tor  master
crypto_ed25519.c File Reference

Wrapper code for an ed25519 implementation.

#include "orconfig.h"
#include "crypto_curve25519.h"
#include "crypto_digest.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "torlog.h"
#include "util.h"
#include "util_format.h"
#include "ed25519/ref10/ed25519_ref10.h"
#include "ed25519/donna/ed25519_donna_tor.h"

Data Structures

struct  ed25519_impl_t
 

Functions

int ed25519_secret_key_generate (ed25519_secret_key_t *seckey_out, int extra_strong)
 
int ed25519_secret_key_from_seed (ed25519_secret_key_t *seckey_out, const uint8_t *seed)
 
int ed25519_public_key_generate (ed25519_public_key_t *pubkey_out, const ed25519_secret_key_t *seckey)
 
int ed25519_keypair_generate (ed25519_keypair_t *keypair_out, int extra_strong)
 
int ed25519_public_key_is_zero (const ed25519_public_key_t *pubkey)
 
int ed25519_sign (ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *keypair)
 
 MOCK_IMPL (int, ed25519_sign_prefixed,(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair))
 
 MOCK_IMPL (int, ed25519_checksig,(const ed25519_signature_t *signature, const uint8_t *msg, size_t len, const ed25519_public_key_t *pubkey))
 
int ed25519_checksig_prefixed (const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey)
 
 MOCK_IMPL (int, ed25519_checksig_batch,(int *okay_out, const ed25519_checkable_t *checkable, int n_checkable))
 
int ed25519_keypair_from_curve25519_keypair (ed25519_keypair_t *out, int *signbit_out, const curve25519_keypair_t *inp)
 
int ed25519_public_key_from_curve25519_public_key (ed25519_public_key_t *pubkey, const curve25519_public_key_t *pubkey_in, int signbit)
 
int ed25519_keypair_blind (ed25519_keypair_t *out, const ed25519_keypair_t *inp, const uint8_t *param)
 
int ed25519_public_blind (ed25519_public_key_t *out, const ed25519_public_key_t *inp, const uint8_t *param)
 
int ed25519_seckey_write_to_file (const ed25519_secret_key_t *seckey, const char *filename, const char *tag)
 
int ed25519_seckey_read_from_file (ed25519_secret_key_t *seckey_out, char **tag_out, const char *filename)
 
int ed25519_pubkey_write_to_file (const ed25519_public_key_t *pubkey, const char *filename, const char *tag)
 
int ed25519_pubkey_read_from_file (ed25519_public_key_t *pubkey_out, char **tag_out, const char *filename)
 
void ed25519_keypair_free_ (ed25519_keypair_t *kp)
 
int ed25519_pubkey_eq (const ed25519_public_key_t *key1, const ed25519_public_key_t *key2)
 
void ed25519_pubkey_copy (ed25519_public_key_t *dest, const ed25519_public_key_t *src)
 
 MOCK_IMPL (STATIC int, ed25519_impl_spot_check,(void))
 
void ed25519_set_impl_params (int use_donna)
 
void ed25519_init (void)
 
int ed25519_validate_pubkey (const ed25519_public_key_t *pubkey)
 

Detailed Description

Wrapper code for an ed25519 implementation.

Ed25519 is a Schnorr signature on a Twisted Edwards curve, defined by Dan Bernstein. For more information, see https://ed25519.cr.yp.to/

This module wraps our choice of Ed25519 backend, and provides a few convenience functions for checking and generating signatures. It also provides Tor-specific tools for key blinding and for converting Ed25519 keys to and from the corresponding Curve25519 keys.

Function Documentation

◆ ed25519_checksig_prefixed()

int ed25519_checksig_prefixed ( const ed25519_signature_t *  signature,
const uint8_t *  msg,
size_t  msg_len,
const char *  prefix_str,
const ed25519_public_key_t *  pubkey 
)

Like ed25519_checksig(), but also prefix msg with prefix_str before verifying signature. prefix_str must be a NUL-terminated string.

◆ ed25519_keypair_blind()

int ed25519_keypair_blind ( ed25519_keypair_t *  out,
const ed25519_keypair_t *  inp,
const uint8_t *  param 
)

Given an ed25519 keypair in inp, generate a corresponding ed25519 keypair in out, blinded by the corresponding 32-byte input in 'param'.

Tor uses key blinding for the "next-generation" hidden services design: service descriptors are encrypted with a key derived from the service's long-term public key, and then signed with (and stored at a position indexed by) a short-term key derived by blinding the long-term keys.

Return 0 if blinding was successful, else return -1.

◆ ed25519_keypair_free_()

void ed25519_keypair_free_ ( ed25519_keypair_t *  kp)

Release all storage held for kp.


◆ ed25519_keypair_from_curve25519_keypair()

int ed25519_keypair_from_curve25519_keypair ( ed25519_keypair_t *  out,
int *  signbit_out,
const curve25519_keypair_t *  inp 
)

Given a curve25519 keypair in inp, generate a corresponding ed25519 keypair in out, and set signbit_out to the sign bit of the X coordinate of the ed25519 key.

NOTE THAT IT IS PROBABLY NOT SAFE TO USE THE GENERATED KEY FOR ANYTHING OUTSIDE OF WHAT'S PRESENTED IN PROPOSAL 228. In particular, it's probably not a great idea to use it to sign attacker-supplied anything.


◆ ed25519_keypair_generate()

int ed25519_keypair_generate ( ed25519_keypair_t *  keypair_out,
int  extra_strong 
)

Generate a new ed25519 keypair in keypair_out. If extra_strong is set, try to mix some system entropy into the key generation process. Return 0 on success, -1 on failure.


◆ ed25519_pubkey_copy()

void ed25519_pubkey_copy ( ed25519_public_key_t *  dest,
const ed25519_public_key_t *  src 
)

Set dest to contain the same key as src.

◆ ed25519_pubkey_eq()

int ed25519_pubkey_eq ( const ed25519_public_key_t *  key1,
const ed25519_public_key_t *  key2 
)

Return true iff key1 and key2 are the same public key.


◆ ed25519_pubkey_read_from_file()

int ed25519_pubkey_read_from_file ( ed25519_public_key_t *  pubkey_out,
char **  tag_out,
const char *  filename 
)

Read pubkey unencrypted from filename, storing it into pubkey_out. Set *tag_out to the tag it was marked with. Return 0 on success, -1 on failure.


◆ ed25519_pubkey_write_to_file()

int ed25519_pubkey_write_to_file ( const ed25519_public_key_t *  pubkey,
const char *  filename,
const char *  tag 
)

Store pubkey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.


◆ ed25519_public_blind()

int ed25519_public_blind ( ed25519_public_key_t *  out,
const ed25519_public_key_t *  inp,
const uint8_t *  param 
)

Given an ed25519 public key in inp, generate a corresponding blinded public key in out, blinded with the 32-byte parameter in param. Return 0 on success, -1 on failure.

◆ ed25519_public_key_from_curve25519_public_key()

int ed25519_public_key_from_curve25519_public_key ( ed25519_public_key_t *  pubkey,
const curve25519_public_key_t *  pubkey_in,
int  signbit 
)

Given a curve25519 public key and sign bit of X coordinate of the ed25519 public key, generate the corresponding ed25519 public key.

◆ ed25519_public_key_generate()

int ed25519_public_key_generate ( ed25519_public_key_t *  pubkey_out,
const ed25519_secret_key_t *  seckey 
)

Given a secret key in seckey, expand it into an ed25519 public key. Return 0 on success, -1 on failure.


◆ ed25519_public_key_is_zero()

int ed25519_public_key_is_zero ( const ed25519_public_key_t *  pubkey)

Return true iff 'pubkey' is set to zero (e.g., to indicate that it is not set).


◆ ed25519_seckey_read_from_file()

int ed25519_seckey_read_from_file ( ed25519_secret_key_t *  seckey_out,
char **  tag_out,
const char *  filename 
)

Read seckey unencrypted from filename, storing it into seckey_out. Set *tag_out to the tag it was marked with. Return 0 on success, -1 on failure.


◆ ed25519_seckey_write_to_file()

int ed25519_seckey_write_to_file ( const ed25519_secret_key_t *  seckey,
const char *  filename,
const char *  tag 
)

Store seckey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.


◆ ed25519_secret_key_from_seed()

int ed25519_secret_key_from_seed ( ed25519_secret_key_t *  seckey_out,
const uint8_t *  seed 
)

Given a 32-byte random seed in seed, expand it into an ed25519 secret key in seckey_out. Return 0 on success, -1 on failure.

◆ ed25519_secret_key_generate()

int ed25519_secret_key_generate ( ed25519_secret_key_t *  seckey_out,
int  extra_strong 
)

Initialize a new ed25519 secret key in seckey_out. If extra_strong, take the RNG inputs directly from the operating system. Return 0 on success, -1 on failure.


◆ ed25519_set_impl_params()

void ed25519_set_impl_params ( int  use_donna)

Force the Ed25519 implementation to a given one, without sanity checking the output. Used for testing.

◆ ed25519_sign()

int ed25519_sign ( ed25519_signature_t *  signature_out,
const uint8_t *  msg,
size_t  len,
const ed25519_keypair_t *  keypair 
)

Set signature_out to a signature of the len-byte message msg, using the secret and public key in keypair.

Return 0 if we successfully signed the message, otherwise return -1.

◆ ed25519_validate_pubkey()

int ed25519_validate_pubkey ( const ed25519_public_key_t *  pubkey)

Validate pubkey to ensure that it has no torsion component. Return 0 if pubkey is valid, else return -1.

◆ MOCK_IMPL() [1/4]

MOCK_IMPL ( int  ,
ed25519_sign_prefixed  ,
(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)   
)

Like ed25519_sign(), but also prefix msg with prefix_str before signing. prefix_str must be a NUL-terminated string.

◆ MOCK_IMPL() [2/4]

MOCK_IMPL ( int  ,
ed25519_checksig  ,
(const ed25519_signature_t *signature, const uint8_t *msg, size_t len, const ed25519_public_key_t *pubkey)   
)

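Check whether signature is a valid signature for the len-byte message in msg made with the key pubkey.

Return 0 if the signature is valid; -1 if it isn't. Because 0 means "valid", callers must compare the result against 0 rather than treating it as a boolean.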

◆ MOCK_IMPL() [3/4]

MOCK_IMPL ( int  ,
ed25519_checksig_batch  ,
(int *okay_out, const ed25519_checkable_t *checkable, int n_checkable)   
)

Validate every signature among those in checkable, which contains exactly n_checkable elements. If okay_out is non-NULL, set the i'th element of okay_out to 1 if the i'th element of checkable is valid, and to 0 otherwise. Return 0 if every signature was valid. Otherwise return -N, where N is the number of invalid signatures.

◆ MOCK_IMPL() [4/4]

MOCK_IMPL ( STATIC  int,
ed25519_impl_spot_check  ,
(void)   
)

Check whether the given Ed25519 implementation seems to be working. If so, return 0; otherwise return -1.