+/*
+ * x25519.c: Bernstein's X25519 key-exchange function
+ */
+/*
+ * This file is Free Software. It has been modified to as part of its
+ * incorporation into secnet.
+ *
+ * Copyright 2017 Mark Wooding
+ *
+ * You may redistribute this file and/or modify it under the terms of
+ * the permissive licence shown below.
+ *
+ * You may redistribute secnet as a whole and/or modify it under the
+ * terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * https://www.gnu.org/licenses/gpl.html.
+ */
+/*
+ * Imported from Catacomb, and modified for Secnet (2017-04-30):
+ *
+ * * Use `fake-mLib-bits.h' in place of the real <mLib/bits.h>.
+ *
+ * * Remove the test rig code: a replacement is in a separate source file.
+ *
+ * * Ignore the top bit of the input public key: in Secnet, conformance
+ * with RFC7748 is more valuable than flexibility.
+ *
+ * * Strip out the key-management definitions.
+ *
+ * The file's original comment headers are preserved below.
+ */
/* -*-c-*-
*
* The X25519 key-agreement algorithm
/*----- Header files ------------------------------------------------------*/
-#include <mLib/bits.h>
+#include "fake-mLib-bits.h"
#include "montladder.h"
#include "f25519.h"
#define A0 121665
-/*----- Key fetching ------------------------------------------------------*/
-
-const key_fetchdef x25519_pubfetch[] = {
- { "pub", offsetof(x25519_pub, pub), KENC_BINARY, 0 },
- { 0, 0, 0, 0 }
-};
-
-static const key_fetchdef priv[] = {
- { "priv", offsetof(x25519_priv, priv), KENC_BINARY, 0 },
- { 0, 0, 0, 0 }
-};
-
-const key_fetchdef x25519_privfetch[] = {
- { "pub", offsetof(x25519_priv, pub), KENC_BINARY, 0 },
- { "private", 0, KENC_STRUCT, priv },
- { 0, 0, 0, 0 }
-};
-
/*----- Main code ---------------------------------------------------------*/
/* --- @x25519@ --- *
const octet qx[X25519_PUBSZ])
{
uint32 kw[8];
+ uint8_t b[X25519_PUBSZ];
f25519 x1;
/* Load and clamp the key. The low bits are cleared to kill the small
kw[6] = LOAD32_L(k + 24); kw[7] = LOAD32_L(k + 28);
kw[0] &= 0xfffffff8; kw[7] = (kw[7]&0x3fffffff) | 0x40000000;
+ /* Copy the input point and clamp the top bit. */
+ memcpy(b, qx, sizeof(b)); b[31] &= 0x7f;
+ f25519_load(&x1, b);
+
/* And run the ladder. */
- f25519_load(&x1, qx);
#define MULA0(z, x) do { f25519_mulconst((z), (x), A0); } while (0)
MONT_LADDER(f25519, MULA0, kw, 8, 32, &x1, &x1);
#undef MULA0
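Review bot: The new `memcpy` and `uint8_t` used to clamp the input point need `<string.h>` and `<stdint.h>` in scope, and the only include this patch adds is `fake-mLib-bits.h`; unless that header, or one included above this hunk, provides both, the file will no longer build, so the include hunk should add them explicitly rather than depend on transitive inclusion. The index in `b[31] &= 0x7f;` repeats the size that `sizeof(b)` already expresses on the same line; `b[X25519_PUBSZ - 1] &= 0x7f;` keeps the top-bit clamp tied to the buffer size. The comment above the copy could also say why the bit is cleared, e.g. `/* Copy the input point and clear its top bit, as RFC 7748 section 5 requires when decoding a u-coordinate. */`. The body of x25519 continues past this hunk.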