X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/blobdiff_plain/b7a5ecfcbac18c56d0b044975f6ed6835dd86ab4..0bcb8184cfce875a4dde57621139dd44c433f3a5:/x25519.c
diff --git a/x25519.c b/x25519.c
index 8e9649e..19f3518 100644
--- a/x25519.c
+++ b/x25519.c
@@ -1,3 +1,43 @@
+/*
+ * x25519.c: Bernstein's X25519 key-exchange function
+ */
+/*
+ * This file is Free Software. It has been modified to as part of its
+ * incorporation into secnet.
+ *
+ * Copyright 2017 Mark Wooding
+ *
+ * You may redistribute this file and/or modify it under the terms of
+ * the permissive licence shown below.
+ *
+ * You may redistribute secnet as a whole and/or modify it under the
+ * terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 3, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see
+ * https://www.gnu.org/licenses/gpl.html.
+ */
+/*
+ * Imported from Catacomb, and modified for Secnet (2017-04-30):
+ *
+ * * Use `fake-mLib-bits.h' in place of the real .
+ *
+ * * Remove the test rig code: a replacement is in a separate source file.
+ *
+ * * Ignore the top bit of the input public key: in Secnet, conformance
+ * with RFC7748 is more valuable than flexibility.
+ *
+ * * Strip out the key-management definitions.
+ *
+ * The file's original comment headers are preserved below.
+ */
 /* -*-c-*-
  *
  * The X25519 key-agreement algorithm
@@ -27,7 +67,7 @@
 /*----- Header files ------------------------------------------------------*/
-#include 
+#include "fake-mLib-bits.h"
 #include "montladder.h"
 #include "f25519.h"
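Review bot: The new licence header in the first hunk has a typo in its fifth line, `It has been modified to as part of its`; it should read ` * This file is Free Software. It has been modified as part of its`. The rest of the header and the list of Catacomb import changes read fine and usefully record why the top bit of the public key is now masked.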
@@ -39,24 +79,6 @@ const octet x25519_base[32] = { 9, 0, /* ... */ };
 #define A0 121665
-/*----- Key fetching ------------------------------------------------------*/
-
-const key_fetchdef x25519_pubfetch[] = {
- { "pub", offsetof(x25519_pub, pub), KENC_BINARY, 0 },
- { 0, 0, 0, 0 }
-};
-
-static const key_fetchdef priv[] = {
- { "priv", offsetof(x25519_priv, priv), KENC_BINARY, 0 },
- { 0, 0, 0, 0 }
-};
-
-const key_fetchdef x25519_privfetch[] = {
- { "pub", offsetof(x25519_priv, pub), KENC_BINARY, 0 },
- { "private", 0, KENC_STRUCT, priv },
- { 0, 0, 0, 0 }
-};
-
 /*----- Main code ---------------------------------------------------------*/
 /* --- @x25519@ --- *
@@ -84,6 +106,7 @@ void x25519(octet zz[X25519_OUTSZ],
  const octet qx[X25519_PUBSZ])
 {
  uint32 kw[8];
+ uint8_t b[X25519_PUBSZ];
  f25519 x1;
  /* Load and clamp the key. The low bits are cleared to kill the small
@@ -96,8 +119,11 @@ void x25519(octet zz[X25519_OUTSZ],
  kw[6] = LOAD32_L(k + 24); kw[7] = LOAD32_L(k + 28);
  kw[0] &= 0xfffffff8; kw[7] = (kw[7]&0x3fffffff) | 0x40000000;
+ /* Copy the input point and clamp the top bit. */
+ memcpy(b, qx, sizeof(b)); b[31] &= 0x7f;
+ f25519_load(&x1, b);
+
  /* And run the ladder. */
- f25519_load(&x1, qx);
 #define MULA0(z, x) do { f25519_mulconst((z), (x), A0); } while (0)
  MONT_LADDER(f25519, MULA0, kw, 8, 32, &x1, &x1);
 #undef MULA0
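Review bot: The added `memcpy(b, qx, sizeof(b))` in the last hunk needs `<string.h>`, and the include hunk earlier in this diff shows only `fake-mLib-bits.h`, `montladder.h` and `f25519.h`; unless `<string.h>` is pulled in further up the file (outside this diff), add `#include <string.h>` alongside them. The buffer introduced in the `uint32 kw[8]` hunk is declared as `uint8_t b[X25519_PUBSZ]` while `qx`, `zz` and `x25519_base` use the file's `octet` type, so `octet b[X25519_PUBSZ];` would keep the declaration consistent with the parameter it copies. The comment `/* Copy the input point and clamp the top bit. */` says what rather than why; `/* Mask off the top bit of the u-coordinate: RFC 7748 section 5 requires it to be ignored. */` records the rationale already given in the new file header. `b` holds only the public key, so it needs no zeroization, but note that `x25519`'s body continues past the end of the hunk.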