mirror of
https://libwebsockets.org/repo/libwebsockets
synced 2024-11-25 09:57:53 +00:00
c9731c5f17
This is a huge patch that should be a global NOP. For unix type platforms it enables -Wconversion to issue warnings (-> error) for all automatic casts that seem less than ideal but are normally concealed by the toolchain. This is things like passing an int to a size_t argument. Once enabled, I went through all args on my default build (which build most things) and tried to make the removed default cast explicit. With that approach it neither change nor bloat the code, since it compiles to whatever it was doing before, just with the casts made explicit... in a few cases I changed some length args from int to size_t but largely left the causes alone. From now on, new code that is relying on less than ideal casting will complain and nudge me to improve it by warnings.
222 lines
4.1 KiB
C
222 lines
4.1 KiB
C
/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
|
|
|
|
/*
|
|
* Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
|
|
* Peter Schwabe, Bo-Yin Yang.
|
|
* Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
|
|
*
|
|
* Modified to use lws genhash by Andy Green <andy@warmcat.com>
|
|
*/
|
|
|
|
#include <libwebsockets.h>
|
|
#include <lws-ssh.h>
|
|
#include "ge25519.h"
|
|
|
|
int
|
|
crypto_hash_sha512(uint8_t *hash64, const uint8_t *data, size_t len)
|
|
{
|
|
struct lws_genhash_ctx ctx;
|
|
int ret;
|
|
|
|
if (lws_genhash_init(&ctx, LWS_GENHASH_TYPE_SHA512)) {
|
|
lwsl_notice("Failed to init SHA512\n");
|
|
return 0;
|
|
}
|
|
|
|
ret = lws_genhash_update(&ctx, data, len);
|
|
|
|
if (lws_genhash_destroy(&ctx, hash64))
|
|
lwsl_notice("genhash destroy failed\n");
|
|
|
|
return ret ? 0 : 64;
|
|
}
|
|
|
|
|
|
static void
|
|
get_hram(unsigned char *hram, const unsigned char *sm,
|
|
const unsigned char *pk, unsigned char *playground,
|
|
size_t smlen)
|
|
{
|
|
unsigned long long i;
|
|
|
|
for (i = 0; i < 32; ++i)
|
|
playground[i] = sm[i];
|
|
for (i = 32; i < 64; ++i)
|
|
playground[i] = pk[i-32];
|
|
for (i = 64; i < smlen; ++i)
|
|
playground[i] = sm[i];
|
|
|
|
crypto_hash_sha512(hram, playground, smlen);
|
|
}
|
|
|
|
|
|
int crypto_sign_ed25519_keypair(
|
|
struct lws_context *context,
|
|
unsigned char *pk,
|
|
unsigned char *sk
|
|
)
|
|
{
|
|
sc25519 scsk;
|
|
ge25519 gepk;
|
|
unsigned char extsk[64];
|
|
int i;
|
|
|
|
lws_get_random(context, sk, 32);
|
|
crypto_hash_sha512(extsk, sk, 32);
|
|
extsk[0] &= 248;
|
|
extsk[31] &= 127;
|
|
extsk[31] |= 64;
|
|
|
|
sc25519_from32bytes(&scsk,extsk);
|
|
|
|
ge25519_scalarmult_base(&gepk, &scsk);
|
|
ge25519_pack(pk, &gepk);
|
|
for(i=0;i<32;i++)
|
|
sk[32 + i] = pk[i];
|
|
return 0;
|
|
}
|
|
|
|
int crypto_sign_ed25519(
|
|
unsigned char *sm,
|
|
unsigned long long *smlen,
|
|
const unsigned char *m, size_t mlen,
|
|
const unsigned char *sk
|
|
)
|
|
{
|
|
sc25519 sck, scs, scsk;
|
|
ge25519 ger;
|
|
unsigned char r[32];
|
|
unsigned char s[32];
|
|
unsigned char extsk[64];
|
|
unsigned long long i;
|
|
unsigned char hmg[crypto_hash_sha512_BYTES];
|
|
unsigned char hram[crypto_hash_sha512_BYTES];
|
|
|
|
crypto_hash_sha512(extsk, sk, 32);
|
|
extsk[0] &= 248;
|
|
extsk[31] &= 127;
|
|
extsk[31] |= 64;
|
|
|
|
*smlen = mlen+64;
|
|
for(i=0;i<mlen;i++)
|
|
sm[64 + i] = m[i];
|
|
for(i=0;i<32;i++)
|
|
sm[32 + i] = extsk[32+i];
|
|
|
|
crypto_hash_sha512(hmg, sm+32, mlen+32);
|
|
/* Generate k as h(extsk[32],...,extsk[63],m) */
|
|
|
|
/* Computation of R */
|
|
sc25519_from64bytes(&sck, hmg);
|
|
ge25519_scalarmult_base(&ger, &sck);
|
|
ge25519_pack(r, &ger);
|
|
|
|
/* Computation of s */
|
|
for (i = 0; i < 32; i++)
|
|
sm[i] = r[i];
|
|
|
|
get_hram(hram, sm, sk + 32, sm, (size_t)mlen + 64);
|
|
|
|
sc25519_from64bytes(&scs, hram);
|
|
sc25519_from32bytes(&scsk, extsk);
|
|
sc25519_mul(&scs, &scs, &scsk);
|
|
|
|
sc25519_add(&scs, &scs, &sck);
|
|
|
|
sc25519_to32bytes(s,&scs); /* cat s */
|
|
for (i = 0; i < 32; i++)
|
|
sm[32 + i] = s[i];
|
|
|
|
return 0;
|
|
}
|
|
|
|
int crypto_verify_32(const unsigned char *x,const unsigned char *y)
|
|
{
|
|
unsigned int differentbits = 0;
|
|
#define F(i) differentbits |= x[i] ^ y[i];
|
|
F(0)
|
|
F(1)
|
|
F(2)
|
|
F(3)
|
|
F(4)
|
|
F(5)
|
|
F(6)
|
|
F(7)
|
|
F(8)
|
|
F(9)
|
|
F(10)
|
|
F(11)
|
|
F(12)
|
|
F(13)
|
|
F(14)
|
|
F(15)
|
|
F(16)
|
|
F(17)
|
|
F(18)
|
|
F(19)
|
|
F(20)
|
|
F(21)
|
|
F(22)
|
|
F(23)
|
|
F(24)
|
|
F(25)
|
|
F(26)
|
|
F(27)
|
|
F(28)
|
|
F(29)
|
|
F(30)
|
|
F(31)
|
|
return (int)((1 & ((differentbits - 1) >> 8)) - 1);
|
|
}
|
|
|
|
int crypto_sign_ed25519_open(
|
|
unsigned char *m,unsigned long long *mlen,
|
|
const unsigned char *sm,unsigned long long smlen,
|
|
const unsigned char *pk
|
|
)
|
|
{
|
|
unsigned int i;
|
|
int ret;
|
|
unsigned char t2[32];
|
|
ge25519 get1, get2;
|
|
sc25519 schram, scs;
|
|
unsigned char hram[crypto_hash_sha512_BYTES];
|
|
|
|
*mlen = (unsigned long long) -1;
|
|
if (smlen < 64) {
|
|
lwsl_notice("a\n");
|
|
|
|
return -1;
|
|
}
|
|
|
|
if (ge25519_unpackneg_vartime(&get1, pk)) {
|
|
lwsl_notice("b\n");
|
|
return -1;
|
|
}
|
|
|
|
get_hram(hram,sm,pk,m, (size_t)smlen);
|
|
|
|
sc25519_from64bytes(&schram, hram);
|
|
|
|
sc25519_from32bytes(&scs, sm+32);
|
|
|
|
ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
|
|
ge25519_pack(t2, &get2);
|
|
|
|
ret = crypto_verify_32(sm, t2);
|
|
lwsl_notice("vf says %d\n", ret);
|
|
|
|
if (!ret)
|
|
{
|
|
for(i=0;i<smlen-64;i++)
|
|
m[i] = sm[i + 64];
|
|
*mlen = smlen-64;
|
|
}
|
|
else
|
|
{
|
|
for(i=0;i<smlen-64;i++)
|
|
m[i] = 0;
|
|
}
|
|
return ret;
|
|
}
|