re-factor some parts of the Ed25519ctx and Ed25519ph implementation

* The RFC doesn't limit the context to be a string.
  It talks about `octets` which means it could be any binary data.
* Move the context-preprocessing function out of tweetnacl.c
* Fix potential segfaults when Ed25519 signature verification fails and
  `LTC_CLEAN_STACK` is enabled.
* Fix all the warnings.
* Update documentation.

Signed-off-by: Steffen Jaeckel <[email protected]>

Author: sjaeckel

doc/crypt.tex

@@ -5909,25 +5909,49 @@ \subsection{EdDSA Cryptographic Operations}
 To sign and/or verify a message use the following functions:
 
 \index{ed25519\_sign}
+\index{ed25519ctx\_sign}
+\index{ed25519ph\_sign}
 \begin{verbatim}
-int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
-                       unsigned char  *sig, unsigned long *siglen,
+int ed25519_sign(const  unsigned char *msg, unsigned long msglen,
+                        unsigned char *sig, unsigned long *siglen,
                  const curve25519_key *private_key);
+int ed25519ctx_sign(const  unsigned char *msg, unsigned long  msglen,
+                           unsigned char *sig, unsigned long *siglen,
+                    const  unsigned char *ctx, unsigned long  ctxlen,
+                    const curve25519_key *private_key);
+int ed25519ph_sign(const  unsigned char *msg, unsigned long  msglen,
+                          unsigned char *sig, unsigned long *siglen,
+                   const  unsigned char *ctx, unsigned long  ctxlen,
+                   const curve25519_key *private_key);
 \end{verbatim}
 
-This function will EdDSA sign the message stored in the array pointed to by \textit{msg} of length \textit{msglen} octets.  The signature
-will be stored in the array pointed to by \textit{sig} of length \textit{siglen} octets.
+These functions will EdDSA sign the message stored in the array pointed to by \textit{msg} of length \textit{msglen} octets.  The signature
+will be stored in the array pointed to by \textit{sig} of length \textit{siglen} octets.  The \texttt{ctx} and \texttt{ph} variants also
+allow passing a context \textit{ctx} of length \textit{ctxlen} octets.  This context is allowed to be max. 255 octets long.
 
 \index{ed25519\_verify}
+\index{ed25519ctx\_verify}
+\index{ed25519ph\_verify}
 \begin{verbatim}
 int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
                    const  unsigned char *sig, unsigned long siglen,
-                   int *stat, const curve25519_key *public_key);
+                                    int *stat,
+                   const curve25519_key *public_key);
+int ed25519ctx_verify(const  unsigned char *msg, unsigned long msglen,
+                      const  unsigned char *sig, unsigned long siglen,
+                      const  unsigned char *ctx, unsigned long ctxlen,
+                                       int *stat,
+                      const curve25519_key *public_key);
+int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
+                     const  unsigned char *sig, unsigned long siglen,
+                     const  unsigned char *ctx, unsigned long ctxlen,
+                                      int *stat,
+                     const curve25519_key *public_key);
 \end{verbatim}
 
-This function will verify the EdDSA signature in the array pointed to by \textit{sig} of length \textit{siglen} octets, against the message
+These functions will verify the EdDSA signature in the array pointed to by \textit{sig} of length \textit{siglen} octets, against the message
 pointed to by the array \textit{msg} of length \textit{msglen}. It will store a non--zero value in \textit{stat} if the signature is valid.  Note:
-the function will not return an error if the signature is invalid. It will return an error, if the actual signature payload is an invalid format.
+the function will not return an error if the signature is invalid. It will only return an error if the actual signature payload is an invalid format.
 
 
 \chapter{Digital Signature Algorithm}

src/headers/tomcrypt_pk.h

@@ -355,25 +355,30 @@ int ed25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
                                   const void *pwd, unsigned long pwdlen,
                               curve25519_key *key);
 
-int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
-                       unsigned char  *sig, unsigned long *siglen,
+int ed25519_sign(const  unsigned char *msg, unsigned long msglen,
+                        unsigned char *sig, unsigned long *siglen,
                  const curve25519_key *private_key);
-int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
-                    unsigned char *sig, unsigned long *siglen,
-                    const char* ctx, const curve25519_key *private_key);
-int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
-                   unsigned char *sig, unsigned long *siglen,
-                   const char *ctx, const curve25519_key *private_key);
+int ed25519ctx_sign(const  unsigned char *msg, unsigned long  msglen,
+                           unsigned char *sig, unsigned long *siglen,
+                    const  unsigned char *ctx, unsigned long  ctxlen,
+                    const curve25519_key *private_key);
+int ed25519ph_sign(const  unsigned char *msg, unsigned long  msglen,
+                          unsigned char *sig, unsigned long *siglen,
+                   const  unsigned char *ctx, unsigned long  ctxlen,
+                   const curve25519_key *private_key);
 int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
                    const  unsigned char *sig, unsigned long siglen,
-                   int *stat, const curve25519_key *public_key);
+                                    int *stat,
+                   const curve25519_key *public_key);
 int ed25519ctx_verify(const  unsigned char *msg, unsigned long msglen,
                       const  unsigned char *sig, unsigned long siglen,
-                      int *stat, const char* ctx,
+                      const  unsigned char *ctx, unsigned long ctxlen,
+                                       int *stat,
                       const curve25519_key *public_key);
 int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
                      const  unsigned char *sig, unsigned long siglen,
-                     int *stat, const char* ctx,
+                     const  unsigned char *ctx, unsigned long ctxlen,
+                                      int *stat,
                      const curve25519_key *public_key);
 
 /** X25519 Key-Exchange API */

src/headers/tomcrypt_private.h

@@ -9,8 +9,6 @@
 
 #define LTC_PAD_MASK       (0xF000U)
 
-#define ED25519_CONTEXT_PREFIX "SigEd25519 no Ed25519 collisions"
-
 /*
  * Internal Enums
  */
@@ -346,8 +344,6 @@ int tweetnacl_crypto_sk_to_pk(unsigned char *pk, const unsigned char *sk);
 int tweetnacl_crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p);
 int tweetnacl_crypto_scalarmult_base(unsigned char *q,const unsigned char *n);
 int tweetnacl_crypto_ph(unsigned char *out, const unsigned char *msg, unsigned long msglen);
-int tweetnacl_crypto_ctx(unsigned char *out, unsigned long *outlen,
-                       unsigned char flag, const char *pr, const char* ctx);
 
 typedef int (*sk_to_pk)(unsigned char *pk ,const unsigned char *sk);
 int ec25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
@@ -357,6 +353,9 @@ int ec25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
 int ec25519_export(       unsigned char *out, unsigned long *outlen,
                                     int  which,
                    const curve25519_key *key);
+int ec25519_crypto_ctx(      unsigned char *out, unsigned long *outlen,
+                             unsigned char flag,
+                       const unsigned char *ctx, unsigned long  ctxlen);
 #endif /* LTC_CURVE25519 */
 
 #ifdef LTC_DER

src/pk/ec25519/ec25519_crypto_ctx.c

@@ -0,0 +1,40 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis */
+/* SPDX-License-Identifier: Unlicense */
+#include "tomcrypt_private.h"
+
+/**
+  @file ec25519_crypto_ctx.c
+  curve25519 crypto context helper
+*/
+
+#ifdef LTC_CURVE25519
+
+int ec25519_crypto_ctx(unsigned char *out, unsigned long *outlen, unsigned char flag, const unsigned char *ctx, unsigned long ctxlen)
+{
+  unsigned char *buf = out;
+
+  const char *prefix = "SigEd25519 no Ed25519 collisions";
+  const unsigned long prefix_len = XSTRLEN(prefix);
+  const unsigned char ctxlen8 = (unsigned char)ctxlen;
+
+  if (ctxlen > 255u) return CRYPT_INPUT_TOO_LONG;
+  if (*outlen < prefix_len + 2u + ctxlen) return CRYPT_BUFFER_OVERFLOW;
+
+  XMEMCPY(buf, prefix, prefix_len);
+  buf += prefix_len;
+  XMEMCPY(buf, &flag, 1);
+  buf++;
+  XMEMCPY(buf, &ctxlen8, 1);
+  buf++;
+
+  if (ctxlen > 0u) {
+    XMEMCPY(buf, ctx, ctxlen);
+    buf += ctxlen;
+  }
+
+  *outlen = buf-out;
+
+  return CRYPT_OK;
+}
+
+#endif

src/pk/ec25519/tweetnacl.c

@@ -504,40 +504,5 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
 
 int tweetnacl_crypto_ph(u8 *out,const u8 *msg,size_t msglen)
 {
-  hash_state md;
-
-  sha512_init(&md);
-
-  if(sha512_process(&md, msg, msglen) != CRYPT_OK)
-    return CRYPT_INVALID_ARG;
-
-  if(sha512_done(&md, out) != CRYPT_OK)
-    return CRYPT_INVALID_ARG;
-
-  return CRYPT_OK;
-}
-
-int tweetnacl_crypto_ctx(u8 *out,size_t *outlen,u8 flag,const char *pr, const char *ctx)
-{
-  u8 *buf = out;
-  const int ctx_prefix_len = strlen(pr);
-  const int ctxlen = ctx ? strlen(ctx) : 0;
-
-  if(ctxlen > 255) return CRYPT_INPUT_TOO_LONG;
-
-  XMEMCPY(buf, pr, ctx_prefix_len);
-  buf += ctx_prefix_len;
-  XMEMCPY(buf, &flag, 1);
-  buf++;
-  XMEMCPY(buf, &ctxlen, 1);
-  buf++;
-
-  if(ctxlen > 0) {
-    XMEMCPY(buf, ctx, ctxlen);
-    buf += ctxlen;
-  }
-
-  *outlen = buf-out;
-
-  return CRYPT_OK;
+  return tweetnacl_crypto_hash(out, msg, msglen);
 }

src/pk/ed25519/ed25519_sign.c

@@ -9,9 +9,9 @@
 
 #ifdef LTC_CURVE25519
 
-static int ed25519_sign_private(const unsigned char *msg, unsigned long msglen,
-                       unsigned char *sig, unsigned long *siglen,
-                          const char* ctx, unsigned long ctxlen,
+static int s_ed25519_sign(const unsigned char  *msg, unsigned long  msglen,
+                                unsigned char  *sig, unsigned long *siglen,
+                          const unsigned char  *ctx, unsigned long  ctxlen,
                           const curve25519_key *private_key)
 {
    unsigned char *s;
@@ -61,21 +61,21 @@ static int ed25519_sign_private(const unsigned char *msg, unsigned long msglen,
    @param private_key     The private Ed25519 key in the pair
    @return CRYPT_OK if successful
 */
-int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
-                          unsigned char *sig, unsigned long *siglen,
-                    const char* ctx, const curve25519_key *private_key)
+int ed25519ctx_sign(const  unsigned char *msg, unsigned long  msglen,
+                           unsigned char *sig, unsigned long *siglen,
+                    const  unsigned char *ctx, unsigned long  ctxlen,
+                    const curve25519_key *private_key)
 {
+   int err;
    unsigned char ctx_prefix[512] = {0};
-   unsigned long ctx_prefix_size = 0;
+   unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
    LTC_ARGCHK(ctx != NULL);
 
-   if(tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 0,
-                           ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
-      return CRYPT_INVALID_ARG;
+   if ((err = ec25519_crypto_ctx(ctx_prefix, &ctx_prefix_size, 0, ctx, ctxlen)) != CRYPT_OK)
+      return err;
 
-   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
-                               ctx_prefix_size, private_key);
+   return s_ed25519_sign(msg, msglen, sig, siglen, ctx_prefix, ctx_prefix_size, private_key);
 }
 
 /**
@@ -88,26 +88,26 @@ int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
    @param private_key     The private Ed25519 key in the pair
    @return CRYPT_OK if successful
 */
-int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
-                         unsigned char *sig, unsigned long *siglen,
-                   const char *ctx, const curve25519_key *private_key)
+int ed25519ph_sign(const  unsigned char *msg, unsigned long  msglen,
+                          unsigned char *sig, unsigned long *siglen,
+                   const  unsigned char *ctx, unsigned long  ctxlen,
+                   const curve25519_key *private_key)
 {
+   int err;
    unsigned char ctx_prefix[512] = {0};
    unsigned char msg_hash[64] = {0};
-   unsigned long ctx_prefix_size = 0;
+   unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
-   if (tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1,
-                            ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
-      return CRYPT_INVALID_ARG;
+   if ((err = ec25519_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1, ctx, ctxlen)) != CRYPT_OK)
+      return err;
 
-   if (tweetnacl_crypto_ph(msg_hash, msg, msglen) != CRYPT_OK)
-      return CRYPT_INVALID_ARG;
+   if ((err = tweetnacl_crypto_ph(msg_hash, msg, msglen)) != CRYPT_OK)
+      return err;
 
    msg = msg_hash;
    msglen = 64;
 
-   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
-                               ctx_prefix_size, private_key);
+   return s_ed25519_sign(msg, msglen, sig, siglen, ctx_prefix, ctx_prefix_size, private_key);
 }
 
 /**
@@ -119,11 +119,11 @@ int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
    @param private_key     The private Ed25519 key in the pair
    @return CRYPT_OK if successful
 */
-int ed25519_sign(const unsigned char *msg, unsigned long msglen,
-                       unsigned char *sig, unsigned long *siglen,
+int ed25519_sign(const  unsigned char *msg, unsigned long msglen,
+                        unsigned char *sig, unsigned long *siglen,
                  const curve25519_key *private_key)
 {
-   return ed25519_sign_private(msg, msglen, sig, siglen, 0, 0, private_key);
+   return s_ed25519_sign(msg, msglen, sig, siglen, NULL, 0, private_key);
 }
 
 #endif