diff options
Diffstat (limited to 'FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c')
| -rw-r--r-- | FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c | 678 |
1 files changed, 561 insertions, 117 deletions
diff --git a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c index ba0dcbe53..8057caa7c 100644 --- a/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c +++ b/FreeRTOS-Plus/Source/WolfSSL/wolfcrypt/src/ed25519.c @@ -1,8 +1,8 @@ /* ed25519.c * - * Copyright (C) 2006-2015 wolfSSL Inc. + * Copyright (C) 2006-2020 wolfSSL Inc. * - * This file is part of wolfSSL. (formerly known as CyaSSL) + * This file is part of wolfSSL. * * wolfSSL is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -16,9 +16,10 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */ #ifdef HAVE_CONFIG_H @@ -32,22 +33,67 @@ #include <wolfssl/wolfcrypt/ed25519.h> #include <wolfssl/wolfcrypt/error-crypt.h> +#include <wolfssl/wolfcrypt/hash.h> #ifdef NO_INLINE #include <wolfssl/wolfcrypt/misc.h> #else + #define WOLFSSL_MISC_INCLUDED #include <wolfcrypt/src/misc.c> #endif +#ifdef FREESCALE_LTC_ECC + #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h> +#endif -/* - generate an ed25519 key pair. - returns 0 on success - */ -int wc_ed25519_make_key(RNG* rng, int keySz, ed25519_key* key) +#if defined(HAVE_ED25519_SIGN) || defined(HAVE_ED25519_VERIFY) +#define ED25519CTX_SIZE 32 + +static const byte ed25519Ctx[ED25519CTX_SIZE+1] = + "SigEd25519 no Ed25519 collisions"; +#endif + +int wc_ed25519_make_public(ed25519_key* key, unsigned char* pubKey, + word32 pubKeySz) { - byte az[64]; - int ret; + int ret = 0; + byte az[ED25519_PRV_KEY_SIZE]; +#if !defined(FREESCALE_LTC_ECC) ge_p3 A; +#endif + + if (key == NULL || pubKeySz != ED25519_PUB_KEY_SIZE) + ret = BAD_FUNC_ARG; + + if (ret == 0) + ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az); + if (ret == 0) { + /* apply clamp */ + az[0] &= 248; + az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */ + az[31] |= 64; + + #ifdef FREESCALE_LTC_ECC + ltc_pkha_ecc_point_t publicKey = {0}; + publicKey.X = key->pointX; + publicKey.Y = key->pointY; + LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), az, + ED25519_KEY_SIZE, &publicKey, kLTC_Ed25519 /* result on Ed25519 */); + LTC_PKHA_Ed25519_Compress(&publicKey, pubKey); + #else + ge_scalarmult_base(&A, az); + ge_p3_tobytes(pubKey, &A); + #endif + } + + return ret; +} + +/* generate an ed25519 key pair. + * returns 0 on success + */ +int wc_ed25519_make_key(WC_RNG* rng, int keySz, ed25519_key* key) +{ + int ret; if (rng == NULL || key == NULL) return BAD_FUNC_ARG; @@ -56,142 +102,412 @@ int wc_ed25519_make_key(RNG* rng, int keySz, ed25519_key* key) if (keySz != ED25519_KEY_SIZE) return BAD_FUNC_ARG; - ret = 0; - ret |= wc_RNG_GenerateBlock(rng, key->k, 32); - ret |= wc_Sha512Hash(key->k, 32, az); - az[0] &= 248; - az[31] &= 63; - az[31] |= 64; + ret = wc_RNG_GenerateBlock(rng, key->k, ED25519_KEY_SIZE); + if (ret != 0) + return ret; + + ret = wc_ed25519_make_public(key, key->p, ED25519_PUB_KEY_SIZE); + if (ret != 0) { + ForceZero(key->k, ED25519_KEY_SIZE); + return ret; + } + + /* put public key after private key, on the same buffer */ + XMEMMOVE(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE); - ge_scalarmult_base(&A, az); - ge_p3_tobytes(key->p, &A); - XMEMMOVE(key->k + 32, key->p, 32); + key->pubKeySet = 1; return ret; } +#ifdef HAVE_ED25519_SIGN /* - in contains the message to sign - inlen is the length of the message to sign - out is the buffer to write the signature - outlen [in/out] input size of out buf - output gets set as the final length of out - key is the ed25519 key to use when signing + in contains the message to sign + inLen is the length of the message to sign + out is the buffer to write the signature + outLen [in/out] input size of out buf + output gets set as the final length of out + key is the ed25519 key to use when signing + type one of Ed25519, Ed25519ctx or Ed25519ph + context extra signing data + contextLen length of extra signing data return 0 on success */ -int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out, - word32 *outlen, ed25519_key* key) +static int ed25519_sign_msg(const byte* in, word32 inLen, byte* out, + word32 *outLen, ed25519_key* key, byte type, + const byte* context, byte contextLen) { +#ifdef FREESCALE_LTC_ECC + byte tempBuf[ED25519_PRV_KEY_SIZE]; +#else ge_p3 R; - byte nonce[SHA512_DIGEST_SIZE]; - byte hram[SHA512_DIGEST_SIZE]; - byte az[64]; - word32 sigSz; - Sha512 sha; - int ret = 0; +#endif + byte nonce[WC_SHA512_DIGEST_SIZE]; + byte hram[WC_SHA512_DIGEST_SIZE]; + byte az[ED25519_PRV_KEY_SIZE]; + wc_Sha512 sha; + int ret; /* sanity check on arguments */ - if (in == NULL || out == NULL || outlen == NULL || key == NULL) + if (in == NULL || out == NULL || outLen == NULL || key == NULL || + (context == NULL && contextLen != 0)) { + return BAD_FUNC_ARG; + } + if (!key->pubKeySet) return BAD_FUNC_ARG; /* check and set up out length */ - ret = 0; - sigSz = wc_ed25519_sig_size(key); - if (*outlen < sigSz) - return BAD_FUNC_ARG; - *outlen = sigSz; + if (*outLen < ED25519_SIG_SIZE) { + *outLen = ED25519_SIG_SIZE; + return BUFFER_E; + } + *outLen = ED25519_SIG_SIZE; /* step 1: create nonce to use where nonce is r in r = H(h_b, ... ,h_2b-1,M) */ - ret |= wc_Sha512Hash(key->k,32,az); + ret = wc_Sha512Hash(key->k, ED25519_KEY_SIZE, az); + if (ret != 0) + return ret; + + /* apply clamp */ az[0] &= 248; - az[31] &= 63; + az[31] &= 63; /* same than az[31] &= 127 because of az[31] |= 64 */ az[31] |= 64; - ret |= wc_InitSha512(&sha); - ret |= wc_Sha512Update(&sha, az + 32, 32); - ret |= wc_Sha512Update(&sha, in, inlen); - ret |= wc_Sha512Final(&sha, nonce); + + ret = wc_InitSha512(&sha); + if (ret != 0) + return ret; + if (type == Ed25519ctx || type == Ed25519ph) { + ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, &type, sizeof(type)); + if (ret == 0) + ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen)); + if (ret == 0 && context != NULL) + ret = wc_Sha512Update(&sha, context, contextLen); + } + if (ret == 0) + ret = wc_Sha512Update(&sha, az + ED25519_KEY_SIZE, ED25519_KEY_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, in, inLen); + if (ret == 0) + ret = wc_Sha512Final(&sha, nonce); + wc_Sha512Free(&sha); + if (ret != 0) + return ret; + +#ifdef FREESCALE_LTC_ECC + ltc_pkha_ecc_point_t ltcPoint = {0}; + ltcPoint.X = &tempBuf[0]; + ltcPoint.Y = &tempBuf[32]; + LTC_PKHA_sc_reduce(nonce); + LTC_PKHA_Ed25519_PointMul(LTC_PKHA_Ed25519_BasePoint(), nonce, + ED25519_KEY_SIZE, <cPoint, kLTC_Ed25519 /* result on Ed25519 */); + LTC_PKHA_Ed25519_Compress(<cPoint, out); +#else sc_reduce(nonce); /* step 2: computing R = rB where rB is the scalar multiplication of r and B */ ge_scalarmult_base(&R,nonce); ge_p3_tobytes(out,&R); +#endif /* step 3: hash R + public key + message getting H(R,A,M) then creating S = (r + H(R,A,M)a) mod l */ - ret |= wc_InitSha512(&sha); - ret |= wc_Sha512Update(&sha, out, 32); - ret |= wc_Sha512Update(&sha, key->p, 32); - ret |= wc_Sha512Update(&sha, in, inlen); - ret |= wc_Sha512Final(&sha, hram); + ret = wc_InitSha512(&sha); + if (ret != 0) + return ret; + if (type == Ed25519ctx || type == Ed25519ph) { + ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, &type, sizeof(type)); + if (ret == 0) + ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen)); + if (ret == 0 && context != NULL) + ret = wc_Sha512Update(&sha, context, contextLen); + } + if (ret == 0) + ret = wc_Sha512Update(&sha, out, ED25519_SIG_SIZE/2); + if (ret == 0) + ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, in, inLen); + if (ret == 0) + ret = wc_Sha512Final(&sha, hram); + wc_Sha512Free(&sha); + if (ret != 0) + return ret; + +#ifdef FREESCALE_LTC_ECC + LTC_PKHA_sc_reduce(hram); + LTC_PKHA_sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce); +#else sc_reduce(hram); - sc_muladd(out + 32, hram, az, nonce); + sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce); +#endif return ret; } +/* + in contains the message to sign + inLen is the length of the message to sign + out is the buffer to write the signature + outLen [in/out] input size of out buf + output gets set as the final length of out + key is the ed25519 key to use when signing + return 0 on success + */ +int wc_ed25519_sign_msg(const byte* in, word32 inLen, byte* out, + word32 *outLen, ed25519_key* key) +{ + return ed25519_sign_msg(in, inLen, out, outLen, key, (byte)Ed25519, NULL, 0); +} + +/* + in contains the message to sign + inLen is the length of the message to sign + out is the buffer to write the signature + outLen [in/out] input size of out buf + output gets set as the final length of out + key is the ed25519 key to use when signing + context extra signing data + contextLen length of extra signing data + return 0 on success + */ +int wc_ed25519ctx_sign_msg(const byte* in, word32 inLen, byte* out, + word32 *outLen, ed25519_key* key, + const byte* context, byte contextLen) +{ + return ed25519_sign_msg(in, inLen, out, outLen, key, Ed25519ctx, context, + contextLen); +} + +/* + hash contains the SHA-512 hash of the message to sign + hashLen is the length of the SHA-512 hash of the message to sign + out is the buffer to write the signature + outLen [in/out] input size of out buf + output gets set as the final length of out + key is the ed25519 key to use when signing + context extra signing data + contextLen length of extra signing data + return 0 on success + */ +int wc_ed25519ph_sign_hash(const byte* hash, word32 hashLen, byte* out, + word32 *outLen, ed25519_key* key, + const byte* context, byte contextLen) +{ + return ed25519_sign_msg(hash, hashLen, out, outLen, key, Ed25519ph, context, + contextLen); +} + +/* + in contains the message to sign + inLen is the length of the message to sign + out is the buffer to write the signature + outLen [in/out] input size of out buf + output gets set as the final length of out + key is the ed25519 key to use when signing + context extra signing data + contextLen length of extra signing data + return 0 on success + */ +int wc_ed25519ph_sign_msg(const byte* in, word32 inLen, byte* out, + word32 *outLen, ed25519_key* key, + const byte* context, byte contextLen) +{ + int ret; + byte hash[WC_SHA512_DIGEST_SIZE]; + + ret = wc_Sha512Hash(in, inLen, hash); + if (ret != 0) + return ret; + + return wc_ed25519ph_sign_hash(hash, sizeof(hash), out, outLen, key, context, + contextLen); +} +#endif /* HAVE_ED25519_SIGN */ + +#ifdef HAVE_ED25519_VERIFY /* sig is array of bytes containing the signature - siglen is the length of sig byte array + sigLen is the length of sig byte array msg the array of bytes containing the message - msglen length of msg array - stat will be 1 on successful verify and 0 on unsuccessful + msgLen length of msg array + res will be 1 on successful verify and 0 on unsuccessful + key Ed25519 public key + return 0 and res of 1 on success */ -int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg, - word32 msglen, int* stat, ed25519_key* key) +static int ed25519_verify_msg(const byte* sig, word32 sigLen, const byte* msg, + word32 msgLen, int* res, ed25519_key* key, + byte type, const byte* context, byte contextLen) { - byte rcheck[32]; - byte h[SHA512_DIGEST_SIZE]; + byte rcheck[ED25519_KEY_SIZE]; + byte h[WC_SHA512_DIGEST_SIZE]; +#ifndef FREESCALE_LTC_ECC ge_p3 A; ge_p2 R; - word32 sigSz; +#endif int ret; - Sha512 sha; + wc_Sha512 sha; /* sanity check on arguments */ - if (sig == NULL || msg == NULL || stat == NULL || key == NULL) + if (sig == NULL || msg == NULL || res == NULL || key == NULL || + (context == NULL && contextLen != 0)) { return BAD_FUNC_ARG; + } - ret = 0; - *stat = 0; - sigSz = wc_ed25519_size(key); + /* set verification failed by default */ + *res = 0; /* check on basics needed to verify signature */ - if (siglen < sigSz) - return BAD_FUNC_ARG; - if (sig[63] & 224) + if (sigLen < ED25519_SIG_SIZE || (sig[ED25519_SIG_SIZE-1] & 224)) return BAD_FUNC_ARG; /* uncompress A (public key), test if valid, and negate it */ +#ifndef FREESCALE_LTC_ECC if (ge_frombytes_negate_vartime(&A, key->p) != 0) return BAD_FUNC_ARG; +#endif /* find H(R,A,M) and store it as h */ - ret |= wc_InitSha512(&sha); - ret |= wc_Sha512Update(&sha, sig, 32); - ret |= wc_Sha512Update(&sha, key->p, 32); - ret |= wc_Sha512Update(&sha, msg, msglen); - ret |= wc_Sha512Final(&sha, h); + ret = wc_InitSha512(&sha); + if (ret != 0) + return ret; + if (type == Ed25519ctx || type == Ed25519ph) { + ret = wc_Sha512Update(&sha, ed25519Ctx, ED25519CTX_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, &type, sizeof(type)); + if (ret == 0) + ret = wc_Sha512Update(&sha, &contextLen, sizeof(contextLen)); + if (ret == 0 && context != NULL) + ret = wc_Sha512Update(&sha, context, contextLen); + } + if (ret == 0) + ret = wc_Sha512Update(&sha, sig, ED25519_SIG_SIZE/2); + if (ret == 0) + ret = wc_Sha512Update(&sha, key->p, ED25519_PUB_KEY_SIZE); + if (ret == 0) + ret = wc_Sha512Update(&sha, msg, msgLen); + if (ret == 0) + ret = wc_Sha512Final(&sha, h); + wc_Sha512Free(&sha); + if (ret != 0) + return ret; + +#ifdef FREESCALE_LTC_ECC + LTC_PKHA_sc_reduce(h); + LTC_PKHA_SignatureForVerify(rcheck, h, sig + (ED25519_SIG_SIZE/2), key); +#else sc_reduce(h); /* Uses a fast single-signature verification SB = R + H(R,A,M)A becomes SB - H(R,A,M)A saving decompression of R */ - ret |= ge_double_scalarmult_vartime(&R, h, &A, sig + 32); + ret = ge_double_scalarmult_vartime(&R, h, &A, sig + (ED25519_SIG_SIZE/2)); + if (ret != 0) + return ret; + ge_tobytes(rcheck, &R); +#endif /* FREESCALE_LTC_ECC */ /* comparison of R created to R in sig */ - ret |= ConstantCompare(rcheck, sig, 32); + ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2); + if (ret != 0) + return SIG_VERIFY_E; - *stat = (ret == 0)? 1: 0; + /* set the verification status */ + *res = 1; return ret; } +/* + sig is array of bytes containing the signature + sigLen is the length of sig byte array + msg the array of bytes containing the message + msgLen length of msg array + res will be 1 on successful verify and 0 on unsuccessful + key Ed25519 public key + return 0 and res of 1 on success +*/ +int wc_ed25519_verify_msg(const byte* sig, word32 sigLen, const byte* msg, + word32 msgLen, int* res, ed25519_key* key) +{ + return ed25519_verify_msg(sig, sigLen, msg, msgLen, res, key, (byte)Ed25519, + NULL, 0); +} + +/* + sig is array of bytes containing the signature + sigLen is the length of sig byte array + msg the array of bytes containing the message + msgLen length of msg array + res will be 1 on successful verify and 0 on unsuccessful + key Ed25519 public key + context extra sigining data + contextLen length of extra sigining data + return 0 and res of 1 on success +*/ +int wc_ed25519ctx_verify_msg(const byte* sig, word32 sigLen, const byte* msg, + word32 msgLen, int* res, ed25519_key* key, + const byte* context, byte contextLen) +{ + return ed25519_verify_msg(sig, sigLen, msg, msgLen, res, key, Ed25519ctx, + context, contextLen); +} + +/* + sig is array of bytes containing the signature + sigLen is the length of sig byte array + hash the array of bytes containing the SHA-512 hash of the message + hashLen length of hash array + res will be 1 on successful verify and 0 on unsuccessful + key Ed25519 public key + context extra sigining data + contextLen length of extra sigining data + return 0 and res of 1 on success +*/ +int wc_ed25519ph_verify_hash(const byte* sig, word32 sigLen, const byte* hash, + word32 hashLen, int* res, ed25519_key* key, + const byte* context, byte contextLen) +{ + return ed25519_verify_msg(sig, sigLen, hash, hashLen, res, key, Ed25519ph, + context, contextLen); +} + +/* + sig is array of bytes containing the signature + sigLen is the length of sig byte array + msg the array of bytes containing the message + msgLen length of msg array + res will be 1 on successful verify and 0 on unsuccessful + key Ed25519 public key + context extra sigining data + contextLen length of extra sigining data + return 0 and res of 1 on success +*/ +int wc_ed25519ph_verify_msg(const byte* sig, word32 sigLen, const byte* msg, + word32 msgLen, int* res, ed25519_key* key, + const byte* context, byte contextLen) +{ + int ret; + byte hash[WC_SHA512_DIGEST_SIZE]; + + ret = wc_Sha512Hash(msg, msgLen, hash); + if (ret != 0) + return ret; + + return wc_ed25519ph_verify_hash(sig, sigLen, hash, sizeof(hash), res, key, + context, contextLen); +} +#endif /* HAVE_ED25519_VERIFY */ + /* initialize information and memory for key */ int wc_ed25519_init(ed25519_key* key) @@ -201,6 +517,10 @@ int wc_ed25519_init(ed25519_key* key) XMEMSET(key, 0, sizeof(ed25519_key)); +#ifndef FREESCALE_LTC_ECC + fe_init(); +#endif + return 0; } @@ -215,6 +535,8 @@ void wc_ed25519_free(ed25519_key* key) } +#ifdef HAVE_ED25519_KEY_EXPORT + /* outLen should contain the size of out buffer when input. outLen is than set to the final output length. @@ -222,24 +544,25 @@ void wc_ed25519_free(ed25519_key* key) */ int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen) { - word32 keySz; - /* sanity check on arguments */ if (key == NULL || out == NULL || outLen == NULL) return BAD_FUNC_ARG; - keySz = wc_ed25519_size(key); - if (*outLen < keySz) { - *outLen = keySz; + if (*outLen < ED25519_PUB_KEY_SIZE) { + *outLen = ED25519_PUB_KEY_SIZE; return BUFFER_E; } - *outLen = keySz; - XMEMCPY(out, key->p, keySz); + + *outLen = ED25519_PUB_KEY_SIZE; + XMEMCPY(out, key->p, ED25519_PUB_KEY_SIZE); return 0; } +#endif /* HAVE_ED25519_KEY_EXPORT */ + +#ifdef HAVE_ED25519_KEY_IMPORT /* Imports a compressed/uncompressed public key. in the byte array containing the public key @@ -248,37 +571,65 @@ int wc_ed25519_export_public(ed25519_key* key, byte* out, word32* outLen) */ int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key) { - word32 keySz; int ret; /* sanity check on arguments */ if (in == NULL || key == NULL) return BAD_FUNC_ARG; - keySz = wc_ed25519_size(key); - - if (inLen < keySz) + if (inLen < ED25519_PUB_KEY_SIZE) return BAD_FUNC_ARG; /* compressed prefix according to draft http://www.ietf.org/id/draft-koch-eddsa-for-openpgp-02.txt */ - if (in[0] == 0x40) { + if (in[0] == 0x40 && inLen > ED25519_PUB_KEY_SIZE) { /* key is stored in compressed format so just copy in */ - XMEMCPY(key->p, (in + 1), keySz); + XMEMCPY(key->p, (in + 1), ED25519_PUB_KEY_SIZE); +#ifdef FREESCALE_LTC_ECC + /* recover X coordinate */ + ltc_pkha_ecc_point_t pubKey; + pubKey.X = key->pointX; + pubKey.Y = key->pointY; + LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey); +#endif + key->pubKeySet = 1; return 0; } /* importing uncompressed public key */ - if (in[0] == 0x04) { + if (in[0] == 0x04 && inLen > 2*ED25519_PUB_KEY_SIZE) { +#ifdef FREESCALE_LTC_ECC + /* reverse bytes for little endian byte order */ + for (int i = 0; i < ED25519_KEY_SIZE; i++) + { + key->pointX[i] = *(in + ED25519_KEY_SIZE - i); + key->pointY[i] = *(in + 2*ED25519_KEY_SIZE - i); + } + XMEMCPY(key->p, key->pointY, ED25519_KEY_SIZE); + key->pubKeySet = 1; + ret = 0; +#else /* pass in (x,y) and store compressed key */ - ret = ge_compress_key(key->p, (in+1), (in+1+keySz), keySz); + ret = ge_compress_key(key->p, in+1, + in+1+ED25519_PUB_KEY_SIZE, ED25519_PUB_KEY_SIZE); + if (ret == 0) + key->pubKeySet = 1; +#endif /* FREESCALE_LTC_ECC */ return ret; } /* if not specified compressed or uncompressed check key size if key size is equal to compressed key size copy in key */ - if (inLen == keySz) { - XMEMCPY(key->p, in, keySz); + if (inLen == ED25519_PUB_KEY_SIZE) { + XMEMCPY(key->p, in, ED25519_PUB_KEY_SIZE); +#ifdef FREESCALE_LTC_ECC + /* recover X coordinate */ + ltc_pkha_ecc_point_t pubKey; + pubKey.X = key->pointX; + pubKey.Y = key->pointY; + LTC_PKHA_Ed25519_PointDecompress(key->p, ED25519_PUB_KEY_SIZE, &pubKey); +#endif + key->pubKeySet = 1; return 0; } @@ -288,82 +639,175 @@ int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key) /* + For importing a private key. + */ +int wc_ed25519_import_private_only(const byte* priv, word32 privSz, + ed25519_key* key) +{ + /* sanity check on arguments */ + if (priv == NULL || key == NULL) + return BAD_FUNC_ARG; + + /* key size check */ + if (privSz < ED25519_KEY_SIZE) + return BAD_FUNC_ARG; + + XMEMCPY(key->k, priv, ED25519_KEY_SIZE); + + return 0; +} + +/* For importing a private key and its associated public key. */ int wc_ed25519_import_private_key(const byte* priv, word32 privSz, const byte* pub, word32 pubSz, ed25519_key* key) { - word32 keySz; int ret; /* sanity check on arguments */ if (priv == NULL || pub == NULL || key == NULL) return BAD_FUNC_ARG; - keySz = wc_ed25519_size(key); - /* key size check */ - if (privSz < keySz || pubSz < keySz) + if (privSz < ED25519_KEY_SIZE || pubSz < ED25519_PUB_KEY_SIZE) return BAD_FUNC_ARG; - XMEMCPY(key->k, priv, keySz); + /* import public key */ ret = wc_ed25519_import_public(pub, pubSz, key); - XMEMCPY((key->k + keySz), key->p, keySz); + if (ret != 0) + return ret; + + /* make the private key (priv + pub) */ + XMEMCPY(key->k, priv, ED25519_KEY_SIZE); + XMEMCPY(key->k + ED25519_KEY_SIZE, key->p, ED25519_PUB_KEY_SIZE); return ret; } +#endif /* HAVE_ED25519_KEY_IMPORT */ + + +#ifdef HAVE_ED25519_KEY_EXPORT /* - outLen should contain the size of out buffer when input. outLen is than set - to the final output length. - returns 0 on success + export private key only (secret part so 32 bytes) + outLen should contain the size of out buffer when input. outLen is than set + to the final output length. + returns 0 on success */ int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen) { - word32 keySz; + /* sanity checks on arguments */ + if (key == NULL || out == NULL || outLen == NULL) + return BAD_FUNC_ARG; + + if (*outLen < ED25519_KEY_SIZE) { + *outLen = ED25519_KEY_SIZE; + return BUFFER_E; + } + + *outLen = ED25519_KEY_SIZE; + XMEMCPY(out, key->k, ED25519_KEY_SIZE); + return 0; +} + +/* + export private key, including public part + outLen should contain the size of out buffer when input. outLen is than set + to the final output length. + returns 0 on success + */ +int wc_ed25519_export_private(ed25519_key* key, byte* out, word32* outLen) +{ /* sanity checks on arguments */ if (key == NULL || out == NULL || outLen == NULL) return BAD_FUNC_ARG; - keySz = wc_ed25519_size(key); - if (*outLen < keySz) { - *outLen = keySz; + if (*outLen < ED25519_PRV_KEY_SIZE) { + *outLen = ED25519_PRV_KEY_SIZE; return BUFFER_E; } - *outLen = keySz; - XMEMCPY(out, key->k, keySz); + + *outLen = ED25519_PRV_KEY_SIZE; + XMEMCPY(out, key->k, ED25519_PRV_KEY_SIZE); return 0; } +/* export full private key and public key + return 0 on success + */ +int wc_ed25519_export_key(ed25519_key* key, + byte* priv, word32 *privSz, + byte* pub, word32 *pubSz) +{ + int ret; + + /* export 'full' private part */ + ret = wc_ed25519_export_private(key, priv, privSz); + if (ret != 0) + return ret; -/* is the compressed key size in bytes */ -int wc_ed25519_size(ed25519_key* key) + /* export public part */ + ret = wc_ed25519_export_public(key, pub, pubSz); + + return ret; +} + +#endif /* HAVE_ED25519_KEY_EXPORT */ + +/* check the private and public keys match */ +int wc_ed25519_check_key(ed25519_key* key) { - word32 keySz; + int ret = 0; + unsigned char pubKey[ED25519_PUB_KEY_SIZE]; + + if (!key->pubKeySet) + ret = PUBLIC_KEY_E; + if (ret == 0) + ret = wc_ed25519_make_public(key, pubKey, sizeof(pubKey)); + if (ret == 0 && XMEMCMP(pubKey, key->p, ED25519_PUB_KEY_SIZE) != 0) + ret = PUBLIC_KEY_E; + return ret; +} + +/* returns the private key size (secret only) in bytes */ +int wc_ed25519_size(ed25519_key* key) +{ if (key == NULL) return BAD_FUNC_ARG; - keySz = ED25519_KEY_SIZE; + return ED25519_KEY_SIZE; +} - return keySz; +/* returns the private key size (secret + public) in bytes */ +int wc_ed25519_priv_size(ed25519_key* key) +{ + if (key == NULL) + return BAD_FUNC_ARG; + + return ED25519_PRV_KEY_SIZE; } +/* returns the compressed key size in bytes (public key) */ +int wc_ed25519_pub_size(ed25519_key* key) +{ + if (key == NULL) + return BAD_FUNC_ARG; + + return ED25519_PUB_KEY_SIZE; +} /* returns the size of signature in bytes */ int wc_ed25519_sig_size(ed25519_key* key) { - word32 sigSz; - if (key == NULL) return BAD_FUNC_ARG; - sigSz = ED25519_SIG_SIZE; - - return sigSz; + return ED25519_SIG_SIZE; } #endif /* HAVE_ED25519 */ |