On Sat, Jan 14, 2023 at 04:29:04PM +1100, Damien Miller wrote:
>
>
> On Fri, 13 Jan 2023, Damien Miller wrote:
>
> > Hi,
> >
> > Forewarning: this is a big, noisy diff. Also on Github at
> > https://github.com/djmdjm/openssh-wip/pull/18
> >
> > This updates the ED25519 code to the latest version of SUPERCOP (20221122),
> > but the real motivation for this is to move the ED25519 code to the same
> > approach we use for the Streamlined NTRUPrime code: using a shell-script
> > to extract the bits we want from SUPERCOP and squish them all into a
> > single file.
> >
> > This removes a bunch of exported function names, a bit of unused
> > code and means that all the ED25519 code is in a single file rather
> > than eight.
> >
> > To review this, it's probably best to run the shellscript locally
> > (use sh ed25519.sh /path/to/directory/with/supercop) and inspect the
> > output. Apart from the original ed25519.c (assembled from the keypair.c,
> > sign.c and open.c files in SUPERCOP) there are no substantial changes.
>
> Here's a better way to look at the substantive changes:
>
> 1. Assemble the existing ed25519 code in the same order as how this
> patch arranges things:
>
> cat verify.c fe25519.h fe25519.c sc25519.h sc25519.c \
> ge25519.h ge25519.c ed25519.c | \
> sed -e '/#include "ge25519_base.data"/r ge25519_base.data' \
> -e '/#include.*/d' > ed25519.c.old
>
> 2. Apply the patch
>
> 3. Diff the original and new code (below)
>
> This isn't completely without noise, but it lets you see the substantive
> changes clearly.
>
> -d
works and looks a lot cleaner than before.
ok tobhe@
>
> ----
>
>
> --- /tmp/ed25519.c Sat Jan 14 16:25:09 2023
> +++ ed25519.c Sat Jan 14 16:25:41 2023
> @@ -1,12 +1,30 @@
> -/* $OpenBSD: verify.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> +/* $OpenBSD: $ */
>
> /*
> - * Public Domain, Author: Daniel J. Bernstein
> - * Copied from nacl-20110221/crypto_verify/32/ref/verify.c
> + * Public Domain, Authors:
> + * - Daniel J. Bernstein
> + * - Niels Duif
> + * - Tanja Lange
> + * - lead: Peter Schwabe
> + * - Bo-Yin Yang
> */
>
> +#include <string.h>
>
> -int crypto_verify_32(const unsigned char *x,const unsigned char *y)
> +#include "crypto_api.h"
> +
> +#define int8 crypto_int8
> +#define uint8 crypto_uint8
> +#define int16 crypto_int16
> +#define uint16 crypto_uint16
> +#define int32 crypto_int32
> +#define uint32 crypto_uint32
> +#define int64 crypto_int64
> +#define uint64 crypto_uint64
> +
> +/* from supercop-20221122/crypto_verify/32/ref/verify.c */
> +
> +static int crypto_verify_32(const unsigned char *x,const unsigned char *y)
> {
> unsigned int differentbits = 0;
> #define F(i) differentbits |= x[i] ^ y[i];
> @@ -44,14 +62,7 @@
> F(31)
> return (1 & ((differentbits - 1) >> 8)) - 1;
> }
> -/* $OpenBSD: fe25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> -
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.h
> - */
> -
> +/* from supercop-20221122/crypto_sign/ed25519/ref/fe25519.h */
> #ifndef FE25519_H
> #define FE25519_H
>
> @@ -80,52 +91,45 @@
> }
> fe25519;
>
> -void fe25519_freeze(fe25519 *r);
> +static void fe25519_freeze(fe25519 *r);
>
> -void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
> +static void fe25519_unpack(fe25519 *r, const unsigned char x[32]);
>
> -void fe25519_pack(unsigned char r[32], const fe25519 *x);
> +static void fe25519_pack(unsigned char r[32], const fe25519 *x);
>
> -int fe25519_iszero(const fe25519 *x);
> +static int fe25519_iszero(const fe25519 *x);
>
> -int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);
> +static int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y);
>
> -void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
> +static void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b);
>
> -void fe25519_setone(fe25519 *r);
> +static void fe25519_setone(fe25519 *r);
>
> -void fe25519_setzero(fe25519 *r);
> +static void fe25519_setzero(fe25519 *r);
>
> -void fe25519_neg(fe25519 *r, const fe25519 *x);
> +static void fe25519_neg(fe25519 *r, const fe25519 *x);
>
> unsigned char fe25519_getparity(const fe25519 *x);
>
> -void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
> +static void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y);
>
> -void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
> +static void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y);
>
> -void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
> +static void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y);
>
> -void fe25519_square(fe25519 *r, const fe25519 *x);
> +static void fe25519_square(fe25519 *r, const fe25519 *x);
>
> -void fe25519_invert(fe25519 *r, const fe25519 *x);
> +static void fe25519_invert(fe25519 *r, const fe25519 *x);
>
> -void fe25519_pow2523(fe25519 *r, const fe25519 *x);
> +static void fe25519_pow2523(fe25519 *r, const fe25519 *x);
>
> #endif
> -/* $OpenBSD: fe25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> -
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/fe25519.c
> - */
> -
> +/* from supercop-20221122/crypto_sign/ed25519/ref/fe25519.c */
> #define WINDOWSIZE 1 /* Should be 1,2, or 4 */
> #define WINDOWMASK ((1<<WINDOWSIZE)-1)
>
>
> -static crypto_uint32 equal(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs
> */
> +static crypto_uint32 fe25519_equal(crypto_uint32 a,crypto_uint32 b) /*
> 16-bit inputs */
> {
> crypto_uint32 x = a ^ b; /* 0: yes; 1..65535: no */
> x -= 1; /* 4294967295: yes; 0..65534: no */
> @@ -152,7 +156,7 @@
> return (a << 5) + (a << 2) + (a << 1);
> }
>
> -static void reduce_add_sub(fe25519 *r)
> +static void fe25519_reduce_add_sub(fe25519 *r)
> {
> crypto_uint32 t;
> int i,rep;
> @@ -193,12 +197,12 @@
> }
>
> /* reduction modulo 2^255-19 */
> -void fe25519_freeze(fe25519 *r)
> +static void fe25519_freeze(fe25519 *r)
> {
> int i;
> - crypto_uint32 m = equal(r->v[31],127);
> + crypto_uint32 m = fe25519_equal(r->v[31],127);
> for(i=30;i>0;i--)
> - m &= equal(r->v[i],255);
> + m &= fe25519_equal(r->v[i],255);
> m &= ge(r->v[0],237);
>
> m = -m;
> @@ -209,7 +213,7 @@
> r->v[0] -= m&237;
> }
>
> -void fe25519_unpack(fe25519 *r, const unsigned char x[32])
> +static void fe25519_unpack(fe25519 *r, const unsigned char x[32])
> {
> int i;
> for(i=0;i<32;i++) r->v[i] = x[i];
> @@ -217,7 +221,7 @@
> }
>
> /* Assumes input x being reduced below 2^255 */
> -void fe25519_pack(unsigned char r[32], const fe25519 *x)
> +static void fe25519_pack(unsigned char r[32], const fe25519 *x)
> {
> int i;
> fe25519 y = *x;
> @@ -226,19 +230,19 @@
> r[i] = y.v[i];
> }
>
> -int fe25519_iszero(const fe25519 *x)
> +static int fe25519_iszero(const fe25519 *x)
> {
> int i;
> int r;
> fe25519 t = *x;
> fe25519_freeze(&t);
> - r = equal(t.v[0],0);
> + r = fe25519_equal(t.v[0],0);
> for(i=1;i<32;i++)
> - r &= equal(t.v[i],0);
> + r &= fe25519_equal(t.v[i],0);
> return r;
> }
>
> -int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y)
> +static int fe25519_iseq_vartime(const fe25519 *x, const fe25519 *y)
> {
> int i;
> fe25519 t1 = *x;
> @@ -250,7 +254,7 @@
> return 1;
> }
>
> -void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
> +static void fe25519_cmov(fe25519 *r, const fe25519 *x, unsigned char b)
> {
> int i;
> crypto_uint32 mask = b;
> @@ -265,20 +269,20 @@
> return t.v[0] & 1;
> }
>
> -void fe25519_setone(fe25519 *r)
> +static void fe25519_setone(fe25519 *r)
> {
> int i;
> r->v[0] = 1;
> for(i=1;i<32;i++) r->v[i]=0;
> }
>
> -void fe25519_setzero(fe25519 *r)
> +static void fe25519_setzero(fe25519 *r)
> {
> int i;
> for(i=0;i<32;i++) r->v[i]=0;
> }
>
> -void fe25519_neg(fe25519 *r, const fe25519 *x)
> +static void fe25519_neg(fe25519 *r, const fe25519 *x)
> {
> fe25519 t;
> int i;
> @@ -287,14 +291,14 @@
> fe25519_sub(r, r, &t);
> }
>
> -void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
> +static void fe25519_add(fe25519 *r, const fe25519 *x, const fe25519 *y)
> {
> int i;
> for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
> - reduce_add_sub(r);
> + fe25519_reduce_add_sub(r);
> }
>
> -void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
> +static void fe25519_sub(fe25519 *r, const fe25519 *x, const fe25519 *y)
> {
> int i;
> crypto_uint32 t[32];
> @@ -302,10 +306,10 @@
> t[31] = x->v[31] + 0xfe;
> for(i=1;i<31;i++) t[i] = x->v[i] + 0x1fe;
> for(i=0;i<32;i++) r->v[i] = t[i] - y->v[i];
> - reduce_add_sub(r);
> + fe25519_reduce_add_sub(r);
> }
>
> -void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
> +static void fe25519_mul(fe25519 *r, const fe25519 *x, const fe25519 *y)
> {
> int i,j;
> crypto_uint32 t[63];
> @@ -322,12 +326,12 @@
> reduce_mul(r);
> }
>
> -void fe25519_square(fe25519 *r, const fe25519 *x)
> +static void fe25519_square(fe25519 *r, const fe25519 *x)
> {
> fe25519_mul(r, x, x);
> }
>
> -void fe25519_invert(fe25519 *r, const fe25519 *x)
> +static void fe25519_invert(fe25519 *r, const fe25519 *x)
> {
> fe25519 z2;
> fe25519 z9;
> @@ -394,7 +398,7 @@
> /* 2^255 - 21 */ fe25519_mul(r,&t1,&z11);
> }
>
> -void fe25519_pow2523(fe25519 *r, const fe25519 *x)
> +static void fe25519_pow2523(fe25519 *r, const fe25519 *x)
> {
> fe25519 z2;
> fe25519 z9;
> @@ -447,14 +451,7 @@
> /* 2^252 - 2^2 */ fe25519_square(&t,&t);
> /* 2^252 - 3 */ fe25519_mul(r,&t,x);
> }
> -/* $OpenBSD: sc25519.h,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> -
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.h
> - */
> -
> +/* from supercop-20221122/crypto_sign/ed25519/ref/sc25519.h */
> #ifndef SC25519_H
> #define SC25519_H
>
> @@ -462,19 +459,11 @@
> #define sc25519 crypto_sign_ed25519_ref_sc25519
> #define shortsc25519 crypto_sign_ed25519_ref_shortsc25519
> #define sc25519_from32bytes crypto_sign_ed25519_ref_sc25519_from32bytes
> -#define shortsc25519_from16bytes
> crypto_sign_ed25519_ref_shortsc25519_from16bytes
> #define sc25519_from64bytes crypto_sign_ed25519_ref_sc25519_from64bytes
> -#define sc25519_from_shortsc crypto_sign_ed25519_ref_sc25519_from_shortsc
> #define sc25519_to32bytes crypto_sign_ed25519_ref_sc25519_to32bytes
> -#define sc25519_iszero_vartime
> crypto_sign_ed25519_ref_sc25519_iszero_vartime
> -#define sc25519_isshort_vartime
> crypto_sign_ed25519_ref_sc25519_isshort_vartime
> -#define sc25519_lt_vartime crypto_sign_ed25519_ref_sc25519_lt_vartime
> #define sc25519_add crypto_sign_ed25519_ref_sc25519_add
> -#define sc25519_sub_nored crypto_sign_ed25519_ref_sc25519_sub_nored
> #define sc25519_mul crypto_sign_ed25519_ref_sc25519_mul
> -#define sc25519_mul_shortsc crypto_sign_ed25519_ref_sc25519_mul_shortsc
> #define sc25519_window3 crypto_sign_ed25519_ref_sc25519_window3
> -#define sc25519_window5 crypto_sign_ed25519_ref_sc25519_window5
> #define sc25519_2interleave2 crypto_sign_ed25519_ref_sc25519_2interleave2
>
> typedef struct
> @@ -489,58 +478,43 @@
> }
> shortsc25519;
>
> -void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
> +static void sc25519_from32bytes(sc25519 *r, const unsigned char x[32]);
>
> -void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16]);
>
> -void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
> +static void sc25519_from64bytes(sc25519 *r, const unsigned char x[64]);
>
> -void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x);
>
> -void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
> +static void sc25519_to32bytes(unsigned char r[32], const sc25519 *x);
>
> -int sc25519_iszero_vartime(const sc25519 *x);
>
> -int sc25519_isshort_vartime(const sc25519 *x);
>
> -int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y);
>
> -void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
> +static void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y);
>
> -void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y);
>
> -void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
> +static void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y);
>
> -void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519
> *y);
>
> /* Convert s into a representation of the form \sum_{i=0}^{84}r[i]2^3
> * with r[i] in {-4,...,3}
> */
> -void sc25519_window3(signed char r[85], const sc25519 *s);
> +static void sc25519_window3(signed char r[85], const sc25519 *s);
>
> /* Convert s into a representation of the form \sum_{i=0}^{50}r[i]2^5
> * with r[i] in {-16,...,15}
> */
> -void sc25519_window5(signed char r[51], const sc25519 *s);
>
> -void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const
> sc25519 *s2);
> +static void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1,
> const sc25519 *s2);
>
> #endif
> -/* $OpenBSD: sc25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> +/* from supercop-20221122/crypto_sign/ed25519/ref/sc25519.c */
>
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/sc25519.c
> - */
> -
> -
> /*Arithmetic modulo the group order m = 2^252 +
> 27742317777372353535851937790883648493 =
> 7237005577332262213973186563042994240857116359379907606001950938285454250989
> */
>
> -static const crypto_uint32 m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63,
> 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
> +static const crypto_uint32 sc25519_m[32] = {0xED, 0xD3, 0xF5, 0x5C, 0x1A,
> 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2, 0xDE, 0xF9, 0xDE, 0x14,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
>
> -static const crypto_uint32 mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3, 0xE5,
> 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
> +static const crypto_uint32 sc25519_mu[33] = {0x1B, 0x13, 0x2C, 0x0A, 0xA3,
> 0xE5, 0x9C, 0xED, 0xA7, 0x29, 0x63, 0x08, 0x5D, 0x21, 0x06, 0x21,
> 0xEB, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
> 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F};
>
> static crypto_uint32 lt(crypto_uint32 a,crypto_uint32 b) /* 16-bit inputs */
> @@ -551,8 +525,8 @@
> return x;
> }
>
> -/* Reduce coefficients of r before calling reduce_add_sub */
> -static void reduce_add_sub(sc25519 *r)
> +/* Reduce coefficients of r before calling sc25519_reduce_add_sub */
> +static void sc25519_reduce_add_sub(sc25519 *r)
> {
> crypto_uint32 pb = 0;
> crypto_uint32 b;
> @@ -562,7 +536,7 @@
>
> for(i=0;i<32;i++)
> {
> - pb += m[i];
> + pb += sc25519_m[i];
> b = lt(r->v[i],pb);
> t[i] = r->v[i]-pb+(b<<8);
> pb = b;
> @@ -590,7 +564,7 @@
>
> for(i=0;i<33;i++)
> for(j=0;j<33;j++)
> - if(i+j >= 31) q2[i+j] += mu[i]*x[j+31];
> + if(i+j >= 31) q2[i+j] += sc25519_mu[i]*x[j+31];
> carry = q2[31] >> 8;
> q2[32] += carry;
> carry = q2[32] >> 8;
> @@ -599,7 +573,7 @@
> for(i=0;i<33;i++)r1[i] = x[i];
> for(i=0;i<32;i++)
> for(j=0;j<33;j++)
> - if(i+j < 33) r2[i+j] += m[i]*q3[j];
> + if(i+j < 33) r2[i+j] += sc25519_m[i]*q3[j];
>
> for(i=0;i<32;i++)
> {
> @@ -620,11 +594,11 @@
> * If so: Handle it here!
> */
>
> - reduce_add_sub(r);
> - reduce_add_sub(r);
> + sc25519_reduce_add_sub(r);
> + sc25519_reduce_add_sub(r);
> }
>
> -void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
> +static void sc25519_from32bytes(sc25519 *r, const unsigned char x[32])
> {
> int i;
> crypto_uint32 t[64];
> @@ -633,13 +607,8 @@
> barrett_reduce(r, t);
> }
>
> -void shortsc25519_from16bytes(shortsc25519 *r, const unsigned char x[16])
> -{
> - int i;
> - for(i=0;i<16;i++) r->v[i] = x[i];
> -}
>
> -void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
> +static void sc25519_from64bytes(sc25519 *r, const unsigned char x[64])
> {
> int i;
> crypto_uint32 t[64];
> @@ -647,49 +616,17 @@
> barrett_reduce(r, t);
> }
>
> -void sc25519_from_shortsc(sc25519 *r, const shortsc25519 *x)
> -{
> - int i;
> - for(i=0;i<16;i++)
> - r->v[i] = x->v[i];
> - for(i=0;i<16;i++)
> - r->v[16+i] = 0;
> -}
>
> -void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
> +static void sc25519_to32bytes(unsigned char r[32], const sc25519 *x)
> {
> int i;
> for(i=0;i<32;i++) r[i] = x->v[i];
> }
>
> -int sc25519_iszero_vartime(const sc25519 *x)
> -{
> - int i;
> - for(i=0;i<32;i++)
> - if(x->v[i] != 0) return 0;
> - return 1;
> -}
>
> -int sc25519_isshort_vartime(const sc25519 *x)
> -{
> - int i;
> - for(i=31;i>15;i--)
> - if(x->v[i] != 0) return 0;
> - return 1;
> -}
>
> -int sc25519_lt_vartime(const sc25519 *x, const sc25519 *y)
> -{
> - int i;
> - for(i=31;i>=0;i--)
> - {
> - if(x->v[i] < y->v[i]) return 1;
> - if(x->v[i] > y->v[i]) return 0;
> - }
> - return 0;
> -}
>
> -void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
> +static void sc25519_add(sc25519 *r, const sc25519 *x, const sc25519 *y)
> {
> int i, carry;
> for(i=0;i<32;i++) r->v[i] = x->v[i] + y->v[i];
> @@ -699,23 +636,11 @@
> r->v[i+1] += carry;
> r->v[i] &= 0xff;
> }
> - reduce_add_sub(r);
> + sc25519_reduce_add_sub(r);
> }
>
> -void sc25519_sub_nored(sc25519 *r, const sc25519 *x, const sc25519 *y)
> -{
> - crypto_uint32 b = 0;
> - crypto_uint32 t;
> - int i;
> - for(i=0;i<32;i++)
> - {
> - t = x->v[i] - y->v[i] - b;
> - r->v[i] = t & 255;
> - b = (t >> 8) & 1;
> - }
> -}
>
> -void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
> +static void sc25519_mul(sc25519 *r, const sc25519 *x, const sc25519 *y)
> {
> int i,j,carry;
> crypto_uint32 t[64];
> @@ -736,14 +661,8 @@
> barrett_reduce(r, t);
> }
>
> -void sc25519_mul_shortsc(sc25519 *r, const sc25519 *x, const shortsc25519 *y)
> -{
> - sc25519 t;
> - sc25519_from_shortsc(&t, y);
> - sc25519_mul(r, x, &t);
> -}
>
> -void sc25519_window3(signed char r[85], const sc25519 *s)
> +static void sc25519_window3(signed char r[85], const sc25519 *s)
> {
> char carry;
> int i;
> @@ -780,45 +699,9 @@
> r[84] += carry;
> }
>
> -void sc25519_window5(signed char r[51], const sc25519 *s)
> -{
> - char carry;
> - int i;
> - for(i=0;i<6;i++)
> - {
> - r[8*i+0] = s->v[5*i+0] & 31;
> - r[8*i+1] = (s->v[5*i+0] >> 5) & 31;
> - r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
> - r[8*i+2] = (s->v[5*i+1] >> 2) & 31;
> - r[8*i+3] = (s->v[5*i+1] >> 7) & 31;
> - r[8*i+3] ^= (s->v[5*i+2] << 1) & 31;
> - r[8*i+4] = (s->v[5*i+2] >> 4) & 31;
> - r[8*i+4] ^= (s->v[5*i+3] << 4) & 31;
> - r[8*i+5] = (s->v[5*i+3] >> 1) & 31;
> - r[8*i+6] = (s->v[5*i+3] >> 6) & 31;
> - r[8*i+6] ^= (s->v[5*i+4] << 2) & 31;
> - r[8*i+7] = (s->v[5*i+4] >> 3) & 31;
> - }
> - r[8*i+0] = s->v[5*i+0] & 31;
> - r[8*i+1] = (s->v[5*i+0] >> 5) & 31;
> - r[8*i+1] ^= (s->v[5*i+1] << 3) & 31;
> - r[8*i+2] = (s->v[5*i+1] >> 2) & 31;
>
> - /* Making it signed */
> - carry = 0;
> - for(i=0;i<50;i++)
> +static void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1,
> const sc25519 *s2)
> {
> - r[i] += carry;
> - r[i+1] += r[i] >> 5;
> - r[i] &= 31;
> - carry = r[i] >> 4;
> - r[i] -= carry<<5;
> - }
> - r[50] += carry;
> -}
> -
> -void sc25519_2interleave2(unsigned char r[127], const sc25519 *s1, const
> sc25519 *s2)
> -{
> int i;
> for(i=0;i<31;i++)
> {
> @@ -831,14 +714,7 @@
> r[125] = ((s1->v[31] >> 2) & 3) ^ (((s2->v[31] >> 2) & 3) << 2);
> r[126] = ((s1->v[31] >> 4) & 3) ^ (((s2->v[31] >> 4) & 3) << 2);
> }
> -/* $OpenBSD: ge25519.h,v 1.4 2015/02/16 18:26:26 miod Exp $ */
> -
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.h
> - */
> -
> +/* from supercop-20221122/crypto_sign/ed25519/ref/ge25519.h */
> #ifndef GE25519_H
> #define GE25519_H
>
> @@ -859,29 +735,22 @@
> fe25519 t;
> } ge25519;
>
> -extern const ge25519 ge25519_base;
> +const ge25519 ge25519_base;
>
> int ge25519_unpackneg_vartime(ge25519 *r, const unsigned char p[32]);
>
> -void ge25519_pack(unsigned char r[32], const ge25519 *p);
> +static void ge25519_pack(unsigned char r[32], const ge25519 *p);
>
> int ge25519_isneutral_vartime(const ge25519 *p);
>
> -void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1, const
> sc25519 *s1, const ge25519 *p2, const sc25519 *s2);
> +static void ge25519_double_scalarmult_vartime(ge25519 *r, const ge25519 *p1,
> const sc25519 *s1, const ge25519 *p2, const sc25519 *s2);
>
> -void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
> +static void ge25519_scalarmult_base(ge25519 *r, const sc25519 *s);
>
> #endif
> -/* $OpenBSD: ge25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> +/* from supercop-20221122/crypto_sign/ed25519/ref/ge25519.c */
>
> /*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519.c
> - */
> -
> -
> -/*
> * Arithmetic on the twisted Edwards curve -x^2 + y^2 = 1 + dx^2y^2
> * with d = -(121665/121666) =
> 37095705934669439343138083508754565189542113879843219016388785533085940283555
> * Base point:
> (15112221349535400772501151409588531511454012693041857206046113283949847762202,46316835694926478169428394003475163141307993866256225615783033603165251855960);
> @@ -933,14 +802,6 @@
>
> /* Multiples of the base point in affine representation */
> static const ge25519_aff ge25519_base_multiples_affine[425] = {
> -/* $OpenBSD: ge25519_base.data,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> -
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/ge25519_base.data
> - */
> -
> {{{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
> {{0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
> 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}},
> {{{0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
> 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, 0xfe,
> 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21}} ,
> @@ -1966,7 +1827,7 @@
> return 0;
> }
>
> -void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
> +static void ge25519_pack(unsigned char r[32], const ge25519_p3 *p)
> {
> fe25519 tx, ty, zi;
> fe25519_invert(&zi, &p->z);
> @@ -1985,7 +1846,7 @@
> }
>
> /* computes [s1]p1 + [s2]p2 */
> -void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const ge25519_p3 *p1,
> const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2)
> +static void ge25519_double_scalarmult_vartime(ge25519_p3 *r, const
> ge25519_p3 *p1, const sc25519 *s1, const ge25519_p3 *p2, const sc25519 *s2)
> {
> ge25519_p1p1 tp1p1;
> ge25519_p3 pre[16];
> @@ -2029,7 +1890,7 @@
> }
> }
>
> -void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
> +static void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
> {
> signed char b[85];
> int i;
> @@ -2045,52 +1906,28 @@
> ge25519_mixadd2(r, &t);
> }
> }
> -/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
> +/* from supercop-20221122/crypto_sign/ed25519/ref/keypair.c */
>
> -/*
> - * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
> - * Peter Schwabe, Bo-Yin Yang.
> - * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
> - */
> -
> -
> -
> -static void get_hram(unsigned char *hram, const unsigned char *sm, const
> unsigned char *pk, unsigned char *playground, unsigned long long smlen)
> +int crypto_sign_ed25519_keypair(unsigned char *pk,unsigned char *sk)
> {
> - unsigned long long i;
> -
> - for (i = 0;i < 32;++i) playground[i] = sm[i];
> - for (i = 32;i < 64;++i) playground[i] = pk[i-32];
> - for (i = 64;i < smlen;++i) playground[i] = sm[i];
> -
> - crypto_hash_sha512(hram,playground,smlen);
> -}
> -
> -
> -int crypto_sign_ed25519_keypair(
> - unsigned char *pk,
> - unsigned char *sk
> - )
> -{
> + unsigned char az[64];
> sc25519 scsk;
> ge25519 gepk;
> - unsigned char extsk[64];
> - int i;
>
> randombytes(sk, 32);
> - crypto_hash_sha512(extsk, sk, 32);
> - extsk[0] &= 248;
> - extsk[31] &= 127;
> - extsk[31] |= 64;
> + crypto_hash_sha512(az,sk,32);
> + az[0] &= 248;
> + az[31] &= 127;
> + az[31] |= 64;
>
> - sc25519_from32bytes(&scsk,extsk);
> + sc25519_from32bytes(&scsk,az);
>
> ge25519_scalarmult_base(&gepk, &scsk);
> ge25519_pack(pk, &gepk);
> - for(i=0;i<32;i++)
> - sk[32 + i] = pk[i];
> + memmove(sk + 32,pk,32);
> return 0;
> }
> +/* from supercop-20221122/crypto_sign/ed25519/ref/sign.c */
>
> int crypto_sign_ed25519(
> unsigned char *sm,unsigned long long *smlen,
> @@ -2098,51 +1935,53 @@
> const unsigned char *sk
> )
> {
> + unsigned char pk[32];
> + unsigned char az[64];
> + unsigned char nonce[64];
> + unsigned char hram[64];
> sc25519 sck, scs, scsk;
> ge25519 ger;
> - unsigned char r[32];
> - unsigned char s[32];
> - unsigned char extsk[64];
> - unsigned long long i;
> - unsigned char hmg[crypto_hash_sha512_BYTES];
> - unsigned char hram[crypto_hash_sha512_BYTES];
>
> - crypto_hash_sha512(extsk, sk, 32);
> - extsk[0] &= 248;
> - extsk[31] &= 127;
> - extsk[31] |= 64;
> + memmove(pk,sk + 32,32);
> + /* pk: 32-byte public key A */
>
> + crypto_hash_sha512(az,sk,32);
> + az[0] &= 248;
> + az[31] &= 127;
> + az[31] |= 64;
> + /* az: 32-byte scalar a, 32-byte randomizer z */
> +
> *smlen = mlen+64;
> - for(i=0;i<mlen;i++)
> - sm[64 + i] = m[i];
> - for(i=0;i<32;i++)
> - sm[32 + i] = extsk[32+i];
> + memmove(sm + 64,m,mlen);
> + memmove(sm + 32,az + 32,32);
> + /* sm: 32-byte uninit, 32-byte z, mlen-byte m */
>
> - crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as
> h(extsk[32],...,extsk[63],m) */
> + crypto_hash_sha512(nonce, sm+32, mlen+32);
> + /* nonce: 64-byte H(z,m) */
>
> - /* Computation of R */
> - sc25519_from64bytes(&sck, hmg);
> + sc25519_from64bytes(&sck, nonce);
> ge25519_scalarmult_base(&ger, &sck);
> - ge25519_pack(r, &ger);
> + ge25519_pack(sm, &ger);
> + /* sm: 32-byte R, 32-byte z, mlen-byte m */
>
> - /* Computation of s */
> - for(i=0;i<32;i++)
> - sm[i] = r[i];
> + memmove(sm + 32,pk,32);
> + /* sm: 32-byte R, 32-byte A, mlen-byte m */
>
> - get_hram(hram, sm, sk+32, sm, mlen+64);
> + crypto_hash_sha512(hram,sm,mlen + 64);
> + /* hram: 64-byte H(R,A,m) */
>
> sc25519_from64bytes(&scs, hram);
> - sc25519_from32bytes(&scsk, extsk);
> + sc25519_from32bytes(&scsk, az);
> sc25519_mul(&scs, &scs, &scsk);
> -
> sc25519_add(&scs, &scs, &sck);
> + /* scs: S = nonce + H(R,A,m)a */
>
> - sc25519_to32bytes(s,&scs); /* cat s */
> - for(i=0;i<32;i++)
> - sm[32 + i] = s[i];
> + sc25519_to32bytes(sm + 32,&scs);
> + /* sm: 32-byte R, 32-byte S, mlen-byte m */
>
> return 0;
> }
> +/* from supercop-20221122/crypto_sign/ed25519/ref/open.c */
>
> int crypto_sign_ed25519_open(
> unsigned char *m,unsigned long long *mlen,
> @@ -2150,39 +1989,40 @@
> const unsigned char *pk
> )
> {
> - unsigned int i;
> - int ret;
> - unsigned char t2[32];
> + unsigned char pkcopy[32];
> + unsigned char rcopy[32];
> + unsigned char hram[64];
> + unsigned char rcheck[32];
> ge25519 get1, get2;
> sc25519 schram, scs;
> - unsigned char hram[crypto_hash_sha512_BYTES];
>
> - *mlen = (unsigned long long) -1;
> - if (smlen < 64) return -1;
> + if (smlen < 64) goto badsig;
> + if (sm[63] & 224) goto badsig;
> + if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig;
>
> - if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
> + memmove(pkcopy,pk,32);
> + memmove(rcopy,sm,32);
>
> - get_hram(hram,sm,pk,m,smlen);
> + sc25519_from32bytes(&scs, sm+32);
>
> + memmove(m,sm,smlen);
> + memmove(m + 32,pkcopy,32);
> + crypto_hash_sha512(hram,m,smlen);
> +
> sc25519_from64bytes(&schram, hram);
>
> - sc25519_from32bytes(&scs, sm+32);
> -
> ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base,
> &scs);
> - ge25519_pack(t2, &get2);
> + ge25519_pack(rcheck, &get2);
>
> - ret = crypto_verify_32(sm, t2);
> -
> - if (!ret)
> - {
> - for(i=0;i<smlen-64;i++)
> - m[i] = sm[i + 64];
> + if (crypto_verify_32(rcopy,rcheck) == 0) {
> + memmove(m,m + 64,smlen - 64);
> + memset(m + smlen - 64,0,64);
> *mlen = smlen - 64;
> + return 0;
> }
> - else
> - {
> - for(i=0;i<smlen-64;i++)
> - m[i] = 0;
> - }
> - return ret;
> +
> +badsig:
> + *mlen = (unsigned long long) -1;
> + memset(m,0,smlen);
> + return -1;
> }
>
