Add ed25519ctx and ed25519ph support

Valerii Chubar · sjaeckel · commit b761cc0f6711 · 2022-08-20T14:38:43.000+02:00
Signed-off-by: Valerii Chubar &lt;valerii_chubar@epam.com&gt;
Signed-off-by: Sergiy Kibrik &lt;Sergiy_Kibrik@epam.com&gt;
diff --git a/src/headers/tomcrypt_pk.h b/src/headers/tomcrypt_pk.h
@@ -358,10 +358,23 @@ int ed25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
 int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
                        unsigned char  *sig, unsigned long *siglen,
                  const curve25519_key *private_key);
-
+int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
+                    unsigned char *sig, unsigned long *siglen,
+                    const char* ctx, const curve25519_key *private_key);
+int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
+                   unsigned char *sig, unsigned long *siglen,
+                   const char *ctx, const curve25519_key *private_key);
 int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
                    const  unsigned char *sig, unsigned long siglen,
                    int *stat, const curve25519_key *public_key);
+int ed25519ctx_verify(const  unsigned char *msg, unsigned long msglen,
+                      const  unsigned char *sig, unsigned long siglen,
+                      int *stat, const char* ctx,
+                      const curve25519_key *public_key);
+int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
+                     const  unsigned char *sig, unsigned long siglen,
+                     int *stat, const char* ctx,
+                     const curve25519_key *public_key);
 
 /** X25519 Key-Exchange API */
 int x25519_make_key(prng_state *prng, int wprng, curve25519_key *key);
diff --git a/src/headers/tomcrypt_private.h b/src/headers/tomcrypt_private.h
@@ -9,6 +9,8 @@
 
 #define LTC_PAD_MASK       (0xF000U)
 
+#define ED25519_CONTEXT_PREFIX "SigEd25519 no Ed25519 collisions"
+
 /*
  * Internal Enums
  */
@@ -331,16 +333,21 @@ int dsa_int_validate_primes(const dsa_key *key, int *stat);
 int tweetnacl_crypto_sign(
   unsigned char *sm,unsigned long long *smlen,
   const unsigned char *m,unsigned long long mlen,
-  const unsigned char *sk, const unsigned char *pk);
+  const unsigned char *sk,const unsigned char *pk,
+  const unsigned char *ctx,unsigned long long cs);
 int tweetnacl_crypto_sign_open(
   int *stat,
   unsigned char *m,unsigned long long *mlen,
   const unsigned char *sm,unsigned long long smlen,
+  const unsigned char *ctx, unsigned long cs,
   const unsigned char *pk);
 int tweetnacl_crypto_sign_keypair(prng_state *prng, int wprng, unsigned char *pk,unsigned char *sk);
 int tweetnacl_crypto_sk_to_pk(unsigned char *pk, const unsigned char *sk);
 int tweetnacl_crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p);
 int tweetnacl_crypto_scalarmult_base(unsigned char *q,const unsigned char *n);
+int tweetnacl_crypto_ph(unsigned char *out, const unsigned char *msg, unsigned long msglen);
+int tweetnacl_crypto_ctx(unsigned char *out, unsigned long *outlen,
+                       unsigned char flag, const char *pr, const char* ctx);
 
 typedef int (*sk_to_pk)(unsigned char *pk ,const unsigned char *sk);
 int ec25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
diff --git a/src/pk/ec25519/tweetnacl.c b/src/pk/ec25519/tweetnacl.c
@@ -235,6 +235,27 @@ static int tweetnacl_crypto_hash(u8 *out,const u8 *m,u64 n)
   return 0;
 }
 
+static int tweetnacl_crypto_hash_ctx(u8 *out,const u8 *m,u64 n,const u8 *ctx,u32 cs)
+{
+  unsigned long len;
+  int err;
+  u8 buf[512];
+
+  if(cs == 0)
+    return tweetnacl_crypto_hash(out,m,n);
+
+  len = n + cs;
+  if (len > 512) return CRYPT_HASH_OVERFLOW;
+
+  XMEMCPY(buf,ctx,cs);
+  XMEMCPY(buf+cs,m,n);
+
+  err = tweetnacl_crypto_hash(out,buf,len);
+  zeromem(buf, len);
+
+  return err;
+}
+
 sv add(gf p[4],gf q[4])
 {
   gf a,b,c,d,t,e,f,g,h;
@@ -376,7 +397,7 @@ sv reduce(u8 *r)
   modL(r,x);
 }
 
-int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,const u8 *pk)
+int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,const u8 *pk, const u8 *ctx, u64 cs)
 {
   u8 d[64],h[64],r[64];
   i64 i,j,x[64];
@@ -391,13 +412,13 @@ int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,co
   FOR(i,(i64)mlen) sm[64 + i] = m[i];
   FOR(i,32) sm[32 + i] = d[32 + i];
 
-  tweetnacl_crypto_hash(r, sm+32, mlen+32);
+  tweetnacl_crypto_hash_ctx(r, sm+32, mlen+32,ctx,cs);
   reduce(r);
   scalarbase(p,r);
   pack(sm,p);
 
   FOR(i,32) sm[i+32] = pk[i];
-  tweetnacl_crypto_hash(h,sm,mlen + 64);
+  tweetnacl_crypto_hash_ctx(h,sm,mlen + 64,ctx,cs);
   reduce(h);
 
   FOR(i,64) x[i] = 0;
@@ -444,7 +465,7 @@ static int unpackneg(gf r[4],const u8 p[32])
   return 0;
 }
 
-int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *pk)
+int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *ctx,size_t cs,const u8 *pk)
 {
   u64 i;
   u8 s[32],t[32],h[64];
@@ -460,7 +481,7 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
   XMEMMOVE(m,sm,smlen);
   XMEMMOVE(s,m + 32,32);
   XMEMMOVE(m + 32,pk,32);
-  tweetnacl_crypto_hash(h,m,smlen);
+  tweetnacl_crypto_hash_ctx(h,m,smlen,ctx,cs);
   reduce(h);
   scalarmult(p,q,h);
 
@@ -480,3 +501,43 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
   *mlen = smlen;
   return CRYPT_OK;
 }
+
+int tweetnacl_crypto_ph(u8 *out,const u8 *msg,size_t msglen)
+{
+  hash_state md;
+
+  sha512_init(&md);
+
+  if(sha512_process(&md, msg, msglen) != CRYPT_OK)
+    return CRYPT_INVALID_ARG;
+
+  if(sha512_done(&md, out) != CRYPT_OK)
+    return CRYPT_INVALID_ARG;
+
+  return CRYPT_OK;
+}
+
+int tweetnacl_crypto_ctx(u8 *out,size_t *outlen,u8 flag,const char *pr, const char *ctx)
+{
+  u8 *buf = out;
+  const int ctx_prefix_len = strlen(pr);
+  const int ctxlen = ctx ? strlen(ctx) : 0;
+
+  if(ctxlen > 255) return CRYPT_INPUT_TOO_LONG;
+
+  XMEMCPY(buf, pr, ctx_prefix_len);
+  buf += ctx_prefix_len;
+  XMEMCPY(buf, &flag, 1);
+  buf++;
+  XMEMCPY(buf, &ctxlen, 1);
+  buf++;
+
+  if(ctxlen > 0) {
+    XMEMCPY(buf, ctx, ctxlen);
+    buf += ctxlen;
+  }
+
+  *outlen = buf-out;
+
+  return CRYPT_OK;
+}
diff --git a/src/pk/ed25519/ed25519_sign.c b/src/pk/ed25519/ed25519_sign.c
@@ -9,17 +9,10 @@
 
 #ifdef LTC_CURVE25519
 
-/**
-   Create an Ed25519 signature.
-   @param private_key     The private Ed25519 key in the pair
-   @param public_key      The public Ed25519 key in the pair
-   @param out             [out] The destination of the shared data
-   @param outlen          [in/out] The max size and resulting size of the shared data.
-   @return CRYPT_OK if successful
-*/
-int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
-                       unsigned char  *sig, unsigned long *siglen,
-                 const curve25519_key *private_key)
+static int ed25519_sign_private(const unsigned char *msg, unsigned long msglen,
+                       unsigned char *sig, unsigned long *siglen,
+                          const char* ctx, unsigned long ctxlen,
+                          const curve25519_key *private_key)
 {
    unsigned char *s;
    unsigned long long smlen;
@@ -44,7 +37,8 @@ int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
 
    err = tweetnacl_crypto_sign(s, &smlen,
                                msg, msglen,
-                               private_key->priv, private_key->pub);
+                               private_key->priv, private_key->pub,
+                               ctx, ctxlen);
 
    XMEMCPY(sig, s, 64uL);
    *siglen = 64uL;
@@ -57,4 +51,79 @@ int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
    return err;
 }
 
+/**
+   Create an Ed25519ctx signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param ctx             [in] The context is a constant null terminated string
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
+                          unsigned char *sig, unsigned long *siglen,
+                    const char* ctx, const curve25519_key *private_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   LTC_ARGCHK(ctx != NULL);
+
+   if(tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 0,
+                           ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
+                               ctx_prefix_size, private_key);
+}
+
+/**
+   Create an Ed25519ph signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param ctx             [in] The context is a constant null terminated string
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
+                         unsigned char *sig, unsigned long *siglen,
+                   const char *ctx, const curve25519_key *private_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned char msg_hash[64] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   if (tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1,
+                            ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   if (tweetnacl_crypto_ph(msg_hash, msg, msglen) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   msg = msg_hash;
+   msglen = 64;
+
+   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
+                               ctx_prefix_size, private_key);
+}
+
+/**
+   Create an Ed25519 signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519_sign(const unsigned char *msg, unsigned long msglen,
+                       unsigned char *sig, unsigned long *siglen,
+                 const curve25519_key *private_key)
+{
+   return ed25519_sign_private(msg, msglen, sig, siglen, 0, 0, private_key);
+}
+
 #endif
diff --git a/src/pk/ed25519/ed25519_verify.c b/src/pk/ed25519/ed25519_verify.c
diff --git a/tests/ed25519_test.c b/tests/ed25519_test.c
