tor
master
|
Wrapper code for an ed25519 implementation. More...
#include "orconfig.h"
#include "crypto_curve25519.h"
#include "crypto_digest.h"
#include "crypto_ed25519.h"
#include "crypto_format.h"
#include "crypto_rand.h"
#include "crypto_util.h"
#include "torlog.h"
#include "util.h"
#include "util_format.h"
#include "ed25519/ref10/ed25519_ref10.h"
#include "ed25519/donna/ed25519_donna_tor.h"
Data Structures | |
struct | ed25519_impl_t |
Functions | |
int | ed25519_secret_key_generate (ed25519_secret_key_t *seckey_out, int extra_strong) |
int | ed25519_secret_key_from_seed (ed25519_secret_key_t *seckey_out, const uint8_t *seed) |
int | ed25519_public_key_generate (ed25519_public_key_t *pubkey_out, const ed25519_secret_key_t *seckey) |
int | ed25519_keypair_generate (ed25519_keypair_t *keypair_out, int extra_strong) |
int | ed25519_public_key_is_zero (const ed25519_public_key_t *pubkey) |
int | ed25519_sign (ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *keypair) |
MOCK_IMPL (int, ed25519_sign_prefixed,(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair)) | |
MOCK_IMPL (int, ed25519_checksig,(const ed25519_signature_t *signature, const uint8_t *msg, size_t len, const ed25519_public_key_t *pubkey)) | |
int | ed25519_checksig_prefixed (const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey) |
MOCK_IMPL (int, ed25519_checksig_batch,(int *okay_out, const ed25519_checkable_t *checkable, int n_checkable)) | |
int | ed25519_keypair_from_curve25519_keypair (ed25519_keypair_t *out, int *signbit_out, const curve25519_keypair_t *inp) |
int | ed25519_public_key_from_curve25519_public_key (ed25519_public_key_t *pubkey, const curve25519_public_key_t *pubkey_in, int signbit) |
int | ed25519_keypair_blind (ed25519_keypair_t *out, const ed25519_keypair_t *inp, const uint8_t *param) |
int | ed25519_public_blind (ed25519_public_key_t *out, const ed25519_public_key_t *inp, const uint8_t *param) |
int | ed25519_seckey_write_to_file (const ed25519_secret_key_t *seckey, const char *filename, const char *tag) |
int | ed25519_seckey_read_from_file (ed25519_secret_key_t *seckey_out, char **tag_out, const char *filename) |
int | ed25519_pubkey_write_to_file (const ed25519_public_key_t *pubkey, const char *filename, const char *tag) |
int | ed25519_pubkey_read_from_file (ed25519_public_key_t *pubkey_out, char **tag_out, const char *filename) |
void | ed25519_keypair_free_ (ed25519_keypair_t *kp) |
int | ed25519_pubkey_eq (const ed25519_public_key_t *key1, const ed25519_public_key_t *key2) |
void | ed25519_pubkey_copy (ed25519_public_key_t *dest, const ed25519_public_key_t *src) |
MOCK_IMPL (STATIC int, ed25519_impl_spot_check,(void)) | |
void | ed25519_set_impl_params (int use_donna) |
void | ed25519_init (void) |
int | ed25519_validate_pubkey (const ed25519_public_key_t *pubkey) |
Wrapper code for an ed25519 implementation.
Ed25519 is a Schnorr signature on a Twisted Edwards curve, defined by Dan Bernstein. For more information, see https://ed25519.cr.yp.to/
This module wraps our choice of Ed25519 backend, and provides a few convenience functions for checking and generating signatures. It also provides Tor-specific tools for key blinding and for converting Ed25519 keys to and from the corresponding Curve25519 keys.
int ed25519_checksig_prefixed | ( | const ed25519_signature_t * | signature, |
const uint8_t * | msg, | ||
size_t | msg_len, | ||
const char * | prefix_str, | ||
const ed25519_public_key_t * | pubkey | ||
) |
Like ed2519_checksig(), but also prefix msg with prefix_str before verifying signature. prefix_str must be a NUL-terminated string.
int ed25519_keypair_blind | ( | ed25519_keypair_t * | out, |
const ed25519_keypair_t * | inp, | ||
const uint8_t * | param | ||
) |
Given an ed25519 keypair in inp, generate a corresponding ed25519 keypair in out, blinded by the corresponding 32-byte input in 'param'.
Tor uses key blinding for the "next-generation" hidden services design: service descriptors are encrypted with a key derived from the service's long-term public key, and then signed with (and stored at a position indexed by) a short-term key derived by blinding the long-term keys.
Return 0 if blinding was successful, else return -1.
void ed25519_keypair_free_ | ( | ed25519_keypair_t * | kp | ) |
Release all storage held for kp.
int ed25519_keypair_from_curve25519_keypair | ( | ed25519_keypair_t * | out, |
int * | signbit_out, | ||
const curve25519_keypair_t * | inp | ||
) |
Given a curve25519 keypair in inp, generate a corresponding ed25519 keypair in out, and set signbit_out to the sign bit of the X coordinate of the ed25519 key.
NOTE THAT IT IS PROBABLY NOT SAFE TO USE THE GENERATED KEY FOR ANYTHING OUTSIDE OF WHAT'S PRESENTED IN PROPOSAL 228. In particular, it's probably not a great idea to use it to sign attacker-supplied anything.
int ed25519_keypair_generate | ( | ed25519_keypair_t * | keypair_out, |
int | extra_strong | ||
) |
Generate a new ed25519 keypair in keypair_out. If extra_strong is set, try to mix some system entropy into the key generation process. Return 0 on success, -1 on failure.
void ed25519_pubkey_copy | ( | ed25519_public_key_t * | dest, |
const ed25519_public_key_t * | src | ||
) |
Set dest to contain the same key as src.
int ed25519_pubkey_eq | ( | const ed25519_public_key_t * | key1, |
const ed25519_public_key_t * | key2 | ||
) |
Return true iff key1 and key2 are the same public key.
int ed25519_pubkey_read_from_file | ( | ed25519_public_key_t * | pubkey_out, |
char ** | tag_out, | ||
const char * | filename | ||
) |
Store pubkey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.
int ed25519_pubkey_write_to_file | ( | const ed25519_public_key_t * | pubkey, |
const char * | filename, | ||
const char * | tag | ||
) |
Store pubkey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.
int ed25519_public_blind | ( | ed25519_public_key_t * | out, |
const ed25519_public_key_t * | inp, | ||
const uint8_t * | param | ||
) |
Given an ed25519 public key in inp, generate a corresponding blinded public key in out, blinded with the 32-byte parameter in param. Return 0 on success, -1 on railure.
int ed25519_public_key_from_curve25519_public_key | ( | ed25519_public_key_t * | pubkey, |
const curve25519_public_key_t * | pubkey_in, | ||
int | signbit | ||
) |
Given a curve25519 public key and sign bit of X coordinate of the ed25519 public key, generate the corresponding ed25519 public key.
int ed25519_public_key_generate | ( | ed25519_public_key_t * | pubkey_out, |
const ed25519_secret_key_t * | seckey | ||
) |
Given a secret key in seckey, expand it into an ed25519 public key. Return 0 on success, -1 on failure.
int ed25519_public_key_is_zero | ( | const ed25519_public_key_t * | pubkey | ) |
Return true iff 'pubkey' is set to zero (eg to indicate that it is not set).
int ed25519_seckey_read_from_file | ( | ed25519_secret_key_t * | seckey_out, |
char ** | tag_out, | ||
const char * | filename | ||
) |
Read seckey unencrypted from filename, storing it into seckey_out. Set *tag_out to the tag it was marked with. Return 0 on success, -1 on failure.
int ed25519_seckey_write_to_file | ( | const ed25519_secret_key_t * | seckey, |
const char * | filename, | ||
const char * | tag | ||
) |
Store seckey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.
int ed25519_secret_key_from_seed | ( | ed25519_secret_key_t * | seckey_out, |
const uint8_t * | seed | ||
) |
Given a 32-byte random seed in seed, expand it into an ed25519 secret key in seckey_out. Return 0 on success, -1 on failure.
int ed25519_secret_key_generate | ( | ed25519_secret_key_t * | seckey_out, |
int | extra_strong | ||
) |
Initialize a new ed25519 secret key in seckey_out. If extra_strong, take the RNG inputs directly from the operating system. Return 0 on success, -1 on failure.
void ed25519_set_impl_params | ( | int | use_donna | ) |
Force the Ed25519 implementation to a given one, without sanity checking the output. Used for testing.
int ed25519_sign | ( | ed25519_signature_t * | signature_out, |
const uint8_t * | msg, | ||
size_t | len, | ||
const ed25519_keypair_t * | keypair | ||
) |
Set signature_out to a signature of the len-byte message msg, using the secret and public key in keypair.
Return 0 if we successfully signed the message, otherwise return -1.
int ed25519_validate_pubkey | ( | const ed25519_public_key_t * | pubkey | ) |
Validate pubkey to ensure that it has no torsion component. Return 0 if pubkey is valid, else return -1.
MOCK_IMPL | ( | int | , |
ed25519_sign_prefixed | , | ||
(ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair) | |||
) |
Like ed25519_sign(), but also prefix msg with prefix_str before signing. prefix_str must be a NUL-terminated string.
MOCK_IMPL | ( | int | , |
ed25519_checksig | , | ||
(const ed25519_signature_t *signature, const uint8_t *msg, size_t len, const ed25519_public_key_t *pubkey) | |||
) |
Check whether if signature is a valid signature for the len-byte message in msg made with the key pubkey.
Return 0 if the signature is valid; -1 if it isn't.
MOCK_IMPL | ( | int | , |
ed25519_checksig_batch | , | ||
(int *okay_out, const ed25519_checkable_t *checkable, int n_checkable) | |||
) |
Validate every signature among those in checkable, which contains exactly n_checkable elements. If okay_out is non-NULL, set the i'th element of okay_out to 1 if the i'th element of checkable is valid, and to 0 otherwise. Return 0 if every signature was valid. Otherwise return -N, where N is the number of invalid signatures.
MOCK_IMPL | ( | STATIC | int, |
ed25519_impl_spot_check | , | ||
(void) | |||
) |
Check whether the given Ed25519 implementation seems to be working. If so, return 0; otherwise return -1.