1 /* Copyright (c) 2012-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3 
4 /**
5  * \file crypto_ed25519.h
6  * \brief Header for crypto_ed25519.c
7  **/
8 
9 #ifndef TOR_CRYPTO_ED25519_H
10 #define TOR_CRYPTO_ED25519_H
11 
12 #include "lib/testsupport/testsupport.h"
13 #include "lib/cc/torint.h"
14 #include "lib/crypt_ops/crypto_curve25519.h"
15 #include "lib/defs/x25519_sizes.h"
16 
17 /** An Ed25519 signature. */
18 typedef struct ed25519_signature_t {
19   uint8_t sig[ED25519_SIG_LEN];
20 } ed25519_signature_t;
21 
22 /** An Ed25519 public key */
23 typedef struct ed25519_public_key_t {
24   uint8_t pubkey[ED25519_PUBKEY_LEN];
25 } ed25519_public_key_t;
26 
27 /** An Ed25519 secret key */
28 typedef struct ed25519_secret_key_t {
29   /** Note that we store secret keys in an expanded format that doesn't match
30    * the format from standard ed25519.  Ed25519 stores a 32-byte value k and
31    * expands it into a 64-byte H(k), using the first 32 bytes for a multiplier
32    * of the base point, and second 32 bytes as an input to a hash function
33    * for deriving r.  But because we implement key blinding, we need to store
34    * keys in the 64-byte expanded form. */
35   uint8_t seckey[ED25519_SECKEY_LEN];
36 } ed25519_secret_key_t;
37 
38 /** An Ed25519 keypair. */
39 typedef struct ed25519_keypair_t {
40   ed25519_public_key_t pubkey;
41   ed25519_secret_key_t seckey;
42 } ed25519_keypair_t;
43 
44 int ed25519_secret_key_generate(ed25519_secret_key_t *seckey_out,
45                             int extra_strong);
46 int ed25519_secret_key_from_seed(ed25519_secret_key_t *seckey_out,
47                                  const uint8_t *seed);
48 
49 int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out,
50                             const ed25519_secret_key_t *seckey);
51 int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong);
52 int ed25519_sign(ed25519_signature_t *signature_out,
53                  const uint8_t *msg, size_t len,
54                  const ed25519_keypair_t *key);
55 MOCK_DECL(int,ed25519_checksig,(const ed25519_signature_t *signature,
56                                 const uint8_t *msg, size_t len,
57                                 const ed25519_public_key_t *pubkey));
58 
59 MOCK_DECL(int,
60 ed25519_sign_prefixed,(ed25519_signature_t *signature_out,
61                        const uint8_t *msg, size_t len,
62                        const char *prefix_str,
63                        const ed25519_keypair_t *keypair));
64 
65 int
66 ed25519_checksig_prefixed(const ed25519_signature_t *signature,
67                           const uint8_t *msg, size_t len,
68                           const char *prefix_str,
69                           const ed25519_public_key_t *pubkey);
70 
71 int ed25519_public_key_is_zero(const ed25519_public_key_t *pubkey);
72 
73 /**
74  * A collection of information necessary to check an Ed25519 signature. Used
75  * for batch verification.
76  */
77 typedef struct {
78   /** The public key that supposedly generated the signature. */
79   const ed25519_public_key_t *pubkey;
80   /** The signature to check. */
81   ed25519_signature_t signature;
82   /** The message that the signature is supposed to have been applied to. */
83   const uint8_t *msg;
84   /** The length of the message. */
85   size_t len;
86 } ed25519_checkable_t;
87 
88 MOCK_DECL(int, ed25519_checksig_batch,(int *okay_out,
89                                        const ed25519_checkable_t *checkable,
90                                        int n_checkable));
91 
92 int ed25519_keypair_from_curve25519_keypair(ed25519_keypair_t *out,
93                                             int *signbit_out,
94                                             const curve25519_keypair_t *inp);
95 
96 int ed25519_public_key_from_curve25519_public_key(ed25519_public_key_t *pubkey,
97                                      const curve25519_public_key_t *pubkey_in,
98                                      int signbit);
99 int ed25519_keypair_blind(ed25519_keypair_t *out,
100                           const ed25519_keypair_t *inp,
101                           const uint8_t *param);
102 int ed25519_public_blind(ed25519_public_key_t *out,
103                          const ed25519_public_key_t *inp,
104                          const uint8_t *param);
105 
106 /* XXXX read encrypted, write encrypted. */
107 
108 int ed25519_seckey_write_to_file(const ed25519_secret_key_t *seckey,
109                                  const char *filename,
110                                  const char *tag);
111 int ed25519_seckey_read_from_file(ed25519_secret_key_t *seckey_out,
112                                   char **tag_out,
113                                   const char *filename);
114 int ed25519_pubkey_write_to_file(const ed25519_public_key_t *pubkey,
115                                  const char *filename,
116                                  const char *tag);
117 int ed25519_pubkey_read_from_file(ed25519_public_key_t *pubkey_out,
118                                   char **tag_out,
119                                   const char *filename);
120 
121 void ed25519_keypair_free_(ed25519_keypair_t *kp);
122 #define ed25519_keypair_free(kp) \
123   FREE_AND_NULL(ed25519_keypair_t, ed25519_keypair_free_, (kp))
124 
125 int ed25519_pubkey_eq(const ed25519_public_key_t *key1,
126                       const ed25519_public_key_t *key2);
127 void ed25519_pubkey_copy(ed25519_public_key_t *dest,
128                          const ed25519_public_key_t *src);
129 
130 void ed25519_set_impl_params(int use_donna);
131 void ed25519_init(void);
132 
133 int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey);
134 
135 #ifdef TOR_UNIT_TESTS
136 void crypto_ed25519_testing_force_impl(const char *name);
137 void crypto_ed25519_testing_restore_impl(void);
138 #endif
139 
140 #ifdef CRYPTO_ED25519_PRIVATE
141 MOCK_DECL(STATIC int, ed25519_impl_spot_check, (void));
142 #endif
143 
144 #endif /* !defined(TOR_CRYPTO_ED25519_H) */
145