From 2a031b95ff6efb61ecf1aad52792f05eddfe9688 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sat, 18 Nov 2017 17:48:56 +0100 Subject: [PATCH] Add crypto_core_curve25519_is_valid_point() --- src/libsodium/Makefile.am | 1 + .../crypto_core/curve25519/core_curve25519.c | 222 ++++++++++++++++++ src/libsodium/include/Makefile.am | 1 + src/libsodium/include/sodium.h | 1 + .../include/sodium/crypto_core_curve25519.h | 18 ++ 5 files changed, 243 insertions(+) create mode 100644 src/libsodium/crypto_core/curve25519/core_curve25519.c create mode 100644 src/libsodium/include/sodium/crypto_core_curve25519.h diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 5d726545..eaea532d 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -164,6 +164,7 @@ if !MINIMAL libsodium_la_SOURCES += \ crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c \ crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c \ + crypto_core/curve25519/core_curve25519.c \ crypto_core/ed25519/core_ed25519.c \ crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c \ crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h \ diff --git a/src/libsodium/crypto_core/curve25519/core_curve25519.c b/src/libsodium/crypto_core/curve25519/core_curve25519.c new file mode 100644 index 00000000..40a3cca4 --- /dev/null +++ b/src/libsodium/crypto_core/curve25519/core_curve25519.c @@ -0,0 +1,222 @@ + +#include + +#include "crypto_core_curve25519.h" +#include "crypto_core_ed25519.h" +#include "crypto_scalarmult_curve25519.h" +#include "export.h" +#include "private/common.h" +#include "private/ed25519_ref10.h" + +#ifdef HAVE_TI_MODE +# include "../ed25519/ref10/fe_51/constants.h" +#else +# include "../ed25519/ref10/fe_25_5/constants.h" +#endif + +static int +is_canonical(const unsigned char *s) +{ + unsigned char c; + unsigned char d; + unsigned int i; + + c = s[31] ^ 0x7f; + for (i = 30; i > 0; i--) { + c |= s[i] ^ 0xff; + } + c = (((unsigned int) c) - 1U) >> 8; + d = (0xed - 1U - (unsigned int) s[0]) >> 8; + + return 1 - (c & d & 1); +} + +static int +has_small_order(const unsigned char s[32]) +{ + CRYPTO_ALIGN(16) + static const unsigned char blacklist[][32] = { + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 }, + { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 }, + { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 }, + { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 }, + { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, + { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, + { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } + }; + unsigned char c[12] = { 0 }; + unsigned int k; + size_t i, j; + + COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]); + for (j = 0; j < 32; j++) { + for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { + c[i] |= s[j] ^ blacklist[i][j]; + } + } + k = 0; + for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { + k |= (c[i] - 1); + } + return (int) ((k >> 8) & 1); +} + +static void +fe25519_pow22523(fe25519 out, const fe25519 z) +{ + fe25519 t0; + fe25519 t1; + fe25519 t2; + int i; + + fe25519_sq(t0, z); + fe25519_sq(t1, t0); + fe25519_sq(t1, t1); + fe25519_mul(t1, z, t1); + fe25519_mul(t0, t0, t1); + fe25519_sq(t0, t0); + fe25519_mul(t0, t1, t0); + fe25519_sq(t1, t0); + for (i = 1; i < 5; ++i) { + fe25519_sq(t1, t1); + } + fe25519_mul(t0, t1, t0); + fe25519_sq(t1, t0); + for (i = 1; i < 10; ++i) { + fe25519_sq(t1, t1); + } + fe25519_mul(t1, t1, t0); + fe25519_sq(t2, t1); + for (i = 1; i < 20; ++i) { + fe25519_sq(t2, t2); + } + fe25519_mul(t1, t2, t1); + fe25519_sq(t1, t1); + for (i = 1; i < 10; ++i) { + fe25519_sq(t1, t1); + } + fe25519_mul(t0, t1, t0); + fe25519_sq(t1, t0); + for (i = 1; i < 50; ++i) { + fe25519_sq(t1, t1); + } + fe25519_mul(t1, t1, t0); + fe25519_sq(t2, t1); + for (i = 1; i < 100; ++i) { + fe25519_sq(t2, t2); + } + fe25519_mul(t1, t2, t1); + fe25519_sq(t1, t1); + for (i = 1; i < 50; ++i) { + fe25519_sq(t1, t1); + } + fe25519_mul(t0, t1, t0); + fe25519_sq(t0, t0); + fe25519_sq(t0, t0); + fe25519_mul(out, t0, z); +} + +static int +is_on_main_subgroup(const fe25519 x1) +{ + static const unsigned char L[32] = { + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, + 0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 + }; + fe25519 x2; + fe25519 z2; + fe25519 x3; + fe25519 z3; + fe25519 tmp0; + fe25519 tmp1; + int pos; + unsigned int swap; + unsigned int b; + + fe25519_1(x2); + fe25519_0(z2); + fe25519_copy(x3, x1); + fe25519_1(z3); + swap = 0; + for (pos = 252; pos >= 0; --pos) { + b = L[pos / 8] >> (pos & 7); + b &= 1; + swap ^= b; + fe25519_cswap(x2, x3, swap); + fe25519_cswap(z2, z3, swap); + swap = b; + fe25519_sub(tmp0, x3, z3); + fe25519_sub(tmp1, x2, z2); + fe25519_add(x2, x2, z2); + fe25519_add(z2, x3, z3); + fe25519_mul(z3, tmp0, x2); + fe25519_mul(z2, z2, tmp1); + fe25519_sq(tmp0, tmp1); + fe25519_sq(tmp1, x2); + fe25519_add(x3, z3, z2); + fe25519_sub(z2, z3, z2); + fe25519_mul(x2, tmp1, tmp0); + fe25519_sub(tmp1, tmp1, tmp0); + fe25519_sq(z2, z2); + fe25519_scalar_product(z3, tmp1, 121666); + fe25519_sq(x3, x3); + fe25519_add(tmp0, tmp0, z3); + fe25519_mul(z3, x1, z2); + fe25519_mul(z2, tmp1, tmp0); + } + fe25519_cswap(x2, x3, swap); + fe25519_cswap(z2, z3, swap); + + fe25519_invert(z2, z2); + fe25519_mul(x2, x2, z2); + + return fe25519_iszero(x2); +} + +int +crypto_core_curve25519_is_valid_point(const unsigned char *p) +{ + fe25519 t; + fe25519 x; + fe25519 x2; + fe25519 Ax; + fe25519 one; + fe25519 x2_Ax_1; + fe25519 y2; + + if (is_canonical(p) == 0 || has_small_order(p) != 0) { + return 0; + } + /* y2 = x3 + Ax2 + x = x(x2 + Ax + 1) */ + fe25519_frombytes(x, p); + fe25519_sq(x2, x); + fe25519_mul(Ax, curve25519_A, x); + fe25519_1(one); + fe25519_add(x2_Ax_1, x2, Ax); + fe25519_add(x2_Ax_1, x2_Ax_1, one); + fe25519_mul(y2, x, x2_Ax_1); + + /* Legendre symbol */ + fe25519_pow22523(t, y2); + fe25519_sq(t, t); + fe25519_sq(t, t); + fe25519_mul(t, t, y2); + fe25519_mul(t, t, y2); + + /* No roots if the legendre symbol is not 1 */ + if (fe25519_isnegative(t) == 0) { + return 0; + } + + /* Multiply by the group order, check that the result is the point at infinity */ + if (is_on_main_subgroup(x) == 0) { + return 0; + } + return 1; +} diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index b70c22b3..41f16f9d 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -12,6 +12,7 @@ SODIUM_EXPORT = \ sodium/crypto_box.h \ sodium/crypto_box_curve25519xchacha20poly1305.h \ sodium/crypto_box_curve25519xsalsa20poly1305.h \ + sodium/crypto_core_curve25519.h \ sodium/crypto_core_ed25519.h \ sodium/crypto_core_hchacha20.h \ sodium/crypto_core_hsalsa20.h \ diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h index e7b1af46..db569f7f 100644 --- a/src/libsodium/include/sodium.h +++ b/src/libsodium/include/sodium.h @@ -58,6 +58,7 @@ #ifndef SODIUM_LIBRARY_MINIMAL # include "sodium/crypto_box_curve25519xchacha20poly1305.h" +# include "sodium/crypto_core_curve25519.h" # include "sodium/crypto_core_ed25519.h" # include "sodium/crypto_scalarmult_ed25519.h" # include "sodium/crypto_secretbox_xchacha20poly1305.h" diff --git a/src/libsodium/include/sodium/crypto_core_curve25519.h b/src/libsodium/include/sodium/crypto_core_curve25519.h new file mode 100644 index 00000000..b0ee2795 --- /dev/null +++ b/src/libsodium/include/sodium/crypto_core_curve25519.h @@ -0,0 +1,18 @@ +#ifndef crypto_core_curve25519_H +#define crypto_core_curve25519_H + +#include +#include "export.h" + +#ifdef __cplusplus +extern "C" { +#endif + +SODIUM_EXPORT +int crypto_core_curve25519_is_valid_point(const unsigned char *p); + +#ifdef __cplusplus +} +#endif + +#endif