!hash_num(alg, ng->N, H_N)) return SRP_ERR;
if (!hash_num(alg, ng->g, H_g)) return SRP_ERR;
hash(alg, (const unsigned char *)I, strlen(I), H_I);
for (i = 0; i < hash_len; i++)
H_xor[i] = H_N[i] ^ H_g[i];
hash_init(alg, &ctx);
hash_update(alg, &ctx, H_xor, hash_len);
hash_update(alg, &ctx, H_I, hash_len);
hash_update(alg, &ctx, s_bytes, s_len);
if (!update_hash_n(alg, &ctx, A)) return SRP_ERR;
if (!update_hash_n(alg, &ctx, B)) return SRP_ERR;
hash_update(alg, &ctx, K, hash_len);
hash_final(alg, &ctx, dest);
return SRP_OK;
}
static void calculate_M( SRP_HashAlgorithm alg, NGConstant *ng, unsigned char * dest, const char * I, const BIGNUM * s,
const BIGNUM * A, const BIGNUM * B, const unsigned char * K )
{
unsigned char H_N[ SHA256_DIGEST_LENGTH ];
unsigned char H_g[ SHA256_DIGEST_LENGTH ];
unsigned char H_I[ SHA256_DIGEST_LENGTH ];
unsigned char H_xor[ SHA256_DIGEST_LENGTH ];
HashCTX ctx;
int i = 0;
int hash_len = hash_length(alg);
hash_num( alg, ng->N, H_N );
hash_num( alg, ng->g, H_g );
hash(alg, (const unsigned char *)I, strlen(I), H_I);
for (i=0; i < hash_len; i++ )
H_xor[i] = H_N[i] ^ H_g[i];
hash_init( alg, &ctx );
hash_update( alg, &ctx, H_xor, hash_len );
hash_update( alg, &ctx, H_I, hash_len );
update_hash_n( alg, &ctx, s );
update_hash_n( alg, &ctx, A );
update_hash_n( alg, &ctx, B );
hash_update( alg, &ctx, K, hash_len );
hash_final( alg, &ctx, dest );
}
//----------------------------------------------------------------------
void h_init(const void* key, size_t key_len)
{
memset(g_k_opad, 0, sizeof(g_k_opad));
// Key scheduling
if (key_len > sizeof(g_k_opad)) {
printf("Hashing the key\n");
// Hash the key
hash_init();
hash_update(key, key_len);
hash_final(g_k_opad);
} else {
// Copy the key
memcpy(g_k_opad, key, key_len);
}
// Start the inner hash thread
hash_init();
// Inner padding (ipad)
for (size_t n = 0; n < sizeof(g_k_opad); ++n) {
g_k_opad[n] ^= 0x36;
}
hash_update(g_k_opad, sizeof(g_k_opad));
}
static void hash_bytes(const byte t, const byte * const b, const size_t l,
hash hash) {
hash_ctx ctx;
hash_init(&ctx, t);
hash_update(&ctx, b, l);
hash_final(&ctx, hash);
}
struct ibuf *
ikev2_msg_auth(struct iked *env, struct iked_sa *sa, int response)
{
struct ibuf *authmsg = NULL, *nonce, *prfkey, *buf;
uint8_t *ptr;
struct iked_id *id;
size_t tmplen;
/*
* Create the payload to be signed/MAC'ed for AUTH
*/
if (!response) {
if ((nonce = sa->sa_rnonce) == NULL ||
(sa->sa_iid.id_type == 0) ||
(prfkey = sa->sa_key_iprf) == NULL ||
(buf = sa->sa_1stmsg) == NULL)
return (NULL);
id = &sa->sa_iid;
} else {
if ((nonce = sa->sa_inonce) == NULL ||
(sa->sa_rid.id_type == 0) ||
(prfkey = sa->sa_key_rprf) == NULL ||
(buf = sa->sa_2ndmsg) == NULL)
return (NULL);
id = &sa->sa_rid;
}
if ((authmsg = ibuf_dup(buf)) == NULL)
return (NULL);
if (ibuf_cat(authmsg, nonce) != 0)
goto fail;
if ((hash_setkey(sa->sa_prf, ibuf_data(prfkey),
ibuf_size(prfkey))) == NULL)
goto fail;
if ((ptr = ibuf_advance(authmsg,
hash_length(sa->sa_prf))) == NULL)
goto fail;
hash_init(sa->sa_prf);
hash_update(sa->sa_prf, ibuf_data(id->id_buf), ibuf_size(id->id_buf));
hash_final(sa->sa_prf, ptr, &tmplen);
if (tmplen != hash_length(sa->sa_prf))
goto fail;
log_debug("%s: %s auth data length %zu",
__func__, response ? "responder" : "initiator",
ibuf_size(authmsg));
print_hex(ibuf_data(authmsg), 0, ibuf_size(authmsg));
return (authmsg);
fail:
ibuf_release(authmsg);
return (NULL);
}
bool verify(const epoch_context& context, const hash256& header_hash, const hash256& mix_hash, uint64_t nonce, const hash256& boundary) noexcept
{
const hash512 seed = hash_seed(header_hash, nonce);
if (!is_less_or_equal(hash_final(seed, mix_hash), boundary))
return false;
const hash256 expected_mix_hash = hash_kernel(context, seed, calculate_dataset_item);
return std::memcmp(expected_mix_hash.bytes, mix_hash.bytes, sizeof(mix_hash)) == 0;
}
static __inline u32_t makehash(u32_t p1, u64_t p2)
{
u32_t offlo = ex64lo(p2), offhi = ex64hi(p2),
v = 0x12345678;
hash_mix(p1, offlo, offhi);
hash_final(offlo, offhi, v);
return v % HASHSIZE;
}
/* Returns the hash of 'a', 'b', and 'c'. */
uint32_t
hash_3words(uint32_t a, uint32_t b, uint32_t c)
{
a += 0xdeadbeef;
b += 0xdeadbeef;
c += 0xdeadbeef;
hash_final(&a, &b, &c);
return c;
}
//----------------------------------------------------------------------
void h_final(unsigned char hmac[HASH_DIGEST_SIZE])
{
// Finish inner hash
hash_final(hmac);
// Outer hash
hash_init();
// Outer padding (opad) from inner padding
for (size_t n = 0; n < sizeof(g_k_opad); ++n) {
g_k_opad[n] ^= (0x36 ^ 0x5C);
}
hash_update(g_k_opad, sizeof(g_k_opad));
// Finish HMAC
hash_update(hmac, HASH_DIGEST_SIZE);
hash_final(hmac);
// Cleanup
memset(g_k_opad, 0, sizeof(g_k_opad));
}
static void calculate_H_AMK( SRP_HashAlgorithm alg, unsigned char *dest, const BIGNUM * A, const unsigned char * M, const unsigned char * K )
{
HashCTX ctx;
hash_init( alg, &ctx );
update_hash_n( alg, &ctx, A );
hash_update( alg, &ctx, M, hash_length(alg) );
hash_update( alg, &ctx, K, hash_length(alg) );
hash_final( alg, &ctx, dest );
}
void HashData( char *_data, char *_result )
{
hash_context c;
hash_initial(&c);
hash_process(&c, (unsigned char *) _data, strlen(_data));
uint32 hash[5];
hash_final(&c, hash);
sprintf(_result, "hsh%04x%04x%04x%04x%04x", hash[0], hash[1], hash[2], hash[3], hash[4]);
}
int MD5_testRun(void)
{
int i;
MD5_Context context;
MD5_init(&context);
hash_begin(&context.h);
hash_update(&context.h, "abc", 3);
ASSERT(memcmp(hash_final(&context.h), "\x90\x01\x50\x98\x3C\xD2\x4F\xB0\xD6\x96\x3F\x7D\x28\xE1\x7F\x72", 16) == 0);
hash_begin(&context.h);
hash_update(&context.h, "aaa", 3);
ASSERT(memcmp(hash_final(&context.h), "\x47\xBC\xE5\xC7\x4F\x58\x9F\x48\x67\xDB\xD5\x7E\x9C\xA9\xF8\x08", 16) == 0);
hash_begin(&context.h);
hash_update(&context.h, "abcdefghijklmnopqrstuvwxyz", 26);
ASSERT(memcmp(hash_final(&context.h), "\xC3\xFC\xD3\xD7\x61\x92\xE4\x00\x7D\xFB\x49\x6C\xCA\x67\xE1\x3B", 16) == 0);
hash_begin(&context.h);
hash_update(&context.h, "0123456789", 10);
ASSERT(memcmp(hash_final(&context.h), "\x78\x1E\x5E\x24\x5D\x69\xB5\x66\x97\x9B\x86\xE2\x8D\x23\xF2\xC7", 16) == 0);
hash_begin(&context.h);
for (i = 0; i < 1000; i++)
hash_update(&context.h, "a", 1);
ASSERT(memcmp(hash_final(&context.h), "\xCA\xBE\x45\xDC\xC9\xAE\x5B\x66\xBA\x86\x60\x0C\xCA\x6B\x8B\xA8", 16) == 0);
hash_begin(&context.h);
for (i = 0; i < 1000000; i++)
hash_update(&context.h, "a", 1);
ASSERT(memcmp(hash_final(&context.h), "\x77\x07\xd6\xae\x4e\x02\x7c\x70\xee\xa2\xa9\x35\xc2\x29\x6f\x21", 16) == 0);
return 0;
}
cryptonite_decaf_error_t cryptonite_decaf_ed448_verify (
const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(point_t) pk_point, r_point;
cryptonite_decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);
if (CRYPTONITE_DECAF_SUCCESS != error) { return error; }
error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(r_point,signature);
if (CRYPTONITE_DECAF_SUCCESS != error) { return error; }
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,pubkey,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
cryptonite_decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);
API_NS(scalar_t) response_scalar;
API_NS(scalar_decode_long)(
response_scalar,
&signature[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],
CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES
);
#if EDDSA_BASE_POINT_RATIO == 2
API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);
#endif
/* pk_point = -c(x(P)) + (cx + k)G = kG */
API_NS(base_double_scalarmul_non_secret)(
pk_point,
response_scalar,
pk_point,
challenge_scalar
);
return cryptonite_decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}
static SRP_Result calculate_H_AMK(SRP_HashAlgorithm alg, unsigned char *dest,
const mpz_t A, const unsigned char *M, const unsigned char *K)
{
HashCTX ctx;
hash_init(alg, &ctx);
if (!update_hash_n(alg, &ctx, A)) return SRP_ERR;
hash_update(alg, &ctx, M, hash_length(alg));
hash_update(alg, &ctx, K, hash_length(alg));
hash_final(alg, &ctx, dest);
return SRP_OK;
}
static void calculate_y2(uint8_t *ims, uint8_t *y2) {
/* Y2 = sha256(IMS[0:31] xor copy(0x5a, 32)) */
uint32_t i;
uint32_t temp;
uint32_t *pims = (uint32_t *)ims;
hash_start();
/* grab IMS 4bytes at a time and feed that to hash_update */
for (i = 0; i < 8; i++) {
temp = pims[i] ^ 0x5a5a5a5a;
hash_update((unsigned char *)&temp, sizeof(temp));
}
hash_final(y2);
}
static BIGNUM * calculate_x( SRP_HashAlgorithm alg, const BIGNUM * salt, const char * username, const unsigned char * password, int password_len )
{
unsigned char ucp_hash[SHA512_DIGEST_LENGTH];
HashCTX ctx;
hash_init( alg, &ctx );
hash_update( alg, &ctx, username, strlen(username) );
hash_update( alg, &ctx, ":", 1 );
hash_update( alg, &ctx, password, password_len );
hash_final( alg, &ctx, ucp_hash );
return H_ns( alg, salt, ucp_hash, hash_length(alg) );
}
void HashData( char *_data, int _hashToken, char *_result )
{
hash_context c;
hash_initial(&c);
char fullString[512];
sprintf( fullString, "%s-%d", _data, _hashToken );
hash_process(&c, (unsigned char *) fullString, strlen(fullString));
uint32 hash[5];
hash_final(&c, hash);
sprintf(_result, "hsh%04x%04x%04x%04x%04x", hash[0], hash[1], hash[2], hash[3], hash[4]);
}
static int calculate_x(mpz_t result, SRP_HashAlgorithm alg, const unsigned char *salt, size_t salt_len, const char *username, const unsigned char *password, size_t password_len)
{
unsigned char ucp_hash[SHA512_DIGEST_LENGTH];
HashCTX ctx;
hash_init(alg, &ctx);
srp_dbg_data((char*) username, strlen(username), "Username for x: ");
srp_dbg_data((char*) password, password_len, "Password for x: ");
hash_update(alg, &ctx, username, strlen(username));
hash_update(alg, &ctx, ":", 1);
hash_update(alg, &ctx, password, password_len);
hash_final(alg, &ctx, ucp_hash);
return H_ns(result, alg, salt, salt_len, ucp_hash, hash_length(alg));
}
unsigned char GenerateSyncValue()
{
START_PROFILE( "GenerateSyncValue" );
//
// Generate a number between 0 and 255 that represents every unit in game
// So if a single one is different, we will know immediately
unsigned char result = 0;
//
// Objects
hash_context c;
hash_initial(&c);
#ifdef TRACK_SYNC_RAND
for( int i = 0; i < g_app->GetWorld()->m_objects.Size(); ++i )
{
if( g_app->GetWorld()->m_objects.ValidIndex(i) )
{
WorldObject *obj = g_app->GetWorld()->m_objects[i];
Hash( c, obj->m_longitude );
Hash( c, obj->m_latitude );
Hash( c, obj->m_vel.x );
Hash( c, obj->m_vel.y );
Hash( c, obj->m_currentState );
}
}
#endif
//
// Random value
Hash( c, syncfrand(255) );
uint32 hashResult[5];
hash_final(&c, hashResult);
result = hashResult[0] & 0xFF;
END_PROFILE( "GenerateSyncValue" );
return result;
}
result hash(const epoch_context_full& context, const hash256& header_hash, uint64_t nonce) noexcept
{
static const auto lazy_lookup = [](const epoch_context& context, uint32_t index) noexcept
{
auto full_dataset = static_cast<const epoch_context_full&>(context).full_dataset;
hash1024& item = full_dataset[index];
if (item.words[0] == 0)
{
// TODO: Copy elision here makes it thread-safe?
item = calculate_dataset_item(context, index);
}
return item;
};
const hash512 seed = hash_seed(header_hash, nonce);
const hash256 mix_hash = hash_kernel(context, seed, lazy_lookup);
return {hash_final(seed, mix_hash), mix_hash};
}
void cryptonite_decaf_ed448_sign_prehash (
uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],
const cryptonite_decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
cryptonite_decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
cryptonite_decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
cryptonite_decaf_bzero(hash_output,sizeof(hash_output));
}
cryptonite_decaf_error_t cryptonite_decaf_ed448_verify_prehash (
const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],
const cryptonite_decaf_ed448_prehash_ctx_t hash,
const uint8_t *context,
uint8_t context_len
) {
cryptonite_decaf_error_t ret;
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
cryptonite_decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
ret = cryptonite_decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
return ret;
}
void cryptonite_decaf_ed448_sign (
uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t *message,
size_t message_len,
uint8_t prehashed,
const uint8_t *context,
uint8_t context_len
) {
API_NS(scalar_t) secret_scalar;
hash_ctx_t hash;
{
/* Schedule the secret key */
struct {
uint8_t secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];
uint8_t seed[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];
} __attribute__((packed)) expanded;
hash_hash(
(uint8_t *)&expanded,
sizeof(expanded),
privkey,
CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES
);
clamp(expanded.secret_scalar_ser);
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
cryptonite_decaf_bzero(&expanded, sizeof(expanded));
}
/* Decode the nonce */
API_NS(scalar_t) nonce_scalar;
{
uint8_t nonce[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,nonce,sizeof(nonce));
API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));
cryptonite_decaf_bzero(nonce, sizeof(nonce));
}
uint8_t nonce_point[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES] = {0};
{
/* Scalarmul to create the nonce-point */
API_NS(scalar_t) nonce_scalar_2;
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);
for (unsigned int c = 2*EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {
API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);
}
API_NS(point_t) p;
API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);
API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(nonce_point, p);
API_NS(point_destroy)(p);
API_NS(scalar_destroy)(nonce_scalar_2);
}
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
uint8_t challenge[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];
hash_final(hash,challenge,sizeof(challenge));
hash_destroy(hash);
API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));
cryptonite_decaf_bzero(challenge,sizeof(challenge));
}
API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);
API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);
cryptonite_decaf_bzero(signature,CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES);
memcpy(signature,nonce_point,sizeof(nonce_point));
API_NS(scalar_encode)(&signature[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);
API_NS(scalar_destroy)(secret_scalar);
API_NS(scalar_destroy)(nonce_scalar);
API_NS(scalar_destroy)(challenge_scalar);
}
CK_RV C_Digest(CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* data to be digested */
CK_ULONG ulDataLen, /* bytes of data to be digested */
CK_BYTE_PTR pDigest, /* receives the message digest */
CK_ULONG_PTR pulDigestLen) /* receives byte length of digest */
{
CK_RV ret;
P11_SESSION *pSession = NULL;
P11_DIGEST_DATA *pDigestData = NULL;
if (p11_get_init() != BEIDP11_INITIALIZED)
{
log_trace(WHERE, "I: leave, CKR_CRYPTOKI_NOT_INITIALIZED");
return (CKR_CRYPTOKI_NOT_INITIALIZED);
}
p11_lock();
log_trace(WHERE, "I: enter, hSession = %i",hSession);
ret = p11_get_session(hSession, &pSession);
if (ret)
{
log_trace(WHERE, "E: Invalid session handle (%d)", hSession);
goto cleanup;
}
//is there an active search operation for this session
if ((pSession->Operation[P11_OPERATION_DIGEST].active) == 0)
{
log_trace(WHERE, "E: Session %d: no digest operation initialized", hSession);
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
/* get digest operation */
if((pDigestData = pSession->Operation[P11_OPERATION_DIGEST].pData) == NULL)
{
log_trace(WHERE, "E: no digest operation initialized");
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
if(pDigestData->update)
{
log_trace(WHERE, "E: C_Digest() cannot be used to finalize C_DigestUpdate()");
ret = CKR_FUNCTION_FAILED;
goto cleanup;
}
if (pDigest == NULL)
{
*pulDigestLen = pDigestData->l_hash;
/* return ok without terminating digest params */
ret = CKR_OK;
goto cleanup;
}
if (*pulDigestLen < pDigestData->l_hash)
{
*pulDigestLen = pDigestData->l_hash;
ret = CKR_BUFFER_TOO_SMALL;
goto cleanup;
}
ret = hash_update(pDigestData->phash, (char*)pData, ulDataLen);
if(ret == 0)
ret = hash_final(pDigestData->phash, pDigest, pulDigestLen);
if(ret)
{
log_trace(WHERE, "E: hash failed()");
ret = CKR_FUNCTION_FAILED;
//don't goto cleanup here
}
/* terminate digest operation */
free(pDigestData);
pSession->Operation[P11_OPERATION_DIGEST].pData = NULL;
pSession->Operation[P11_OPERATION_DIGEST].active = 0;
cleanup:
p11_unlock();
log_trace(WHERE, "I: leave, ret = 0x%08x",ret);
return ret;
}
CK_RV C_SignFinal(CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pSignature, /* receives the signature */
CK_ULONG_PTR pulSignatureLen) /* receives byte count of signature */
{
CK_RV ret;
P11_SESSION *pSession = NULL;
P11_SIGN_DATA *pSignData = NULL;
unsigned char *pDigest = NULL;
unsigned long ulDigestLen = 0;
if (p11_get_init() != BEIDP11_INITIALIZED)
{
log_trace(WHERE, "I: leave, CKR_CRYPTOKI_NOT_INITIALIZED");
return (CKR_CRYPTOKI_NOT_INITIALIZED);
}
p11_lock();
log_trace(WHERE, "I: enter");
ret = p11_get_session(hSession, &pSession);
if (ret)
{
log_trace(WHERE, "E: Invalid session handle (%d)", hSession);
goto cleanup;
}
//is there an active search operation for this session
if (pSession->Operation[P11_OPERATION_SIGN].active == 0)
{
log_trace(WHERE, "E: Session %d: no sign operation initialized", hSession);
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
/* get sign operation */
if((pSignData = pSession->Operation[P11_OPERATION_SIGN].pData) == NULL)
{
log_trace( WHERE, "E: no sign operation initialized");
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
if(pSignature == NULL)
{
*pulSignatureLen = pSignData->l_sign;
ret = CKR_OK;
goto cleanup;
}
if(*pulSignatureLen < pSignData->l_sign)
{
*pulSignatureLen = pSignData->l_sign;
ret = CKR_BUFFER_TOO_SMALL;
goto cleanup;
}
if (pSignData->phash)
{
/* get hash */
pDigest = (unsigned char*) malloc(pSignData->l_hash);
if (pDigest == NULL)
{
ret = CKR_HOST_MEMORY;
goto cleanup;
}
ret = hash_final(pSignData->phash, pDigest, &ulDigestLen);
if(ret)
{
log_trace(WHERE, "E: hash_final failed()");
ret = CKR_FUNCTION_FAILED;
goto cleanup;
}
}
else
{
/* no hash: get buffer to sign directly */
pDigest = (unsigned char*) malloc(pSignData->lbuf);
if (pDigest == NULL)
{
ret = CKR_HOST_MEMORY;
goto cleanup;
}
memcpy(pDigest, pSignData->pbuf, pSignData->lbuf);
ulDigestLen = pSignData->lbuf;
}
ret = cal_sign(pSession->hslot, pSignData, pDigest, ulDigestLen, pSignature, pulSignatureLen);
if (ret != CKR_OK)
log_trace(WHERE, "E: cal_sign() returned %s", log_map_error(ret));
//terminate sign operation
free(pSignData);
pSession->Operation[P11_OPERATION_SIGN].pData = NULL;
pSession->Operation[P11_OPERATION_SIGN].active = 0;
cleanup:
if (pDigest)
free(pDigest);
p11_unlock();
log_trace(WHERE, "I: leave, ret = 0x%08x",ret);
return ret;
}
CK_RV C_Sign(CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* the data to be signed */
CK_ULONG ulDataLen, /* count of bytes to be signed */
CK_BYTE_PTR pSignature, /* receives the signature */
CK_ULONG_PTR pulSignatureLen) /* receives byte count of signature */
{
CK_RV ret = CKR_OK;
P11_SESSION* pSession = NULL;
P11_SIGN_DATA* pSignData = NULL;
unsigned char* pDigest = NULL;
unsigned long ulDigestLen = 0;
// unsigned int ulSignatureLen = *pulSignatureLen;
if (p11_get_init() != BEIDP11_INITIALIZED)
{
log_trace(WHERE, "I: leave, CKR_CRYPTOKI_NOT_INITIALIZED");
return (CKR_CRYPTOKI_NOT_INITIALIZED);
}
p11_lock();
log_trace(WHERE, "I: enter");
ret = p11_get_session(hSession, &pSession);
if (ret)
{
log_trace(WHERE, "E: Invalid session handle (%d)", hSession);
goto cleanup;
}
//is there an active search operation for this session
if (pSession->Operation[P11_OPERATION_SIGN].active == 0)
{
log_trace(WHERE, "E: Session %d: no sign operation initialized", hSession);
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
/* get sign operation */
if((pSignData = pSession->Operation[P11_OPERATION_SIGN].pData) == NULL)
{
log_trace( WHERE, "E: no sign operation initialized");
ret = CKR_OPERATION_NOT_INITIALIZED;
goto cleanup;
}
if(pSignData->update)
{
log_trace(WHERE, "E: C_Sign() cannot be used to finalize a C_SignUpdate() function");
ret = CKR_FUNCTION_FAILED;
goto cleanup;
}
if (pSignature == NULL)
{
/* just return the signature size */
*pulSignatureLen = pSignData->l_sign;
ret = CKR_OK;
goto cleanup;
}
if (pSignData->l_sign > *pulSignatureLen)
{
*pulSignatureLen = pSignData->l_sign;
ret = CKR_BUFFER_TOO_SMALL;
goto cleanup;
}
/* do we have to hash first? */
if (pSignData->phash)
{
/* reserve space for data to sign */
pDigest = (unsigned char*) malloc(pSignData->l_hash);
if (pDigest == NULL)
{
ret = CKR_HOST_MEMORY;
goto cleanup;
}
ret = hash_update(pSignData->phash, (char*)pData, ulDataLen);
if(ret == 0)
ret = hash_final(pSignData->phash, pDigest, &ulDigestLen);
if(ret)
{
log_trace(WHERE, "E: hash failed()");
ret = CKR_FUNCTION_FAILED;
goto terminate;
}
}
else
{
/* reserve space for data to sign */
pDigest = (unsigned char*) malloc(ulDataLen);
if (pDigest == NULL)
{
ret = CKR_HOST_MEMORY;
goto cleanup;
}
memcpy(pDigest, pData, ulDataLen);
ulDigestLen = ulDataLen;
}
/* do the signing (and add pkcs headers first if needed) */
ret = cal_sign(pSession->hslot, pSignData, pDigest, ulDigestLen, pSignature, pulSignatureLen);
if (ret != CKR_OK)
log_trace(WHERE, "E: cal_sign() returned %s", log_map_error(ret));
terminate:
//terminate sign operation
free(pSignData);
pSession->Operation[P11_OPERATION_SIGN].pData = NULL;
pSession->Operation[P11_OPERATION_SIGN].active = 0;
cleanup:
if (pDigest)
free(pDigest);
p11_unlock();
log_trace(WHERE, "I: leave, ret = 0x%08x",ret);
return ret;
}
