jmg
/
ed448goldilocks
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

add EdDSA C prehash routines

master
Michael Hamburg 9 years ago
parent
28086a96d1
commit
2c605ea46e
13 changed files with 545 additions and 146 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +76
    -4
      src/GENERATED/c/curve25519/eddsa.c
  2. +76
    -4
      src/GENERATED/c/ed448goldilocks/eddsa.c
  3. +76
    -1
      src/GENERATED/include/decaf/ed255.h
  4. +17
    -31
      src/GENERATED/include/decaf/ed255.hxx
  5. +76
    -1
      src/GENERATED/include/decaf/ed448.h
  6. +17
    -31
      src/GENERATED/include/decaf/ed448.hxx
  7. +7
    -7
      src/GENERATED/include/decaf/sha512.hxx
  8. +12
    -12
      src/GENERATED/include/decaf/shake.hxx
  9. +76
    -4
      src/per_curve/eddsa.tmpl.c
  10. +76
    -1
      src/per_curve/eddsa.tmpl.h
  11. +17
    -31
      src/per_curve/eddsa.tmpl.hxx
  12. +7
    -7
      src/public_include/decaf/sha512.hxx
  13. +12
    -12
      src/public_include/decaf/shake.hxx

+ 76
- 4
src/GENERATED/c/curve25519/eddsa.c View File

@@ -56,6 +56,7 @@ static void clamp (
static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
) {
@@ -63,12 +64,13 @@ static void hash_init_with_dom(
#if SUPPORTS_CONTEXTS
const char *dom_s = "";
const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
@@ -76,6 +78,20 @@ static void hash_init_with_dom(
#endif
}

void decaf_ed25519_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
}

void decaf_ed25519_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES]
@@ -149,7 +165,7 @@ void decaf_ed25519_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -183,7 +199,7 @@ void decaf_ed25519_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -207,6 +223,33 @@ void decaf_ed25519_sign (
}


void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed25519_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed25519_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif
decaf_bzero(hash_output,sizeof(hash_output));
}

decaf_error_t decaf_ed25519_verify (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
@@ -233,7 +276,7 @@ decaf_error_t decaf_ed25519_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_25519_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -265,3 +308,32 @@ decaf_error_t decaf_ed25519_verify (
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}


decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed25519_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed25519_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
return ret;
}

+ 76
- 4
src/GENERATED/c/ed448goldilocks/eddsa.c View File

@@ -56,6 +56,7 @@ static void clamp (
static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
) {
@@ -63,12 +64,13 @@ static void hash_init_with_dom(
#if SUPPORTS_CONTEXTS
const char *dom_s = "SigEd448";
const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
@@ -76,6 +78,20 @@ static void hash_init_with_dom(
#endif
}

void decaf_ed448_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
}

void decaf_ed448_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES]
@@ -149,7 +165,7 @@ void decaf_ed448_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -183,7 +199,7 @@ void decaf_ed448_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -207,6 +223,33 @@ void decaf_ed448_sign (
}


void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif
decaf_bzero(hash_output,sizeof(hash_output));
}

decaf_error_t decaf_ed448_verify (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
@@ -233,7 +276,7 @@ decaf_error_t decaf_ed448_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_448_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -265,3 +308,32 @@ decaf_error_t decaf_ed448_verify (
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}


decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed448_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
return ret;
}

+ 76
- 1
src/GENERATED/include/decaf/ed255.h View File

@@ -16,6 +16,8 @@
#define __DECAF_ED255_H__ 1

#include <decaf/decaf_255.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>

#ifdef __cplusplus
extern "C" {
@@ -32,6 +34,12 @@ extern "C" {

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_25519_SUPPORTS_CONTEXTS 0
/** Prehash context renaming macros. */
#define decaf_ed25519_prehash_ctx_s decaf_sha512_ctx_s
#define decaf_ed25519_prehash_ctx_t decaf_sha512_ctx_t
#define decaf_ed25519_prehash_update decaf_sha512_update
#define decaf_ed25519_prehash_destroy decaf_sha512_destroy

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
@@ -75,6 +83,48 @@ void decaf_ed25519_sign (
#endif
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
* @brief EdDSA signing with prehash.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed25519_sign_prehash (
uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_25519_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed25519_prehash_init (
decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
* @brief EdDSA signature verification.
*
@@ -105,7 +155,32 @@ decaf_error_t decaf_ed25519_verify (
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;


/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed25519_verify_prehash (
const uint8_t signature[DECAF_EDDSA_25519_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_25519_PUBLIC_BYTES],
const decaf_ed25519_prehash_ctx_t hash
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
* @brief EdDSA point encoding. Used internally, exposed externally.


+ 17
- 31
src/GENERATED/include/decaf/ed255.hxx View File

@@ -79,14 +79,12 @@ private:
) {
throw LengthException();
}
if (SUPPORTS_CONTEXTS) {
const char pfx[] = "";
uint8_t dom[2] = {2, (uint8_t)context_.size() };
update((const unsigned char*)pfx,strlen(pfx));
update(dom,2);
update(context_);
}

#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
decaf_ed25519_prehash_init((decaf_sha512_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed25519_prehash_init(wrapped);
#endif
}
public:
@@ -122,17 +120,13 @@ template<class CRTP, Prehashed ph> class Signing;
template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/* Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp);
decaf_ed25519_sign (
decaf_ed25519_sign_prehash (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
tmp.data(),
tmp.size(),
1
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -324,19 +318,15 @@ public:

template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
return decaf_ed25519_verify (
return decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -344,19 +334,15 @@ public:
);
}
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_25519_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
if (DECAF_SUCCESS != decaf_ed25519_verify (
if (DECAF_SUCCESS != decaf_ed25519_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed25519_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_25519_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()


+ 76
- 1
src/GENERATED/include/decaf/ed448.h View File

@@ -16,6 +16,8 @@
#define __DECAF_ED448_H__ 1

#include <decaf/decaf_448.h>
#include <decaf/shake.h>
#include <decaf/sha512.h>

#ifdef __cplusplus
extern "C" {
@@ -32,6 +34,12 @@ extern "C" {

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_448_SUPPORTS_CONTEXTS 1
/** Prehash context renaming macros. */
#define decaf_ed448_prehash_ctx_s decaf_shake256_ctx_s
#define decaf_ed448_prehash_ctx_t decaf_shake256_ctx_t
#define decaf_ed448_prehash_update decaf_shake256_update
#define decaf_ed448_prehash_destroy decaf_shake256_destroy

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
@@ -75,6 +83,48 @@ void decaf_ed448_sign (
#endif
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
* @brief EdDSA signing with prehash.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed448_sign_prehash (
uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_448_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed448_prehash_init (
decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
* @brief EdDSA signature verification.
*
@@ -105,7 +155,32 @@ decaf_error_t decaf_ed448_verify (
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;


/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed448_verify_prehash (
const uint8_t signature[DECAF_EDDSA_448_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_448_PUBLIC_BYTES],
const decaf_ed448_prehash_ctx_t hash
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
* @brief EdDSA point encoding. Used internally, exposed externally.


+ 17
- 31
src/GENERATED/include/decaf/ed448.hxx View File

@@ -77,14 +77,12 @@ private:
) {
throw LengthException();
}
if (SUPPORTS_CONTEXTS) {
const char pfx[] = "SigEd448";
uint8_t dom[2] = {2, (uint8_t)context_.size() };
update((const unsigned char*)pfx,strlen(pfx));
update(dom,2);
update(context_);
}

#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
decaf_ed448_prehash_init((decaf_shake256_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed448_prehash_init(wrapped);
#endif
}
public:
@@ -120,17 +118,13 @@ template<class CRTP, Prehashed ph> class Signing;
template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/* Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp);
decaf_ed448_sign (
decaf_ed448_sign_prehash (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
tmp.data(),
tmp.size(),
1
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -324,19 +318,15 @@ public:

template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
return decaf_ed448_verify (
return decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -344,19 +334,15 @@ public:
);
}
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_448_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
if (DECAF_SUCCESS != decaf_ed448_verify (
if (DECAF_SUCCESS != decaf_ed448_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed448_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_448_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()


+ 7
- 7
src/GENERATED/include/decaf/sha512.hxx View File

@@ -30,7 +30,7 @@ class SHA512 {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_sha512_ctx_t sha;
decaf_sha512_ctx_t wrapped;

public:
@@ -44,10 +44,10 @@ public:
static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
/** Constructor */
inline SHA512() NOEXCEPT { decaf_sha512_init(sha); }
inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); }
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); }
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); }
@@ -61,17 +61,17 @@ public:
/** @brief Output bytes from the SHA context, and resets it. */
inline void final(Buffer b) throw(LengthException) {
if (b.size() > OUTPUT_BYTES) throw LengthException();
decaf_sha512_final(sha,b.data(),b.size());
decaf_sha512_final(wrapped,b.data(),b.size());
}
/** Resets the SHA context */
inline void reset() NOEXCEPT { decaf_sha512_init(sha); }
inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); }

/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) {
if (len > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(len);
decaf_sha512_final(sha,buffer.data(),len);
decaf_sha512_final(wrapped,buffer.data(),len);
return buffer;
}

@@ -93,7 +93,7 @@ public:
}

/** Destructor zeroizes state */
inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); }
inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); }
};
} /* namespace decaf */


+ 12
- 12
src/GENERATED/include/decaf/shake.hxx View File

@@ -35,18 +35,18 @@ class KeccakHash {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_keccak_sponge_t sp;
decaf_keccak_sponge_t wrapped;
/** Initialize from parameters */
inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); }
inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); }
/** @endcond */
public:
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); }
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); }
inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); }
/** Add more data, stream version. */
inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; }
@@ -58,7 +58,7 @@ public:
inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) {
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
@@ -68,7 +68,7 @@ public:
inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) {
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
@@ -78,7 +78,7 @@ public:
* output too many bytes from a SHA-3 instance.
*/
inline void output(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) {
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
@@ -87,19 +87,19 @@ public:
* LengthException if you've output too many bytes from a SHA3 instance.
*/
inline void final(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) {
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const NOEXCEPT {
return decaf_sponge_default_output_bytes(sp);
return decaf_sponge_default_output_bytes(wrapped);
}
/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const NOEXCEPT {
return decaf_sponge_max_output_bytes(sp);
return decaf_sponge_max_output_bytes(wrapped);
}
/** Output the default number of bytes. */
@@ -113,10 +113,10 @@ public:
}

/** Reset the hash to the empty string */
inline void reset() NOEXCEPT { decaf_sha3_reset(sp); }
inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); }
/** Destructor zeroizes state */
inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); }
inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); }
};

/** Fixed-output-length SHA3 */


+ 76
- 4
src/per_curve/eddsa.tmpl.c View File

@@ -47,6 +47,7 @@ static void clamp (
static void hash_init_with_dom(
hash_ctx_t hash,
uint8_t prehashed,
uint8_t for_prehash,
const uint8_t *context,
uint8_t context_len
) {
@@ -54,12 +55,13 @@ static void hash_init_with_dom(
#if SUPPORTS_CONTEXTS
const char *dom_s = "$(eddsa_dom)";
const uint8_t dom[2] = {1+word_is_zero(prehashed), context_len};
const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};
hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));
hash_update(hash,dom,2);
hash_update(hash,context,context_len);
#else
(void)prehashed;
(void)for_prehash;
(void)context;
assert(context==NULL);
(void)context_len;
@@ -67,6 +69,20 @@ static void hash_init_with_dom(
#endif
}

void decaf_ed$(gf_shortname)_prehash_init (
hash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
hash_init_with_dom(hash,1,1,context,context_len);
#else
hash_init_with_dom(hash,1,1,NULL,0);
#endif
}

void decaf_ed$(gf_shortname)_derive_public_key (
uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
@@ -140,7 +156,7 @@ void decaf_ed$(gf_shortname)_sign (
API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));
/* Hash to create the nonce */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,expanded.seed,sizeof(expanded.seed));
hash_update(hash,message,message_len);
decaf_bzero(&expanded, sizeof(expanded));
@@ -174,7 +190,7 @@ void decaf_ed$(gf_shortname)_sign (
API_NS(scalar_t) challenge_scalar;
{
/* Compute the challenge */
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,nonce_point,sizeof(nonce_point));
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -198,6 +214,33 @@ void decaf_ed$(gf_shortname)_sign (
}


void decaf_ed$(gf_shortname)_sign_prehash (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed$(gf_shortname)_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
decaf_ed$(gf_shortname)_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1);
#endif
decaf_bzero(hash_output,sizeof(hash_output));
}

decaf_error_t decaf_ed$(gf_shortname)_verify (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
@@ -224,7 +267,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
{
/* Compute the challenge */
hash_ctx_t hash;
hash_init_with_dom(hash,prehashed,context,context_len);
hash_init_with_dom(hash,prehashed,0,context,context_len);
hash_update(hash,signature,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,pubkey,DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES);
hash_update(hash,message,message_len);
@@ -256,3 +299,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
);
return decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));
}


decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) {
decaf_error_t ret;
uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */
{
decaf_ed$(gf_shortname)_prehash_ctx_t hash_too;
memcpy(hash_too,hash,sizeof(hash_too));
hash_final(hash_too,hash_output,sizeof(hash_output));
hash_destroy(hash_too);
}
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);
#else
ret = decaf_ed$(gf_shortname)_verify(signature,pubkey,hash_output,sizeof(hash_output),1);
#endif
return ret;
}

+ 76
- 1
src/per_curve/eddsa.tmpl.h View File

@@ -1,6 +1,8 @@
/** @brief A group of prime order p, based on $(iso_to). */

#include <decaf/decaf_$(gf_bits).h>
#include <decaf/shake.h>
#include <decaf/sha512.h>

#ifdef __cplusplus
extern "C" {
@@ -17,6 +19,12 @@ extern "C" {

/** Does EdDSA support contexts? */
#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS $(eddsa_supports_contexts)
/** Prehash context renaming macros. */
#define decaf_ed$(gf_shortname)_prehash_ctx_s decaf_$(eddsa_hash)_ctx_s
#define decaf_ed$(gf_shortname)_prehash_ctx_t decaf_$(eddsa_hash)_ctx_t
#define decaf_ed$(gf_shortname)_prehash_update decaf_$(eddsa_hash)_update
#define decaf_ed$(gf_shortname)_prehash_destroy decaf_$(eddsa_hash)_destroy

/**
* @brief EdDSA key generation. This function uses a different (non-Decaf)
@@ -60,6 +68,48 @@ void decaf_ed$(gf_shortname)_sign (
#endif
) API_VIS __attribute__((nonnull(1,2,3))) NOINLINE;

/**
* @brief EdDSA signing with prehash.
*
* @param [out] signature The signature.
* @param [in] privkey The private key.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
void decaf_ed$(gf_shortname)_sign_prehash (
uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2,3,4))) NOINLINE;
/**
* @brief Prehash initialization, with contexts if supported.
*
* @param [out] hash The hash object to be initialized.
* @param [in] context A "context" for this signature of up to 255 bytes.
* @param [in] context_len Length of the context.
*/
void decaf_ed$(gf_shortname)_prehash_init (
decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1))) NOINLINE;

/**
* @brief EdDSA signature verification.
*
@@ -90,7 +140,32 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;


/**
* @brief EdDSA signature verification.
*
* Uses the standard (i.e. less-strict) verification formula.
*
* @param [in] signature The signature.
* @param [in] pubkey The public key.
* @param [in] context A "context" for this signature of up to 255 bytes. Must be the same as what was used for the prehash.
* @param [in] context_len Length of the context.
* @param [in] hash The hash of the message. This object will not be modified by the call.
* @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.
*
* @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed
* messages, at least without some very careful protocol-level disambiguation. For Ed448 it is
* safe. The C++ wrapper is designed to make it harder to screw this up, but this C code gives
* you no seat belt.
*/
decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
const decaf_ed$(gf_shortname)_prehash_ctx_t hash
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, const uint8_t *context,
uint8_t context_len
#endif
) API_VIS __attribute__((nonnull(1,2))) NOINLINE;

/**
* @brief EdDSA point encoding. Used internally, exposed externally.


+ 17
- 31
src/per_curve/eddsa.tmpl.hxx View File

@@ -68,14 +68,12 @@ private:
) {
throw LengthException();
}
if (SUPPORTS_CONTEXTS) {
const char pfx[] = "$(eddsa_dom)";
uint8_t dom[2] = {2, (uint8_t)context_.size() };
update((const unsigned char*)pfx,strlen(pfx));
update(dom,2);
update(context_);
}

#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
decaf_ed$(gf_shortname)_prehash_init((decaf_$(eddsa_hash)_ctx_s *)wrapped,context_.data(),context_.size());
#else
decaf_ed$(gf_shortname)_prehash_init(wrapped);
#endif
}
public:
@@ -111,17 +109,13 @@ template<class CRTP, Prehashed ph> class Signing;
template<class CRTP> class Signing<CRTP,PREHASHED> {
public:
/* Sign a prehash context, and reset the context */
inline SecureBuffer sign_prehashed ( Prehash &ph ) const /*throw(std::bad_alloc)*/ {
inline SecureBuffer sign_prehashed ( const Prehash &ph ) const /*throw(std::bad_alloc)*/ {
SecureBuffer out(CRTP::SIG_BYTES);
FixedArrayBuffer<Prehash::OUTPUT_BYTES> tmp;
ph.final(tmp);
decaf_ed$(gf_shortname)_sign (
decaf_ed$(gf_shortname)_sign_prehash (
out.data(),
((const CRTP*)this)->priv_.data(),
((const CRTP*)this)->pub_.data(),
tmp.data(),
tmp.size(),
1
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -326,19 +320,15 @@ public:

template<class CRTP> class Verification<CRTP,PREHASHED> {
public:
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline decaf_error_t WARN_UNUSED verify_prehashed_noexcept (
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*NOEXCEPT*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
return decaf_ed$(gf_shortname)_verify (
return decaf_ed$(gf_shortname)_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()
@@ -346,19 +336,15 @@ public:
);
}
/* Verify a prehash context, and reset the context */
/* Verify a prehash context. */
inline void verify_prehashed (
const FixedBlock<DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES> &sig,
Prehash &ph
const Prehash &ph
) const /*throw(CryptoException)*/ {
FixedArrayBuffer<Prehash::OUTPUT_BYTES> m;
ph.final(m);
if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify (
if (DECAF_SUCCESS != decaf_ed$(gf_shortname)_verify_prehash (
sig.data(),
((const CRTP*)this)->pub_.data(),
m.data(),
m.size(),
1
(const decaf_ed$(gf_shortname)_prehash_ctx_s*)ph.wrapped
#if DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTS
, ph.context_.data(),
ph.context_.size()


+ 7
- 7
src/public_include/decaf/sha512.hxx View File

@@ -30,7 +30,7 @@ class SHA512 {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_sha512_ctx_t sha;
decaf_sha512_ctx_t wrapped;

public:
@@ -44,10 +44,10 @@ public:
static const size_t DEFAULT_OUTPUT_BYTES = OUTPUT_BYTES;
/** Constructor */
inline SHA512() NOEXCEPT { decaf_sha512_init(sha); }
inline SHA512() NOEXCEPT { decaf_sha512_init(wrapped); }
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(sha,in,len); }
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha512_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { update(s.data(),s.size()); }
@@ -61,17 +61,17 @@ public:
/** @brief Output bytes from the SHA context, and resets it. */
inline void final(Buffer b) throw(LengthException) {
if (b.size() > OUTPUT_BYTES) throw LengthException();
decaf_sha512_final(sha,b.data(),b.size());
decaf_sha512_final(wrapped,b.data(),b.size());
}
/** Resets the SHA context */
inline void reset() NOEXCEPT { decaf_sha512_init(sha); }
inline void reset() NOEXCEPT { decaf_sha512_init(wrapped); }

/** @brief Output bytes from the sponge. */
inline SecureBuffer final(size_t len = OUTPUT_BYTES) throw(LengthException) {
if (len > OUTPUT_BYTES) throw LengthException();
SecureBuffer buffer(len);
decaf_sha512_final(sha,buffer.data(),len);
decaf_sha512_final(wrapped,buffer.data(),len);
return buffer;
}

@@ -93,7 +93,7 @@ public:
}

/** Destructor zeroizes state */
inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(sha); }
inline ~SHA512() NOEXCEPT { decaf_sha512_destroy(wrapped); }
};
} /* namespace decaf */


+ 12
- 12
src/public_include/decaf/shake.hxx View File

@@ -35,18 +35,18 @@ class KeccakHash {
protected:
/** @cond internal */
/** The C-wrapper sponge state */
decaf_keccak_sponge_t sp;
decaf_keccak_sponge_t wrapped;
/** Initialize from parameters */
inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(sp, params); }
inline KeccakHash(const decaf_kparams_s *params) NOEXCEPT { decaf_sponge_init(wrapped, params); }
/** @endcond */
public:
/** Add more data to running hash */
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(sp,in,len); }
inline void update(const uint8_t *__restrict__ in, size_t len) NOEXCEPT { decaf_sha3_update(wrapped,in,len); }

/** Add more data to running hash, C++ version. */
inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(sp,s.data(),s.size()); }
inline void update(const Block &s) NOEXCEPT { decaf_sha3_update(wrapped,s.data(),s.size()); }
/** Add more data, stream version. */
inline KeccakHash &operator<<(const Block &s) NOEXCEPT { update(s); return *this; }
@@ -58,7 +58,7 @@ public:
inline SecureBuffer output(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_output(sp,buffer.data(),len)) {
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
@@ -68,7 +68,7 @@ public:
inline SecureBuffer final(size_t len) throw(std::bad_alloc, LengthException) {
if (len > max_output_size()) throw LengthException();
SecureBuffer buffer(len);
if (DECAF_SUCCESS != decaf_sha3_final(sp,buffer.data(),len)) {
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,buffer.data(),len)) {
throw LengthException();
}
return buffer;
@@ -78,7 +78,7 @@ public:
* output too many bytes from a SHA-3 instance.
*/
inline void output(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_output(sp,b.data(),b.size())) {
if (DECAF_SUCCESS != decaf_sha3_output(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
@@ -87,19 +87,19 @@ public:
* LengthException if you've output too many bytes from a SHA3 instance.
*/
inline void final(Buffer b) throw(LengthException) {
if (DECAF_SUCCESS != decaf_sha3_final(sp,b.data(),b.size())) {
if (DECAF_SUCCESS != decaf_sha3_final(wrapped,b.data(),b.size())) {
throw LengthException();
}
}
/** @brief Return the sponge's default output size. */
inline size_t default_output_size() const NOEXCEPT {
return decaf_sponge_default_output_bytes(sp);
return decaf_sponge_default_output_bytes(wrapped);
}
/** @brief Return the sponge's maximum output size. */
inline size_t max_output_size() const NOEXCEPT {
return decaf_sponge_max_output_bytes(sp);
return decaf_sponge_max_output_bytes(wrapped);
}
/** Output the default number of bytes. */
@@ -113,10 +113,10 @@ public:
}

/** Reset the hash to the empty string */
inline void reset() NOEXCEPT { decaf_sha3_reset(sp); }
inline void reset() NOEXCEPT { decaf_sha3_reset(wrapped); }
/** Destructor zeroizes state */
inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(sp); }
inline ~KeccakHash() NOEXCEPT { decaf_sponge_destroy(wrapped); }
};

/** Fixed-output-length SHA3 */


Write Preview
Loading…
Cancel
Save