1 /* Copyright (c) 2012-2021, The Tor Project, Inc. */ 2 /* See LICENSE for licensing information */ 3 4 /** 5 * \file crypto_ed25519.h 6 * \brief Header for crypto_ed25519.c 7 **/ 8 9 #ifndef TOR_CRYPTO_ED25519_H 10 #define TOR_CRYPTO_ED25519_H 11 12 #include "lib/testsupport/testsupport.h" 13 #include "lib/cc/torint.h" 14 #include "lib/crypt_ops/crypto_curve25519.h" 15 #include "lib/defs/x25519_sizes.h" 16 17 /** An Ed25519 signature. */ 18 typedef struct ed25519_signature_t { 19 uint8_t sig[ED25519_SIG_LEN]; 20 } ed25519_signature_t; 21 22 /** An Ed25519 public key */ 23 typedef struct ed25519_public_key_t { 24 uint8_t pubkey[ED25519_PUBKEY_LEN]; 25 } ed25519_public_key_t; 26 27 /** An Ed25519 secret key */ 28 typedef struct ed25519_secret_key_t { 29 /** Note that we store secret keys in an expanded format that doesn't match 30 * the format from standard ed25519. Ed25519 stores a 32-byte value k and 31 * expands it into a 64-byte H(k), using the first 32 bytes for a multiplier 32 * of the base point, and second 32 bytes as an input to a hash function 33 * for deriving r. But because we implement key blinding, we need to store 34 * keys in the 64-byte expanded form. */ 35 uint8_t seckey[ED25519_SECKEY_LEN]; 36 } ed25519_secret_key_t; 37 38 /** An Ed25519 keypair. */ 39 typedef struct ed25519_keypair_t { 40 ed25519_public_key_t pubkey; 41 ed25519_secret_key_t seckey; 42 } ed25519_keypair_t; 43 44 int ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out, 45 int extra_strong); 46 int ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out, 47 const uint8_t *seed); 48 49 int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out, 50 const ed25519_secret_key_t *seckey); 51 int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong); 52 int ed25519_sign(ed25519_signature_t *signature_out, 53 const uint8_t *msg, size_t len, 54 const ed25519_keypair_t *key); 55 MOCK_DECL(int,ed25519_checksig,(const ed25519_signature_t *signature, 56 const uint8_t *msg, size_t len, 57 const ed25519_public_key_t *pubkey)); 58 59 MOCK_DECL(int, 60 ed25519_sign_prefixed,(ed25519_signature_t *signature_out, 61 const uint8_t *msg, size_t len, 62 const char *prefix_str, 63 const ed25519_keypair_t *keypair)); 64 65 int 66 ed25519_checksig_prefixed(const ed25519_signature_t *signature, 67 const uint8_t *msg, size_t len, 68 const char *prefix_str, 69 const ed25519_public_key_t *pubkey); 70 71 int ed25519_public_key_is_zero(const ed25519_public_key_t *pubkey); 72 73 /** 74 * A collection of information necessary to check an Ed25519 signature. Used 75 * for batch verification. 76 */ 77 typedef struct { 78 /** The public key that supposedly generated the signature. */ 79 const ed25519_public_key_t *pubkey; 80 /** The signature to check. */ 81 ed25519_signature_t signature; 82 /** The message that the signature is supposed to have been applied to. */ 83 const uint8_t *msg; 84 /** The length of the message. */ 85 size_t len; 86 } ed25519_checkable_t; 87 88 MOCK_DECL(int, ed25519_checksig_batch,(int *okay_out, 89 const ed25519_checkable_t *checkable, 90 int n_checkable)); 91 92 int ed25519_keypair_from_curve25519_keypair(ed25519_keypair_t *out, 93 int *signbit_out, 94 const curve25519_keypair_t *inp); 95 96 int ed25519_public_key_from_curve25519_public_key(ed25519_public_key_t *pubkey, 97 const curve25519_public_key_t *pubkey_in, 98 int signbit); 99 int ed25519_keypair_blind(ed25519_keypair_t *out, 100 const ed25519_keypair_t *inp, 101 const uint8_t *param); 102 int ed25519_public_blind(ed25519_public_key_t *out, 103 const ed25519_public_key_t *inp, 104 const uint8_t *param); 105 106 /* XXXX read encrypted, write encrypted. */ 107 108 int ed25519_seckey_write_to_file(const ed25519_secret_key_t *seckey, 109 const char *filename, 110 const char *tag); 111 int ed25519_seckey_read_from_file(ed25519_secret_key_t *seckey_out, 112 char **tag_out, 113 const char *filename); 114 int ed25519_pubkey_write_to_file(const ed25519_public_key_t *pubkey, 115 const char *filename, 116 const char *tag); 117 int ed25519_pubkey_read_from_file(ed25519_public_key_t *pubkey_out, 118 char **tag_out, 119 const char *filename); 120 121 void ed25519_keypair_free_(ed25519_keypair_t *kp); 122 #define ed25519_keypair_free(kp) \ 123 FREE_AND_NULL(ed25519_keypair_t, ed25519_keypair_free_, (kp)) 124 125 int ed25519_pubkey_eq(const ed25519_public_key_t *key1, 126 const ed25519_public_key_t *key2); 127 void ed25519_pubkey_copy(ed25519_public_key_t *dest, 128 const ed25519_public_key_t *src); 129 130 void ed25519_set_impl_params(int use_donna); 131 void ed25519_init(void); 132 133 int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey); 134 135 #ifdef TOR_UNIT_TESTS 136 void crypto_ed25519_testing_force_impl(const char *name); 137 void crypto_ed25519_testing_restore_impl(void); 138 #endif 139 140 #ifdef CRYPTO_ED25519_PRIVATE 141 MOCK_DECL(STATIC int, ed25519_impl_spot_check, (void)); 142 #endif 143 144 #endif /* !defined(TOR_CRYPTO_ED25519_H) */ 145