|
Packit Service |
4684c1 |
/* eddsa-sign.c
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Copyright (C) 2014 Niels Möller
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This file is part of GNU Nettle.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNU Nettle is free software: you can redistribute it and/or
|
|
Packit Service |
4684c1 |
modify it under the terms of either:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
* the GNU Lesser General Public License as published by the Free
|
|
Packit Service |
4684c1 |
Software Foundation; either version 3 of the License, or (at your
|
|
Packit Service |
4684c1 |
option) any later version.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
or
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
* the GNU General Public License as published by the Free
|
|
Packit Service |
4684c1 |
Software Foundation; either version 2 of the License, or (at your
|
|
Packit Service |
4684c1 |
option) any later version.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
or both in parallel, as here.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
GNU Nettle is distributed in the hope that it will be useful,
|
|
Packit Service |
4684c1 |
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
4684c1 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Packit Service |
4684c1 |
General Public License for more details.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
You should have received copies of the GNU General Public License and
|
|
Packit Service |
4684c1 |
the GNU Lesser General Public License along with this program. If
|
|
Packit Service |
4684c1 |
not, see http://www.gnu.org/licenses/.
|
|
Packit Service |
4684c1 |
*/
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#if HAVE_CONFIG_H
|
|
Packit Service |
4684c1 |
# include "config.h"
|
|
Packit Service |
4684c1 |
#endif
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include <assert.h>
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include "eddsa.h"
|
|
Packit Service |
4684c1 |
#include "eddsa-internal.h"
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#include <nettle/ecc.h>
|
|
Packit Service |
4684c1 |
#include "ecc-internal.h"
|
|
Packit Service |
4684c1 |
#include <nettle/nettle-meta.h>
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
mp_size_t
|
|
Packit Service |
4684c1 |
_eddsa_sign_itch (const struct ecc_curve *ecc)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
assert (_eddsa_compress_itch (ecc) <= ecc->mul_g_itch);
|
|
Packit Service |
4684c1 |
return 5*ecc->p.size + ecc->mul_g_itch;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
void
|
|
Packit Service |
4684c1 |
_eddsa_sign (const struct ecc_curve *ecc,
|
|
Packit Service |
4684c1 |
const struct ecc_eddsa *eddsa,
|
|
Packit Service |
4684c1 |
void *ctx,
|
|
Packit Service |
4684c1 |
const uint8_t *pub,
|
|
Packit Service |
4684c1 |
const uint8_t *k1,
|
|
Packit Service |
4684c1 |
const mp_limb_t *k2,
|
|
Packit Service |
4684c1 |
size_t length,
|
|
Packit Service |
4684c1 |
const uint8_t *msg,
|
|
Packit Service |
4684c1 |
uint8_t *signature,
|
|
Packit Service |
4684c1 |
mp_limb_t *scratch)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
mp_size_t size;
|
|
Packit Service |
4684c1 |
size_t nbytes;
|
|
Packit Service |
4684c1 |
mp_limb_t q, cy;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
#define rp scratch
|
|
Packit Service |
4684c1 |
#define hp (scratch + size)
|
|
Packit Service |
4684c1 |
#define P (scratch + 2*size)
|
|
Packit Service |
4684c1 |
#define sp (scratch + 2*size)
|
|
Packit Service |
4684c1 |
#define hash ((uint8_t *) (scratch + 3*size))
|
|
Packit Service |
4684c1 |
#define scratch_out (scratch + 5*size)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
size = ecc->p.size;
|
|
Packit Service |
4684c1 |
nbytes = 1 + ecc->p.bit_size / 8;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
eddsa->dom (ctx);
|
|
Packit Service |
4684c1 |
eddsa->update (ctx, nbytes, k1);
|
|
Packit Service |
4684c1 |
eddsa->update (ctx, length, msg);
|
|
Packit Service |
4684c1 |
eddsa->digest (ctx, 2*nbytes, hash);
|
|
Packit Service |
4684c1 |
_eddsa_hash (&ecc->q, rp, 2*nbytes, hash);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ecc->mul_g (ecc, P, rp, scratch_out);
|
|
Packit Service |
4684c1 |
_eddsa_compress (ecc, signature, P, scratch_out);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
eddsa->dom (ctx);
|
|
Packit Service |
4684c1 |
eddsa->update (ctx, nbytes, signature);
|
|
Packit Service |
4684c1 |
eddsa->update (ctx, nbytes, pub);
|
|
Packit Service |
4684c1 |
eddsa->update (ctx, length, msg);
|
|
Packit Service |
4684c1 |
eddsa->digest (ctx, 2*nbytes, hash);
|
|
Packit Service |
4684c1 |
_eddsa_hash (&ecc->q, hp, 2*nbytes, hash);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
ecc_mod_mul (&ecc->q, sp, hp, k2);
|
|
Packit Service |
4684c1 |
ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */
|
|
Packit Service |
4684c1 |
if (ecc->p.bit_size == 255)
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
/* FIXME: Special code duplicated in ecc_curve25519_modq
|
|
Packit Service |
4684c1 |
Define a suitable method for canonical reduction? */
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
/* q is slightly larger than 2^252, underflow from below
|
|
Packit Service |
4684c1 |
mpn_submul_1 is unlikely. */
|
|
Packit Service |
4684c1 |
unsigned shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1);
|
|
Packit Service |
4684c1 |
q = sp[ecc->p.size-1] >> shift;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
else
|
|
Packit Service |
4684c1 |
{
|
|
Packit Service |
4684c1 |
unsigned shift;
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
assert (ecc->p.bit_size == 448);
|
|
Packit Service |
4684c1 |
/* q is slightly smaller than 2^446 */
|
|
Packit Service |
4684c1 |
shift = 446 - GMP_NUMB_BITS * (ecc->p.size - 1);
|
|
Packit Service |
4684c1 |
/* Add one, then it's possible but unlikely that below
|
|
Packit Service |
4684c1 |
mpn_submul_1 does *not* underflow. */
|
|
Packit Service |
4684c1 |
q = (sp[ecc->p.size-1] >> shift) + 1;
|
|
Packit Service |
4684c1 |
}
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q);
|
|
Packit Service |
4684c1 |
assert (cy < 2);
|
|
Packit Service |
4684c1 |
cy -= cnd_add_n (cy, sp, ecc->q.m, ecc->p.size);
|
|
Packit Service |
4684c1 |
assert (cy == 0);
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size);
|
|
Packit Service |
4684c1 |
#undef rp
|
|
Packit Service |
4684c1 |
#undef hp
|
|
Packit Service |
4684c1 |
#undef P
|
|
Packit Service |
4684c1 |
#undef sp
|
|
Packit Service |
4684c1 |
#undef hash
|
|
Packit Service |
4684c1 |
}
|