| blob | 5823b4e5571b8c17cfead246ca618d01e221682e |
1 /* Copyright (c) 2013-2020, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file crypto_ed25519.c
6 *
7 * \brief Wrapper code for an ed25519 implementation.
8 *
9 * Ed25519 is a Schnorr signature on a Twisted Edwards curve, defined
10 * by Dan Bernstein. For more information, see https://ed25519.cr.yp.to/
11 *
12 * This module wraps our choice of Ed25519 backend, and provides a few
13 * convenience functions for checking and generating signatures. It also
14 * provides Tor-specific tools for key blinding and for converting Ed25519
15 * keys to and from the corresponding Curve25519 keys.
16 */
18 #define CRYPTO_ED25519_PRIVATE
20 #ifdef HAVE_SYS_STAT_H
21 #include <sys/stat.h>
22 #endif
39 #include <string.h>
40 #include <errno.h>
44 /** An Ed25519 implementation, as a set of function pointers. */
72 /** The Ref10 Ed25519 implementation. This one is pure C and lightly
73 * optimized. */
75 NULL,
77 ed25519_ref10_seckey,
78 ed25519_ref10_seckey_expand,
79 ed25519_ref10_pubkey,
80 ed25519_ref10_keygen,
82 ed25519_ref10_open,
83 ed25519_ref10_sign,
84 NULL,
86 ed25519_ref10_blind_secret_key,
87 ed25519_ref10_blind_public_key,
89 ed25519_ref10_pubkey_from_curve25519_pubkey,
90 ed25519_ref10_scalarmult_with_group_order,
91 };
93 /** The Ref10 Ed25519 implementation. This one is heavily optimized, but still
94 * mostly C. The C still tends to be heavily platform-specific. */
96 ed25519_donna_selftest,
98 ed25519_donna_seckey,
99 ed25519_donna_seckey_expand,
100 ed25519_donna_pubkey,
101 ed25519_donna_keygen,
103 ed25519_donna_open,
104 ed25519_donna_sign,
107 ed25519_donna_blind_secret_key,
108 ed25519_donna_blind_public_key,
110 ed25519_donna_pubkey_from_curve25519_pubkey,
111 ed25519_donna_scalarmult_with_group_order,
112 };
114 /** Which Ed25519 implementation are we using? NULL if we haven't decided
115 * yet. */
118 /** Helper: Return our chosen Ed25519 implementation.
119 *
120 * This should only be called after we've picked an implementation, but
121 * it _does_ recover if you forget this.
122 **/
125 {
128 }
130 }
132 #ifdef TOR_UNIT_TESTS
133 /** For testing: used to remember our actual choice of Ed25519
134 * implementation */
136 /** For testing: Use the Ed25519 implementation called <b>name</b> until
137 * crypto_ed25519_testing_restore_impl is called. Recognized names are
138 * "donna" and "ref10". */
139 void
141 {
149 }
150 }
151 /** For testing: go back to whatever Ed25519 implementation we had picked
152 * before crypto_ed25519_testing_force_impl was called.
153 */
154 void
156 {
159 }
162 /**
163 * Initialize a new ed25519 secret key in <b>seckey_out</b>. If
164 * <b>extra_strong</b>, take the RNG inputs directly from the operating
165 * system. Return 0 on success, -1 on failure.
166 */
167 int
170 {
175 else
182 }
184 /**
185 * Given a 32-byte random seed in <b>seed</b>, expand it into an ed25519
186 * secret key in <b>seckey_out</b>. Return 0 on success, -1 on failure.
187 */
188 int
191 {
195 }
197 /**
198 * Given a secret key in <b>seckey</b>, expand it into an
199 * ed25519 public key. Return 0 on success, -1 on failure.
200 */
201 int
204 {
208 }
210 /** Generate a new ed25519 keypair in <b>keypair_out</b>. If
211 * <b>extra_strong</b> is set, try to mix some system entropy into the key
212 * generation process. Return 0 on success, -1 on failure. */
213 int
215 {
222 }
224 /** Return true iff 'pubkey' is set to zero (eg to indicate that it is not
225 * set). */
226 int
228 {
230 }
232 /* Return a heap-allocated array that contains <b>msg</b> prefixed by the
233 * string <b>prefix_str</b>. Set <b>final_msg_len_out</b> to the size of the
234 * final array. If an error occurred, return NULL. It's the responsibility of
235 * the caller to free the returned array. */
240 {
249 /* msg_len + strlen(prefix_str) must not overflow. */
252 }
262 }
264 /**
265 * Set <b>signature_out</b> to a signature of the <b>len</b>-byte message
266 * <b>msg</b>, using the secret and public key in <b>keypair</b>.
267 *
268 * Return 0 if we successfully signed the message, otherwise return -1.
269 */
270 int
274 {
279 }
282 }
284 /**
285 * Like ed25519_sign(), but also prefix <b>msg</b> with <b>prefix_str</b>
286 * before signing. <b>prefix_str</b> must be a NUL-terminated string.
287 */
293 {
303 /* LCOV_EXCL_START -- only possible when the message and prefix are
304 * ridiculously huge */
307 /* LCOV_EXCL_STOP */
308 }
312 keypair);
316 }
318 /**
319 * Check whether if <b>signature</b> is a valid signature for the
320 * <b>len</b>-byte message in <b>msg</b> made with the key <b>pubkey</b>.
321 *
322 * Return 0 if the signature is valid; -1 if it isn't.
323 */
328 {
329 return
331 }
333 /**
334 * Like ed2519_checksig(), but also prefix <b>msg</b> with <b>prefix_str</b>
335 * before verifying signature. <b>prefix_str</b> must be a NUL-terminated
336 * string.
337 */
338 int
343 {
351 /* LCOV_EXCL_START -- only possible when the message and prefix are
352 * ridiculously huge */
355 /* LCOV_EXCL_STOP */
356 }
360 pubkey);
364 }
366 /** Validate every signature among those in <b>checkable</b>, which contains
367 * exactly <b>n_checkable</b> elements. If <b>okay_out</b> is non-NULL, set
368 * the i'th element of <b>okay_out</b> to 1 if the i'th element of
369 * <b>checkable</b> is valid, and to 0 otherwise. Return 0 if every signature
370 * was valid. Otherwise return -N, where N is the number of invalid
371 * signatures.
372 */
377 {
382 /* No batch verification implementation available, fake it by checking the
383 * each signature individually.
384 */
393 }
395 /* ed25519-donna style batch verification available.
396 *
397 * Theoretically, this should only be called if n_checkable >= 3, since
398 * that's the threshold where the batch verification actually kicks in,
399 * but the only difference is a few mallocs/frees.
400 */
420 }
427 }
428 /* XXX: For now sanity check oks with the return value. Once we have
429 * more confidence in the code, if `all_ok == 0` we can skip iterating
430 * over oks since all the signatures were found to be valid.
431 */
440 }
443 }
445 /**
446 * Given a curve25519 keypair in <b>inp</b>, generate a corresponding
447 * ed25519 keypair in <b>out</b>, and set <b>signbit_out</b> to the
448 * sign bit of the X coordinate of the ed25519 key.
449 *
450 * NOTE THAT IT IS PROBABLY NOT SAFE TO USE THE GENERATED KEY FOR ANYTHING
451 * OUTSIDE OF WHAT'S PRESENTED IN PROPOSAL 228. In particular, it's probably
452 * not a great idea to use it to sign attacker-supplied anything.
453 */
454 int
458 {
460 ed25519_public_key_t pubkey_check;
486 }
488 /**
489 * Given a curve25519 public key and sign bit of X coordinate of the ed25519
490 * public key, generate the corresponding ed25519 public key.
491 */
492 int
496 {
499 signbit);
500 }
502 /**
503 * Given an ed25519 keypair in <b>inp</b>, generate a corresponding
504 * ed25519 keypair in <b>out</b>, blinded by the corresponding 32-byte input
505 * in 'param'.
506 *
507 * Tor uses key blinding for the "next-generation" hidden services design:
508 * service descriptors are encrypted with a key derived from the service's
509 * long-term public key, and then signed with (and stored at a position
510 * indexed by) a short-term key derived by blinding the long-term keys.
511 *
512 * Return 0 if blinding was successful, else return -1. */
513 int
517 {
518 ed25519_public_key_t pubkey_check;
525 }
533 }
535 /**
536 * Given an ed25519 public key in <b>inp</b>, generate a corresponding blinded
537 * public key in <b>out</b>, blinded with the 32-byte parameter in
538 * <b>param</b>. Return 0 on success, -1 on railure.
539 */
540 int
544 {
546 }
548 /**
549 * Store seckey unencrypted to <b>filename</b>, marking it with <b>tag</b>.
550 * Return 0 on success, -1 on failure.
551 */
552 int
556 {
559 tag,
562 }
564 /**
565 * Read seckey unencrypted from <b>filename</b>, storing it into
566 * <b>seckey_out</b>. Set *<b>tag_out</b> to the tag it was marked with.
567 * Return 0 on success, -1 on failure.
568 */
569 int
573 {
574 ssize_t len;
583 }
587 }
589 /**
590 * Store pubkey unencrypted to <b>filename</b>, marking it with <b>tag</b>.
591 * Return 0 on success, -1 on failure.
592 */
593 int
597 {
600 tag,
603 }
605 /**
606 * Store pubkey unencrypted to <b>filename</b>, marking it with <b>tag</b>.
607 * Return 0 on success, -1 on failure.
608 */
609 int
613 {
614 ssize_t len;
623 }
627 }
629 /** Release all storage held for <b>kp</b>. */
630 void
632 {
638 }
640 /** Return true iff <b>key1</b> and <b>key2</b> are the same public key. */
641 int
644 {
648 }
650 /**
651 * Set <b>dest</b> to contain the same key as <b>src</b>.
652 */
653 void
656 {
660 }
662 /** Check whether the given Ed25519 implementation seems to be working.
663 * If so, return 0; otherwise return -1. */
666 {
672 };
678 };
689 };
696 /* Some implementations (eg: The modified Ed25519-donna) have handy self-test
697 * code that sanity-checks the internals. If present, use that to screen out
698 * catastrophic errors like massive compiler failure.
699 */
703 /* Validate results versus known answer tests. People really should be
704 * running "make test" instead of relying on this, but it's better than
705 * nothing.
706 *
707 * Test vectors taken from "EdDSA & Ed25519 - 6. Test Vectors for Ed25519
708 * (TEST3)" (draft-josefsson-eddsa-ed25519-03).
709 */
711 /* Key expansion, public key derivation. */
719 /* Signing, verification. */
727 /* XXX/yawning: Someone that's more paranoid than I am, can write "Assume
728 * ref0 is canonical, and fuzz impl against it" if they want, but I doubt
729 * that will catch anything that the known answer tests won't.
730 */
733 // LCOV_EXCL_START -- We can only reach this if our ed25519 implementation is
734 // broken.
735 fail:
737 // LCOV_EXCL_STOP
738 end:
740 }
742 /** Force the Ed25519 implementation to a given one, without sanity checking
743 * the output. Used for testing.
744 */
745 void
747 {
750 else
752 }
754 /** Choose whether to use the Ed25519-donna implementation. */
755 static void
757 {
763 /* LCOV_EXCL_START
764 * unreachable unless ed25519_donna is broken */
768 /* LCOV_EXCL_STOP */
769 }
771 /* Initialize the Ed25519 implementation. This is necessary if you're
772 * going to use them in a multithreaded setting, and not otherwise. */
773 void
775 {
777 }
779 /* Return true if <b>point</b> is the identity element of the ed25519 group. */
780 static int
782 {
783 /* The identity element in ed25159 is the point with coordinates (0,1). */
791 }
793 /** Validate <b>pubkey</b> to ensure that it has no torsion component.
794 * Return 0 if <b>pubkey</b> is valid, else return -1. */
795 int
797 {
800 /* First check that we were not given the identity element */
804 }
806 /* For any point on the curve, doing l*point should give the identity element
807 * (where l is the group order). Do the computation and check that the
808 * identity element is returned. */
813 }
818 }
821 }