From 46cda485bce60894d3128dcd42831a8c6cc7bcb4 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 25 Sep 2014 15:03:55 -0400 Subject: [PATCH] Comments and tweaks based on review by asn Add some documentation Rename "derive" -> "blind" Check for failure on randombytes(). --- src/common/crypto_curve25519.c | 14 ++++++++++++-- src/common/crypto_ed25519.c | 6 ++++-- src/ext/ed25519/ref10/blinding.c | 9 +++++---- src/ext/ed25519/ref10/crypto_hash_sha512.h | 7 +++++++ src/ext/ed25519/ref10/ed25519_ref10.h | 4 ++-- src/ext/ed25519/ref10/keypair.c | 5 +++-- src/ext/ed25519/ref10/open.c | 2 ++ src/ext/ed25519/ref10/sign.c | 1 + 8 files changed, 36 insertions(+), 12 deletions(-) diff --git a/src/common/crypto_curve25519.c b/src/common/crypto_curve25519.c index 484dd76930..44b280a346 100644 --- a/src/common/crypto_curve25519.c +++ b/src/common/crypto_curve25519.c @@ -128,7 +128,13 @@ curve25519_keypair_generate(curve25519_keypair_t *keypair_out, return 0; } -/** DOCDOC */ +/** Write the datalen bytes from data to the file named + * fname in the tagged-data format. This format contains a + * 32-byte header, followed by the data itself. The header is the + * NUL-padded string "== typestring: tag ==". The length + * of typestring and tag must therefore be no more than + * 24. + **/ int crypto_write_tagged_contents_to_file(const char *fname, const char *typestring, @@ -159,7 +165,11 @@ crypto_write_tagged_contents_to_file(const char *fname, return r; } -/** DOCDOC */ +/** Read a tagged-data file from fname into the + * data_out_len-byte buffer in data_out. Check that the + * typestring matches typestring; store the tag into a newly allocated + * string in tag_out. Return -1 on failure, and the number of bytes of + * data on success. */ ssize_t crypto_read_tagged_contents_from_file(const char *fname, const char *typestring, diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index a545cad9f5..408c12b4fd 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -138,6 +138,8 @@ ed25519_checksig_batch(int *okay_out, } #if 0 + /* This is how we'd do it if we were using ed25519_donna. I'll keep this + * code around here in case we ever do that. */ const uint8_t **ms; size_t *lens; const uint8_t **pks; @@ -249,7 +251,7 @@ ed25519_keypair_blind(ed25519_keypair_t *out, { ed25519_public_key_t pubkey_check; - ed25519_ref10_derive_secret_key(out->seckey.seckey, + ed25519_ref10_blind_secret_key(out->seckey.seckey, inp->seckey.seckey, param); ed25519_public_blind(&pubkey_check, &inp->pubkey, param); @@ -272,7 +274,7 @@ ed25519_public_blind(ed25519_public_key_t *out, const ed25519_public_key_t *inp, const uint8_t *param) { - ed25519_ref10_derive_public_key(out->pubkey, inp->pubkey, param); + ed25519_ref10_blind_public_key(out->pubkey, inp->pubkey, param); return 0; } diff --git a/src/ext/ed25519/ref10/blinding.c b/src/ext/ed25519/ref10/blinding.c index f0154e098f..4d9a9cbbe7 100644 --- a/src/ext/ed25519/ref10/blinding.c +++ b/src/ext/ed25519/ref10/blinding.c @@ -19,7 +19,7 @@ gettweak(unsigned char *out, const unsigned char *param) out[31] |= 64; } -int ed25519_ref10_derive_secret_key(unsigned char *out, +int ed25519_ref10_blind_secret_key(unsigned char *out, const unsigned char *inp, const unsigned char *param) { @@ -40,7 +40,7 @@ int ed25519_ref10_derive_secret_key(unsigned char *out, return 0; } -int ed25519_ref10_derive_public_key(unsigned char *out, +int ed25519_ref10_blind_public_key(unsigned char *out, const unsigned char *inp, const unsigned char *param) { @@ -58,7 +58,8 @@ int ed25519_ref10_derive_public_key(unsigned char *out, * strongly that I'm about to code my own ge_scalarmult_vartime). */ /* We negate the public key first, so that we can pass it to - * frombytes_negate_vartime, which negates it again. */ + * frombytes_negate_vartime, which negates it again. If there were a + * "ge_frombytes", we'd use that, but there isn't. */ memcpy(pkcopy, inp, 32); pkcopy[31] ^= (1<<7); ge_frombytes_negate_vartime(&A, pkcopy); @@ -69,7 +70,7 @@ int ed25519_ref10_derive_public_key(unsigned char *out, memwipe(tweak, 0, sizeof(tweak)); memwipe(&A, 0, sizeof(A)); memwipe(&Aprime, 0, sizeof(Aprime)); - memwipe(&pkcopy, 0, sizeof(pkcopy)); + memwipe(pkcopy, 0, sizeof(pkcopy)); return 0; } diff --git a/src/ext/ed25519/ref10/crypto_hash_sha512.h b/src/ext/ed25519/ref10/crypto_hash_sha512.h index c819b8d0d3..0278571522 100644 --- a/src/ext/ed25519/ref10/crypto_hash_sha512.h +++ b/src/ext/ed25519/ref10/crypto_hash_sha512.h @@ -1,8 +1,12 @@ /* Added for Tor. */ #include + +/* Set 'out' to the 512-bit SHA512 hash of the 'len'-byte string in 'inp' */ #define crypto_hash_sha512(out, inp, len) \ SHA512((inp), (len), (out)) +/* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1', + * concatenated with the 'len2'-byte string in 'inp2'. */ #define crypto_hash_sha512_2(out, inp1, len1, inp2, len2) \ do { \ SHA512_CTX sha_ctx_; \ @@ -12,6 +16,9 @@ SHA512_Final((out), &sha_ctx_); \ } while(0) +/* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1', + * concatenated with the 'len2'-byte string in 'inp2', concatenated with + * the 'len3'-byte string in 'len3'. */ #define crypto_hash_sha512_3(out, inp1, len1, inp2, len2, inp3, len3) \ do { \ SHA512_CTX sha_ctx_; \ diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h index f4a76e621c..8c77b0e56b 100644 --- a/src/ext/ed25519/ref10/ed25519_ref10.h +++ b/src/ext/ed25519/ref10/ed25519_ref10.h @@ -20,10 +20,10 @@ int ed25519_ref10_sign( int ed25519_ref10_pubkey_from_curve25519_pubkey(unsigned char *out, const unsigned char *inp, int signbit); -int ed25519_ref10_derive_secret_key(unsigned char *out, +int ed25519_ref10_blind_secret_key(unsigned char *out, const unsigned char *inp, const unsigned char *param); -int ed25519_ref10_derive_public_key(unsigned char *out, +int ed25519_ref10_blind_public_key(unsigned char *out, const unsigned char *inp, const unsigned char *param); diff --git a/src/ext/ed25519/ref10/keypair.c b/src/ext/ed25519/ref10/keypair.c index e861998071..7ddbaa971e 100644 --- a/src/ext/ed25519/ref10/keypair.c +++ b/src/ext/ed25519/ref10/keypair.c @@ -1,4 +1,4 @@ -/* Modified for Tor: new API, 32-byte secret keys. */ +/* Modified for Tor: new API, 64-byte secret keys. */ #include #include "randombytes.h" #include "crypto_sign.h" @@ -10,7 +10,8 @@ crypto_sign_seckey(unsigned char *sk) { unsigned char seed[32]; - randombytes(seed,32); + if (randombytes(seed,32) < 0) + return -1; crypto_sign_seckey_expand(sk, seed); diff --git a/src/ext/ed25519/ref10/open.c b/src/ext/ed25519/ref10/open.c index 790f668f94..0e7abba138 100644 --- a/src/ext/ed25519/ref10/open.c +++ b/src/ext/ed25519/ref10/open.c @@ -1,3 +1,4 @@ +/* (Modified by Tor to verify signature separately from message) */ #include #include "crypto_sign.h" #include "crypto_hash_sha512.h" @@ -5,6 +6,7 @@ #include "ge.h" #include "sc.h" +/* 'signature' must be 64-bytes long. */ int crypto_sign_open( const unsigned char *signature, const unsigned char *m,uint64_t mlen, diff --git a/src/ext/ed25519/ref10/sign.c b/src/ext/ed25519/ref10/sign.c index c11fca9122..e37b0d192d 100644 --- a/src/ext/ed25519/ref10/sign.c +++ b/src/ext/ed25519/ref10/sign.c @@ -1,3 +1,4 @@ +/* (Modified by Tor to generate detached signatures.) */ #include #include "crypto_sign.h" #include "crypto_hash_sha512.h"