Hack on the newly imported X25519 and X448 code.

[secnet] / x25519.c

diff --git a/x25519.c b/x25519.c
index 8e9649e..19f3518 100644 (file)
--- a/x25519.c
+++ b/x25519.c
@@ -1,3 +1,43 @@
+/*
+ * x25519.c: Bernstein's X25519 key-exchange function
+ */
+/*
+ * This file is Free Software.  It has been modified to as part of its
+ * incorporation into secnet.
+ *
+ * Copyright 2017 Mark Wooding
+ *
+ * You may redistribute this file and/or modify it under the terms of
+ * the permissive licence shown below.
+ *
+ * You may redistribute secnet as a whole and/or modify it under the
+ * terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * https://www.gnu.org/licenses/gpl.html.
+ */
+/*
+ * Imported from Catacomb, and modified for Secnet (2017-04-30):
+ *
+ *   * Use `fake-mLib-bits.h' in place of the real <mLib/bits.h>.
+ *
+ *   * Remove the test rig code: a replacement is in a separate source file.
+ *
+ *   * Ignore the top bit of the input public key: in Secnet, conformance
+ *     with RFC7748 is more valuable than flexibility.
+ *
+ *   * Strip out the key-management definitions.
+ *
+ * The file's original comment headers are preserved below.
+ */
 /* -*-c-*-
  *
  * The X25519 key-agreement algorithm
@@ -27,7 +67,7 @@
 
 /*----- Header files ------------------------------------------------------*/
 
-#include <mLib/bits.h>
+#include "fake-mLib-bits.h"
 
 #include "montladder.h"
 #include "f25519.h"
@@ -39,24 +79,6 @@ const octet x25519_base[32] = { 9, 0, /* ... */ };
 
 #define A0 121665
 
-/*----- Key fetching ------------------------------------------------------*/
-
-const key_fetchdef x25519_pubfetch[] = {
-  { "pub",     offsetof(x25519_pub, pub),      KENC_BINARY,    0 },
-  { 0,         0,                              0,              0 }
-};
-
-static const key_fetchdef priv[] = {
-  { "priv",    offsetof(x25519_priv, priv),    KENC_BINARY,    0 },
-  { 0,         0,                              0,              0 }
-};
-
-const key_fetchdef x25519_privfetch[] = {
-  { "pub",     offsetof(x25519_priv, pub),     KENC_BINARY,    0 },
-  { "private", 0,                              KENC_STRUCT,    priv },
-  { 0,         0,                              0,              0 }
-};
-
 /*----- Main code ---------------------------------------------------------*/
 
 /* --- @x25519@ --- *
@@ -84,6 +106,7 @@ void x25519(octet zz[X25519_OUTSZ],
            const octet qx[X25519_PUBSZ])
 {
   uint32 kw[8];
+  uint8_t b[X25519_PUBSZ];
   f25519 x1;
 
   /* Load and clamp the key.  The low bits are cleared to kill the small
@@ -96,8 +119,11 @@ void x25519(octet zz[X25519_OUTSZ],
   kw[6] = LOAD32_L(k + 24); kw[7] = LOAD32_L(k + 28);
   kw[0] &= 0xfffffff8; kw[7] = (kw[7]&0x3fffffff) | 0x40000000;
 
+  /* Copy the input point and clamp the top bit. */
+  memcpy(b, qx, sizeof(b)); b[31] &= 0x7f;
+  f25519_load(&x1, b);
+
   /* And run the ladder. */
-  f25519_load(&x1, qx);
 #define MULA0(z, x) do { f25519_mulconst((z), (x), A0); } while (0)
   MONT_LADDER(f25519, MULA0, kw, 8, 32, &x1, &x1);
 #undef MULA0