diff --git a/src/decaf_crypto.c b/src/decaf_crypto.c index ebf9dc7..c567727 100644 --- a/src/decaf_crypto.c +++ b/src/decaf_crypto.c @@ -51,7 +51,7 @@ void decaf_255_private_to_public ( memcpy(pub, priv->pub, sizeof(decaf_255_public_key_t)); } -decaf_bool_t +decaf_error_t decaf_255_shared_secret ( uint8_t *shared, size_t shared_bytes, @@ -92,15 +92,16 @@ decaf_255_shared_secret ( } shake256_update(sponge, ss_ser, sizeof(ss_ser)); - decaf_bool_t ret = decaf_255_direct_scalarmul(ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE, DECAF_TRUE); + decaf_error_t ret = decaf_255_direct_scalarmul(ss_ser, your_pubkey, my_privkey->secret_scalar, DECAF_FALSE, DECAF_TRUE); + decaf_bool_t good = decaf_successful(ret); /* If invalid, then replace ... */ for (i=0; isym)) { - ss_ser[i] |= my_privkey->sym[i] & ~ret; + ss_ser[i] |= my_privkey->sym[i] & ~good; } else if (i - sizeof(my_privkey->sym) < strlen(nope)) { - ss_ser[i] |= nope[i-sizeof(my_privkey->sym)] & ~ret; + ss_ser[i] |= nope[i-sizeof(my_privkey->sym)] & ~good; } } @@ -159,7 +160,7 @@ decaf_255_sign_shake ( decaf_bzero(encoded,sizeof(encoded)); } -decaf_bool_t +decaf_error_t decaf_255_verify_shake ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, @@ -181,9 +182,9 @@ decaf_255_verify_shake ( decaf_255_scalar_decode_long(challenge, overkill, sizeof(overkill)); /* Decode points. */ - ret = decaf_255_point_decode(point, sig, DECAF_TRUE); - ret &= decaf_255_point_decode(pubpoint, pub, DECAF_FALSE); - ret &= decaf_255_scalar_decode(response, &sig[DECAF_255_SER_BYTES]); + ret = decaf_successful(decaf_255_point_decode(point, sig, DECAF_TRUE)); + ret &= decaf_successful(decaf_255_point_decode(pubpoint, pub, DECAF_FALSE)); + ret &= decaf_successful(decaf_255_scalar_decode(response, &sig[DECAF_255_SER_BYTES])); decaf_255_base_double_scalarmul_non_secret ( pubpoint, response, pubpoint, challenge @@ -191,7 +192,7 @@ decaf_255_verify_shake ( ret &= decaf_255_point_eq(pubpoint, point); - return ret; + return decaf_succeed_if(ret); } void @@ -208,7 +209,7 @@ decaf_255_sign ( shake256_destroy(ctx); } -decaf_bool_t +decaf_error_t decaf_255_verify ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, @@ -218,7 +219,7 @@ decaf_255_verify ( shake256_ctx_t ctx; shake256_init(ctx); shake256_update(ctx, message, message_len); - decaf_bool_t ret = decaf_255_verify_shake(sig, pub, ctx); + decaf_error_t ret = decaf_255_verify_shake(sig, pub, ctx); shake256_destroy(ctx); return ret; } diff --git a/src/decaf_fast.c b/src/decaf_fast.c index 5190f49..990f557 100644 --- a/src/decaf_fast.c +++ b/src/decaf_fast.c @@ -261,7 +261,7 @@ static INLINE void sc_montsqr (scalar_t out, const scalar_t a) { sc_montmul(out,a,a); } -decaf_bool_t API_NS(scalar_invert) ( +decaf_error_t API_NS(scalar_invert) ( scalar_t out, const scalar_t a ) { @@ -318,7 +318,7 @@ decaf_bool_t API_NS(scalar_invert) ( /* Demontgomerize */ sc_montmul(out,out,API_NS(scalar_one)); decaf_bzero(precmp, sizeof(precmp)); - return ~API_NS(scalar_eq)(out,API_NS(scalar_zero)); + return decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero))); } void API_NS(scalar_sub) ( @@ -510,13 +510,14 @@ static decaf_bool_t gf_deser(gf s, const unsigned char ser[SER_BYTES]) { return gf_deserialize((gf_s *)s, ser); } -decaf_bool_t API_NS(point_decode) ( +decaf_error_t API_NS(point_decode) ( point_t p, const unsigned char ser[SER_BYTES], decaf_bool_t allow_identity ) { gf s, a, b, c, d, e, f; decaf_bool_t succ = gf_deser(s, ser), zero = gf_eq(s, ZERO); + allow_identity = ~word_is_zero(allow_identity); succ &= allow_identity | ~zero; succ &= ~hibit(s); gf_sqr ( a, s ); @@ -566,7 +567,7 @@ decaf_bool_t API_NS(point_decode) ( assert(API_NS(point_valid)(p) | ~succ); - return succ; + return decaf_succeed_if(succ); } #if IMAGINE_TWIST @@ -700,7 +701,7 @@ scalar_decode_short ( } } -decaf_bool_t API_NS(scalar_decode)( +decaf_error_t API_NS(scalar_decode)( scalar_t s, const unsigned char ser[SER_BYTES] ) { @@ -710,10 +711,11 @@ decaf_bool_t API_NS(scalar_decode)( for (i=0; ilimb[i] - sc_p->limb[i]) >> WBITS; } + /* Here accum == 0 or -1 */ API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */ - return accum; + return decaf_succeed_if(accum); } void API_NS(scalar_destroy) ( @@ -1170,7 +1172,7 @@ void API_NS(point_from_hash_nonuniform) ( assert(API_NS(point_valid)(p)); } -decaf_bool_t +decaf_error_t API_NS(invert_elligator_nonuniform) ( unsigned char recovered_hash[SER_BYTES], const point_t p, @@ -1218,7 +1220,7 @@ API_NS(invert_elligator_nonuniform) ( gf_encode(recovered_hash, b); /* TODO: deal with overflow flag */ - return succ; + return decaf_succeed_if(succ); } void API_NS(point_from_hash_uniform) ( @@ -1231,7 +1233,7 @@ void API_NS(point_from_hash_uniform) ( API_NS(point_add)(pt,pt,pt2); } -decaf_bool_t +decaf_error_t API_NS(invert_elligator_uniform) ( unsigned char partial_hash[2*SER_BYTES], const point_t p, @@ -1481,7 +1483,7 @@ void API_NS(point_cond_sel) ( const point_t b, decaf_bool_t pick_b ) { - pick_b = ~(((decaf_dword_t)pick_b - 1) >> WBITS); + pick_b = ~word_is_zero(pick_b); constant_time_select(out,b,a,sizeof(point_t),pick_b); } @@ -1491,12 +1493,12 @@ void API_NS(scalar_cond_sel) ( const scalar_t b, decaf_bool_t pick_b ) { - pick_b = ~(((decaf_dword_t)pick_b - 1) >> WBITS); + pick_b = ~word_is_zero(pick_b); constant_time_select(out,b,a,sizeof(scalar_t),pick_b); } /* TODO: restore Curve25519 Montgomery ladder? */ -decaf_bool_t API_NS(direct_scalarmul) ( +decaf_error_t API_NS(direct_scalarmul) ( uint8_t scaled[SER_BYTES], const uint8_t base[SER_BYTES], const scalar_t scalar, @@ -1504,13 +1506,13 @@ decaf_bool_t API_NS(direct_scalarmul) ( decaf_bool_t short_circuit ) { point_t basep; - decaf_bool_t succ = API_NS(point_decode)(basep, base, allow_identity); - if (short_circuit & ~succ) return succ; + decaf_bool_t succ = decaf_successful(API_NS(point_decode)(basep, base, allow_identity)); + if (short_circuit && ~succ) return DECAF_FAILURE; API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ); API_NS(point_scalarmul)(basep, basep, scalar); API_NS(point_encode)(scaled, basep); API_NS(point_destroy)(basep); - return succ; + return decaf_succeed_if(succ); } /** diff --git a/src/decaf_gen_tables.c b/src/decaf_gen_tables.c index 1db5aa6..de917d6 100644 --- a/src/decaf_gen_tables.c +++ b/src/decaf_gen_tables.c @@ -75,7 +75,7 @@ int main(int argc, char **argv) { API_NS(point_t) real_point_base; int ret = API_NS(point_decode)(real_point_base,base_point_ser_for_pregen,0); - if (!ret) return 1; + if (ret != DECAF_SUCCESS) return 1; API_NS(precomputed_s) *pre; ret = posix_memalign((void**)&pre, API_NS2(alignof,precomputed_s), API_NS2(sizeof,precomputed_s)); diff --git a/src/include/word.h b/src/include/word.h index c66cb36..489f392 100644 --- a/src/include/word.h +++ b/src/include/word.h @@ -73,7 +73,6 @@ #define UNUSED __attribute__((unused)) #define INLINE __inline__ __attribute__((always_inline)) - #ifdef __ARM_NEON__ typedef uint32x4_t vecmask_t; #elif __clang__ diff --git a/src/public_include/decaf/common.h b/src/public_include/decaf/common.h index 1b9c988..62732ef 100644 --- a/src/public_include/decaf/common.h +++ b/src/public_include/decaf/common.h @@ -51,9 +51,28 @@ extern "C" { /** DECAF_TRUE = -1 so that DECAF_TRUE & x = x */ static const decaf_bool_t DECAF_TRUE = -(decaf_bool_t)1, DECAF_FALSE = 0; -/** NB Success is -1, failure is 0. */ -static const decaf_bool_t DECAF_SUCCESS = -(decaf_bool_t)1 /*DECAF_TRUE*/, - DECAF_FAILURE = 0 /*DECAF_FALSE*/; +/* Success or failure */ +// FIXME: deploy project-wide +typedef enum { + DECAF_SUCCESS = -1, + DECAF_FAILURE = 0 +} decaf_error_t; + + +/** Return success if x is true */ +static __inline__ __attribute__((unused,always_inline)) +decaf_error_t +decaf_succeed_if(decaf_bool_t x) { + return (decaf_error_t)x; +} + +/** Return DECAF_TRUE iff x == DECAF_SUCCESS */ +static __inline__ __attribute__((unused,always_inline)) +decaf_bool_t +decaf_successful(decaf_error_t e) { + decaf_dword_t w = ((decaf_word_t)e) ^ ((decaf_word_t)DECAF_SUCCESS); + return (w-1)>>DECAF_WORD_BITS; +} /** * @brief Overwrite data with zeros. Uses memset_s if available. diff --git a/src/public_include/decaf/crypto.h b/src/public_include/decaf/crypto.h index 72b1a01..4ca19e4 100644 --- a/src/public_include/decaf/crypto.h +++ b/src/public_include/decaf/crypto.h @@ -103,7 +103,7 @@ void decaf_255_private_to_public ( * @warning This is a pretty silly shared secret computation * and will almost definitely change in the future. */ -decaf_bool_t +decaf_error_t decaf_255_shared_secret ( uint8_t *shared, size_t shared_bytes, @@ -147,8 +147,11 @@ decaf_255_sign ( * @param [in] sig The signature. * @param [in] pub The public key. * @param [in] shake A SHAKE256 context with the message. + * + * @return DECAF_SUCCESS The signature verified successfully. + * @return DECAF_FAILURE The signature did not verify successfully. */ -decaf_bool_t +decaf_error_t decaf_255_verify_shake ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, @@ -162,8 +165,11 @@ decaf_255_verify_shake ( * @param [in] pub The public key. * @param [in] message The message. * @param [in] message_len The message's length. + * + * @return DECAF_SUCCESS The signature verified successfully. + * @return DECAF_FAILURE The signature did not verify successfully. */ -decaf_bool_t +decaf_error_t decaf_255_verify ( const decaf_255_signature_t sig, const decaf_255_public_key_t pub, diff --git a/src/public_include/decaf/crypto.hxx b/src/public_include/decaf/crypto.hxx index ef23ed5..c799a06 100644 --- a/src/public_include/decaf/crypto.hxx +++ b/src/public_include/decaf/crypto.hxx @@ -64,14 +64,14 @@ public: } /** @brief Verify a sig. TODO: nothrow version? */ - inline bool verify_shake(const SHAKE &ctx_, const FixedBlock &sig) throw(CryptoException) { + inline void verify_shake(const SHAKE &ctx_, const FixedBlock &sig) throw(CryptoException) { SHAKE ctx(ctx_); ctx << ser << sig.slice(0,Group::Point::SER_BYTES); FixedArrayBuffer challenge; ctx.output(challenge); typename Group::Scalar response; - decaf_bool_t scalar_OK = Group::Scalar::decode( + decaf_error_t scalar_OK = Group::Scalar::decode( response, sig.slice(Group::Point::SER_BYTES, Group::Scalar::SER_BYTES) ); @@ -79,9 +79,10 @@ public: const typename Group::Point combo = point().non_secret_combo_with_base( typename Group::Scalar(challenge), response ); - //if (combo != typename Group::Point(sig.slice(0,Group::Point::SER_BYTES))) - // throw CryptoException(); - return scalar_OK & (combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES))); + if (!decaf_successful(scalar_OK) + || combo != typename Group::Point(sig.slice(0,Group::Point::SER_BYTES))) + throw CryptoException(); + //return scalar_OK & (combo == typename Group::Point(sig.slice(0,Group::Point::SER_BYTES))); } /** @brief Sign from a message. */ diff --git a/src/public_include/decaf/decaf_255.h b/src/public_include/decaf/decaf_255.h index f7d143b..3675bcc 100644 --- a/src/public_include/decaf/decaf_255.h +++ b/src/public_include/decaf/decaf_255.h @@ -80,7 +80,7 @@ extern const struct decaf_255_precomputed_s *decaf_255_precomputed_base API_VIS; * @retval DECAF_FAILURE The scalar was greater than the modulus, * and has been reduced modulo that modulus. */ -decaf_bool_t decaf_255_scalar_decode ( +decaf_error_t decaf_255_scalar_decode ( decaf_255_scalar_t out, const unsigned char ser[DECAF_255_SCALAR_BYTES] ) API_VIS WARN_UNUSED NONNULL2 NOINLINE; @@ -164,7 +164,7 @@ void decaf_255_scalar_mul ( * @param [out] out 1/a. * @return DECAF_SUCCESS The input is nonzero. */ -decaf_bool_t decaf_255_scalar_invert ( +decaf_error_t decaf_255_scalar_invert ( decaf_255_scalar_t out, const decaf_255_scalar_t a ) API_VIS WARN_UNUSED NONNULL2 NOINLINE; @@ -217,7 +217,7 @@ void decaf_255_point_encode ( * @retval DECAF_FAILURE The decoding didn't succeed, because * ser does not represent a point. */ -decaf_bool_t decaf_255_point_decode ( +decaf_error_t decaf_255_point_decode ( decaf_255_point_t pt, const uint8_t ser[DECAF_255_SER_BYTES], decaf_bool_t allow_identity @@ -335,7 +335,7 @@ void decaf_255_point_scalarmul ( * @retval DECAF_FAILURE The scalarmul didn't succeed, because * base does not represent a point. */ -decaf_bool_t decaf_255_direct_scalarmul ( +decaf_error_t decaf_255_direct_scalarmul ( uint8_t scaled[DECAF_255_SER_BYTES], const uint8_t base[DECAF_255_SER_BYTES], const decaf_255_scalar_t scalar, @@ -552,7 +552,7 @@ void decaf_255_point_from_hash_uniform ( * @retval DECAF_SUCCESS The inverse succeeded. * @retval DECAF_FAILURE The inverse failed. */ -decaf_bool_t +decaf_error_t decaf_255_invert_elligator_nonuniform ( unsigned char recovered_hash[DECAF_255_SER_BYTES], const decaf_255_point_t pt, @@ -577,7 +577,7 @@ decaf_255_invert_elligator_nonuniform ( * @retval DECAF_SUCCESS The inverse succeeded. * @retval DECAF_FAILURE The inverse failed. */ -decaf_bool_t +decaf_error_t decaf_255_invert_elligator_uniform ( unsigned char recovered_hash[2*DECAF_255_SER_BYTES], const decaf_255_point_t pt, diff --git a/src/public_include/decaf/decaf_255.hxx b/src/public_include/decaf/decaf_255.hxx index 3f43217..d2a4177 100644 --- a/src/public_include/decaf/decaf_255.hxx +++ b/src/public_include/decaf/decaf_255.hxx @@ -139,7 +139,7 @@ public: * @brief Decode from correct-length little-endian byte sequence. * @return DECAF_FAILURE if the scalar is greater than or equal to the group order q. */ - static inline decaf_bool_t __attribute__((warn_unused_result)) decode ( + static inline decaf_error_t __attribute__((warn_unused_result)) decode ( Scalar &sc, const FixedBlock buffer ) NOEXCEPT { return decaf_255_scalar_decode(sc.s,buffer.data()); @@ -268,7 +268,7 @@ public: * @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point, * or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined. */ - static inline decaf_bool_t __attribute__((warn_unused_result)) decode ( + static inline decaf_error_t __attribute__((warn_unused_result)) decode ( Point &p, const FixedBlock &buffer, decaf_bool_t allow_identity=DECAF_TRUE ) NOEXCEPT { return decaf_255_point_decode(p.p,buffer.data(),allow_identity); @@ -354,7 +354,7 @@ public: inline Point &operator/=(const Scalar &s) throw(CryptoException) { return (*this) *= s.inverse(); } /** @brief Validate / sanity check */ - inline bool validate() const NOEXCEPT { return DECAF_SUCCESS == decaf_255_point_valid(p); } + inline bool validate() const NOEXCEPT { return decaf_255_point_valid(p); } /** @brief Double-scalar multiply, equivalent to q*qs + r*rs but faster. */ static inline Point double_scalarmul ( @@ -398,10 +398,10 @@ public: } /** - * Modify buffer so that Point::from_hash(Buffer) == *this, and return true; - * or leave buf unmodified and return false. + * Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS; + * or leave buf unmodified and return DECAF_FAILURE. */ - inline bool invert_elligator ( + inline decaf_error_t invert_elligator ( Buffer buf, uint16_t hint ) const NOEXCEPT { unsigned char buf2[2*HASH_BYTES]; @@ -409,30 +409,30 @@ public: memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size()); decaf_bool_t ret; if (buf.size() > HASH_BYTES) { - ret = decaf_255_invert_elligator_uniform(buf2, p, hint); + ret = decaf_successful(decaf_255_invert_elligator_uniform(buf2, p, hint)); } else { - ret = decaf_255_invert_elligator_nonuniform(buf2, p, hint); + ret = decaf_successful(decaf_255_invert_elligator_nonuniform(buf2, p, hint)); } if (buf.size() < HASH_BYTES) { ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size()); } - if (DECAF_SUCCESS == ret) { + if (ret) { /* TODO: make this constant time?? */ memcpy(buf.data(),buf2,(buf.size() < HASH_BYTES) ? buf.size() : HASH_BYTES); } decaf_bzero(buf2,sizeof(buf2)); - return DECAF_SUCCESS == ret; + return decaf_succeed_if(ret); } /** @brief Steganographically encode this */ inline SecureBuffer steg_encode(Rng &rng, size_t size=STEG_BYTES) const throw(std::bad_alloc, LengthException) { if (size <= HASH_BYTES + 4 || size > 2*HASH_BYTES) throw LengthException(); SecureBuffer out(STEG_BYTES); - bool done; + decaf_error_t done; do { rng.read(Buffer(out).slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1)); done = invert_elligator(out, out[HASH_BYTES-1]); - } while (!done); + } while (!decaf_successful(done)); return out; } diff --git a/src/public_include/decaf/decaf_448.h b/src/public_include/decaf/decaf_448.h index a9fddcf..ba64bf7 100644 --- a/src/public_include/decaf/decaf_448.h +++ b/src/public_include/decaf/decaf_448.h @@ -80,7 +80,7 @@ extern const struct decaf_448_precomputed_s *decaf_448_precomputed_base API_VIS; * @retval DECAF_FAILURE The scalar was greater than the modulus, * and has been reduced modulo that modulus. */ -decaf_bool_t decaf_448_scalar_decode ( +decaf_error_t decaf_448_scalar_decode ( decaf_448_scalar_t out, const unsigned char ser[DECAF_448_SCALAR_BYTES] ) API_VIS WARN_UNUSED NONNULL2 NOINLINE; @@ -164,7 +164,7 @@ void decaf_448_scalar_mul ( * @param [out] out 1/a. * @return DECAF_TRUE The input is nonzero. */ -decaf_bool_t decaf_448_scalar_invert ( +decaf_error_t decaf_448_scalar_invert ( decaf_448_scalar_t out, const decaf_448_scalar_t a ) API_VIS WARN_UNUSED NONNULL2 NOINLINE; @@ -217,7 +217,7 @@ void decaf_448_point_encode ( * @retval DECAF_FAILURE The decoding didn't succeed, because * ser does not represent a point. */ -decaf_bool_t decaf_448_point_decode ( +decaf_error_t decaf_448_point_decode ( decaf_448_point_t pt, const uint8_t ser[DECAF_448_SER_BYTES], decaf_bool_t allow_identity @@ -335,7 +335,7 @@ void decaf_448_point_scalarmul ( * @retval DECAF_FAILURE The scalarmul didn't succeed, because * base does not represent a point. */ -decaf_bool_t decaf_448_direct_scalarmul ( +decaf_error_t decaf_448_direct_scalarmul ( uint8_t scaled[DECAF_448_SER_BYTES], const uint8_t base[DECAF_448_SER_BYTES], const decaf_448_scalar_t scalar, @@ -552,7 +552,7 @@ void decaf_448_point_from_hash_uniform ( * @retval DECAF_SUCCESS The inverse succeeded. * @retval DECAF_FAILURE The inverse failed. */ -decaf_bool_t +decaf_error_t decaf_448_invert_elligator_nonuniform ( unsigned char recovered_hash[DECAF_448_SER_BYTES], const decaf_448_point_t pt, @@ -577,7 +577,7 @@ decaf_448_invert_elligator_nonuniform ( * @retval DECAF_SUCCESS The inverse succeeded. * @retval DECAF_FAILURE The inverse failed. */ -decaf_bool_t +decaf_error_t decaf_448_invert_elligator_uniform ( unsigned char recovered_hash[2*DECAF_448_SER_BYTES], const decaf_448_point_t pt, diff --git a/src/public_include/decaf/decaf_448.hxx b/src/public_include/decaf/decaf_448.hxx index 334bb6f..85250af 100644 --- a/src/public_include/decaf/decaf_448.hxx +++ b/src/public_include/decaf/decaf_448.hxx @@ -130,7 +130,7 @@ public: * @brief Decode from correct-length little-endian byte sequence. * @return DECAF_FAILURE if the scalar is greater than or equal to the group order q. */ - static inline decaf_bool_t __attribute__((warn_unused_result)) decode ( + static inline decaf_error_t __attribute__((warn_unused_result)) decode ( Scalar &sc, const FixedBlock buffer ) NOEXCEPT { return decaf_448_scalar_decode(sc.s,buffer.data()); @@ -271,7 +271,7 @@ public: * @return DECAF_FAILURE the string was the wrong length, or wasn't the encoding of a point, * or was the identity and allow_identity was DECAF_FALSE. Contents of the buffer are undefined. */ - static inline decaf_bool_t __attribute__((warn_unused_result)) decode ( + static inline decaf_error_t __attribute__((warn_unused_result)) decode ( Point &p, const FixedBlock &buffer, decaf_bool_t allow_identity=DECAF_TRUE ) NOEXCEPT { return decaf_448_point_decode(p.p,buffer.data(),allow_identity); @@ -366,7 +366,7 @@ public: inline Point &operator/=(const Scalar &s) throw(CryptoException) { return (*this) *= s.inverse(); } /** @brief Validate / sanity check */ - inline bool validate() const NOEXCEPT { return DECAF_SUCCESS == decaf_448_point_valid(p); } + inline bool validate() const NOEXCEPT { return decaf_448_point_valid(p); } /** @brief Double-scalar multiply, equivalent to q*qs + r*rs but faster. */ static inline Point double_scalarmul ( @@ -415,10 +415,10 @@ public: } /** - * Modify buffer so that Point::from_hash(Buffer) == *this, and return true; - * or leave buf unmodified and return false. + * Modify buffer so that Point::from_hash(Buffer) == *this, and return DECAF_SUCCESS; + * or leave buf unmodified and return DECAF_FAILURE. */ - inline bool invert_elligator ( + inline decaf_error_t invert_elligator ( Buffer buf, uint16_t hint ) const NOEXCEPT { unsigned char buf2[2*HASH_BYTES]; @@ -426,30 +426,29 @@ public: memcpy(buf2,buf.data(),(buf.size() > 2*HASH_BYTES) ? 2*HASH_BYTES : buf.size()); decaf_bool_t ret; if (buf.size() > HASH_BYTES) { - ret = decaf_448_invert_elligator_uniform(buf2, p, hint); + ret = decaf_successful(decaf_448_invert_elligator_uniform(buf2, p, hint)); } else { - ret = decaf_448_invert_elligator_nonuniform(buf2, p, hint); + ret = decaf_successful(decaf_448_invert_elligator_nonuniform(buf2, p, hint)); } if (buf.size() < HASH_BYTES) { - // FIXME: this &= will fail if success becomes 0 ret &= decaf_memeq(&buf2[buf.size()], &buf2[HASH_BYTES], HASH_BYTES - buf.size()); } - if (DECAF_SUCCESS == ret) { + if (ret) { /* TODO: make this constant time?? */ memcpy(buf.data(),buf2,(buf.size() < HASH_BYTES) ? buf.size() : HASH_BYTES); } decaf_bzero(buf2,sizeof(buf2)); - return (ret == DECAF_SUCCESS); + return decaf_succeed_if(ret); } /** @brief Steganographically encode this */ inline SecureBuffer steg_encode(Rng &rng) const throw(std::bad_alloc) { SecureBuffer out(STEG_BYTES); - bool done; + decaf_error_t done; do { rng.read(Buffer(out).slice(HASH_BYTES-1,STEG_BYTES-HASH_BYTES+1)); done = invert_elligator(out, out[HASH_BYTES-1]); - } while (!done); + } while (!decaf_successful(done)); return out; } diff --git a/test/test_decaf.cxx b/test/test_decaf.cxx index 7e04bc5..c603405 100644 --- a/test/test_decaf.cxx +++ b/test/test_decaf.cxx @@ -201,8 +201,8 @@ static void test_elligator() { if (len > Point::HASH_BYTES) memcpy(&(*alts2[j])[Point::HASH_BYTES], &b1[Point::HASH_BYTES], len-Point::HASH_BYTES); - successes[j] = s.invert_elligator(*alts[j], j); - successes2[j] = ss.invert_elligator(*alts2[j],j); + successes[j] = decaf_successful( s.invert_elligator(*alts[j], j)); + successes2[j] = decaf_successful(ss.invert_elligator(*alts2[j],j)); if (successes[j] != successes2[j] || (successes[j] && successes2[j] && *alts[j] != *alts2[j]) @@ -353,17 +353,17 @@ static void test_decaf() { decaf_255_private_to_public(p1,s1); decaf_255_derive_private_key(s2,proto2); decaf_255_private_to_public(p2,s2); - if (!decaf_255_shared_secret (shared1,sizeof(shared1),s1,p2)) { + if (DECAF_SUCCESS != decaf_255_shared_secret (shared1,sizeof(shared1),s1,p2)) { test.fail(); printf("Fail ss12\n"); } - if (!decaf_255_shared_secret (shared2,sizeof(shared2),s2,p1)) { + if (DECAF_SUCCESS != decaf_255_shared_secret (shared2,sizeof(shared2),s2,p1)) { test.fail(); printf("Fail ss21\n"); } if (memcmp(shared1,shared2,sizeof(shared1))) { test.fail(); printf("Fail ss21 == ss12\n"); } decaf_255_sign (sig,s1,(const unsigned char *)message,strlen(message)); - if (!decaf_255_verify (sig,p1,(const unsigned char *)message,strlen(message))) { + if (DECAF_SUCCESS != decaf_255_verify (sig,p1,(const unsigned char *)message,strlen(message))) { test.fail(); printf("Fail sig ver\n"); } }