/** Perform the curve25519 ECDH handshake with <b>skey</b> and <b>pkey</b>, * writing CURVE25519_OUTPUT_LEN bytes of output into <b>output</b>. */ void curve25519_handshake(uint8_t *output, const curve25519_secret_key_t *skey, const curve25519_public_key_t *pkey) { curve25519_impl(output, skey->secret_key, pkey->public_key); }
STATIC int curve25519_basepoint_impl(uint8_t *output, const uint8_t *secret) { int r = 0; if (PREDICT_UNLIKELY(curve25519_use_ed == -1)) { pick_curve25519_basepoint_impl(); } /* TODO: Someone should benchmark curved25519_scalarmult_basepoint versus * an optimized NaCl build to see which should be used when compiled with * NaCl available. I suspected that the ed25519 optimization always wins. */ if (PREDICT_LIKELY(curve25519_use_ed == 1)) { curved25519_scalarmult_basepoint_donna(output, secret); r = 0; } else { static const uint8_t basepoint[32] = {9}; r = curve25519_impl(output, secret, basepoint); } return r; }
static void test_crypto_curve25519_impl(void *arg) { /* adapted from curve25519_donna, which adapted it from test-curve25519 version 20050915, by D. J. Bernstein, Public domain. */ const int randomize_high_bit = (arg != NULL); #ifdef SLOW_CURVE25519_TEST const int loop_max=10000; const char e1_expected[] = "4faf81190869fd742a33691b0e0824d5" "7e0329f4dd2819f5f32d130f1296b500"; const char e2k_expected[] = "05aec13f92286f3a781ccae98995a3b9" "e0544770bc7de853b38f9100489e3e79"; const char e1e2k_expected[] = "cd6e8269104eb5aaee886bd2071fba88" "bd13861475516bc2cd2b6e005e805064"; #else const int loop_max=200; const char e1_expected[] = "bc7112cde03f97ef7008cad1bdc56be3" "c6a1037d74cceb3712e9206871dcf654"; const char e2k_expected[] = "dd8fa254fb60bdb5142fe05b1f5de44d" "8e3ee1a63c7d14274ea5d4c67f065467"; const char e1e2k_expected[] = "7ddb98bd89025d2347776b33901b3e7e" "c0ee98cb2257a4545c0cfb2ca3e1812b"; #endif unsigned char e1k[32]; unsigned char e2k[32]; unsigned char e1e2k[32]; unsigned char e2e1k[32]; unsigned char e1[32] = {3}; unsigned char e2[32] = {5}; unsigned char k[32] = {9}; int loop, i; char *mem_op_hex_tmp = NULL; for (loop = 0; loop < loop_max; ++loop) { curve25519_impl(e1k,e1,k); curve25519_impl(e2e1k,e2,e1k); curve25519_impl(e2k,e2,k); if (randomize_high_bit) { /* We require that the high bit of the public key be ignored. So if * we're doing this variant test, we randomize the high bit of e2k, and * make sure that the handshake still works out the same as it would * otherwise. */ uint8_t byte; crypto_rand((char*)&byte, 1); e2k[31] |= (byte & 0x80); } curve25519_impl(e1e2k,e1,e2k); test_memeq(e1e2k, e2e1k, 32); if (loop == loop_max-1) { break; } for (i = 0;i < 32;++i) e1[i] ^= e2k[i]; for (i = 0;i < 32;++i) e2[i] ^= e1k[i]; for (i = 0;i < 32;++i) k[i] ^= e1e2k[i]; } test_memeq_hex(e1, e1_expected); test_memeq_hex(e2k, e2k_expected); test_memeq_hex(e1e2k, e1e2k_expected); done: tor_free(mem_op_hex_tmp); }