Add crypto_core_curve25519_is_valid_point()

2017-11-18 17:48:56 +01:00 · 2017-11-18 17:48:56 +01:00 · 2a031b95ff
commit 2a031b95ff
parent 933b3e8ec1
5 changed files with 243 additions and 0 deletions
--- a/src/libsodium/Makefile.am
+++ b/src/libsodium/Makefile.am
@ -164,6 +164,7 @@ if !MINIMAL
 libsodium_la_SOURCES += \
 	crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c \
 	crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c \
+	crypto_core/curve25519/core_curve25519.c \
 	crypto_core/ed25519/core_ed25519.c \
 	crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c \
 	crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h \
--- a/src/libsodium/crypto_core/curve25519/core_curve25519.c
+++ b/src/libsodium/crypto_core/curve25519/core_curve25519.c
@ -0,0 +1,222 @@
+
+#include <stdio.h>
+
+#include "crypto_core_curve25519.h"
+#include "crypto_core_ed25519.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "export.h"
+#include "private/common.h"
+#include "private/ed25519_ref10.h"
+
+#ifdef HAVE_TI_MODE
+# include "../ed25519/ref10/fe_51/constants.h"
+#else
+# include "../ed25519/ref10/fe_25_5/constants.h"
+#endif
+
+static int
+is_canonical(const unsigned char *s)
+{
+    unsigned char c;
+    unsigned char d;
+    unsigned int  i;
+
+    c = s[31] ^ 0x7f;
+    for (i = 30; i > 0; i--) {
+        c |= s[i] ^ 0xff;
+    }
+    c = (((unsigned int) c) - 1U) >> 8;
+    d = (0xed - 1U - (unsigned int) s[0]) >> 8;
+
+    return 1 - (c & d & 1);
+}
+
+static int
+has_small_order(const unsigned char s[32])
+{
+    CRYPTO_ALIGN(16)
+    static const unsigned char blacklist[][32] = {
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+        { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+        { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
+        { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
+        { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+        { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+        { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+        { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
+        { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
+        { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+        { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+        { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
+    };
+    unsigned char c[12] = { 0 };
+    unsigned int  k;
+    size_t        i, j;
+
+    COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]);
+    for (j = 0; j < 32; j++) {
+        for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
+            c[i] |= s[j] ^ blacklist[i][j];
+        }
+    }
+    k = 0;
+    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
+        k |= (c[i] - 1);
+    }
+    return (int) ((k >> 8) & 1);
+}
+
+static void
+fe25519_pow22523(fe25519 out, const fe25519 z)
+{
+    fe25519 t0;
+    fe25519 t1;
+    fe25519 t2;
+    int     i;
+
+    fe25519_sq(t0, z);
+    fe25519_sq(t1, t0);
+    fe25519_sq(t1, t1);
+    fe25519_mul(t1, z, t1);
+    fe25519_mul(t0, t0, t1);
+    fe25519_sq(t0, t0);
+    fe25519_mul(t0, t1, t0);
+    fe25519_sq(t1, t0);
+    for (i = 1; i < 5; ++i) {
+        fe25519_sq(t1, t1);
+    }
+    fe25519_mul(t0, t1, t0);
+    fe25519_sq(t1, t0);
+    for (i = 1; i < 10; ++i) {
+        fe25519_sq(t1, t1);
+    }
+    fe25519_mul(t1, t1, t0);
+    fe25519_sq(t2, t1);
+    for (i = 1; i < 20; ++i) {
+        fe25519_sq(t2, t2);
+    }
+    fe25519_mul(t1, t2, t1);
+    fe25519_sq(t1, t1);
+    for (i = 1; i < 10; ++i) {
+        fe25519_sq(t1, t1);
+    }
+    fe25519_mul(t0, t1, t0);
+    fe25519_sq(t1, t0);
+    for (i = 1; i < 50; ++i) {
+        fe25519_sq(t1, t1);
+    }
+    fe25519_mul(t1, t1, t0);
+    fe25519_sq(t2, t1);
+    for (i = 1; i < 100; ++i) {
+        fe25519_sq(t2, t2);
+    }
+    fe25519_mul(t1, t2, t1);
+    fe25519_sq(t1, t1);
+    for (i = 1; i < 50; ++i) {
+        fe25519_sq(t1, t1);
+    }
+    fe25519_mul(t0, t1, t0);
+    fe25519_sq(t0, t0);
+    fe25519_sq(t0, t0);
+    fe25519_mul(out, t0, z);
+}
+
+static int
+is_on_main_subgroup(const fe25519 x1)
+{
+    static const unsigned char L[32] = {
+        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
+        0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+    };
+    fe25519      x2;
+    fe25519      z2;
+    fe25519      x3;
+    fe25519      z3;
+    fe25519      tmp0;
+    fe25519      tmp1;
+    int          pos;
+    unsigned int swap;
+    unsigned int b;
+
+    fe25519_1(x2);
+    fe25519_0(z2);
+    fe25519_copy(x3, x1);
+    fe25519_1(z3);
+    swap = 0;
+    for (pos = 252; pos >= 0; --pos) {
+        b = L[pos / 8] >> (pos & 7);
+        b &= 1;
+        swap ^= b;
+        fe25519_cswap(x2, x3, swap);
+        fe25519_cswap(z2, z3, swap);
+        swap = b;
+        fe25519_sub(tmp0, x3, z3);
+        fe25519_sub(tmp1, x2, z2);
+        fe25519_add(x2, x2, z2);
+        fe25519_add(z2, x3, z3);
+        fe25519_mul(z3, tmp0, x2);
+        fe25519_mul(z2, z2, tmp1);
+        fe25519_sq(tmp0, tmp1);
+        fe25519_sq(tmp1, x2);
+        fe25519_add(x3, z3, z2);
+        fe25519_sub(z2, z3, z2);
+        fe25519_mul(x2, tmp1, tmp0);
+        fe25519_sub(tmp1, tmp1, tmp0);
+        fe25519_sq(z2, z2);
+        fe25519_scalar_product(z3, tmp1, 121666);
+        fe25519_sq(x3, x3);
+        fe25519_add(tmp0, tmp0, z3);
+        fe25519_mul(z3, x1, z2);
+        fe25519_mul(z2, tmp1, tmp0);
+    }
+    fe25519_cswap(x2, x3, swap);
+    fe25519_cswap(z2, z3, swap);
+
+    fe25519_invert(z2, z2);
+    fe25519_mul(x2, x2, z2);
+
+    return fe25519_iszero(x2);
+}
+
+int
+crypto_core_curve25519_is_valid_point(const unsigned char *p)
+{
+    fe25519 t;
+    fe25519 x;
+    fe25519 x2;
+    fe25519 Ax;
+    fe25519 one;
+    fe25519 x2_Ax_1;
+    fe25519 y2;
+
+    if (is_canonical(p) == 0 || has_small_order(p) != 0) {
+        return 0;
+    }
+    /* y2 = x3 + Ax2 + x = x(x2 + Ax + 1) */
+    fe25519_frombytes(x, p);
+    fe25519_sq(x2, x);
+    fe25519_mul(Ax, curve25519_A, x);
+    fe25519_1(one);
+    fe25519_add(x2_Ax_1, x2, Ax);
+    fe25519_add(x2_Ax_1, x2_Ax_1, one);
+    fe25519_mul(y2, x, x2_Ax_1);
+
+    /* Legendre symbol */
+    fe25519_pow22523(t, y2);
+    fe25519_sq(t, t);
+    fe25519_sq(t, t);
+    fe25519_mul(t, t, y2);
+    fe25519_mul(t, t, y2);
+
+    /* No roots if the legendre symbol is not 1 */
+    if (fe25519_isnegative(t) == 0) {
+        return 0;
+    }
+
+    /* Multiply by the group order, check that the result is the point at infinity */
+    if (is_on_main_subgroup(x) == 0) {
+        return 0;
+    }
+    return 1;
+}
--- a/src/libsodium/include/Makefile.am
+++ b/src/libsodium/include/Makefile.am
@ -12,6 +12,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
+	sodium/crypto_core_curve25519.h \
 	sodium/crypto_core_ed25519.h \
 	sodium/crypto_core_hchacha20.h \
 	sodium/crypto_core_hsalsa20.h \
--- a/src/libsodium/include/sodium.h
+++ b/src/libsodium/include/sodium.h
@ -58,6 +58,7 @@

 #ifndef SODIUM_LIBRARY_MINIMAL
 # include "sodium/crypto_box_curve25519xchacha20poly1305.h"
+# include "sodium/crypto_core_curve25519.h"
 # include "sodium/crypto_core_ed25519.h"
 # include "sodium/crypto_scalarmult_ed25519.h"
 # include "sodium/crypto_secretbox_xchacha20poly1305.h"
--- a/src/libsodium/include/sodium/crypto_core_curve25519.h
+++ b/src/libsodium/include/sodium/crypto_core_curve25519.h
@ -0,0 +1,18 @@
+#ifndef crypto_core_curve25519_H
+#define crypto_core_curve25519_H
+
+#include <stddef.h>
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+int crypto_core_curve25519_is_valid_point(const unsigned char *p);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif