jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
176 Commits
4 Branches
18 MiB
 
 
 
 
 
 
Tree: 82c49b3ca0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '82c49b3ca0'
${ noResults }
lora-irrigation/strobe/x25519.h

129 lines
4.2 KiB
Raw Blame History 

  1. /**

  2.  * @file x25519.h

  3.  * @copyright

  4.  *   Copyright (c) 2016 Cryptography Research, Inc.  \n

  5.  *   Released under the MIT License.  See LICENSE.txt for license information.

  6.  * @author Mike Hamburg

  7.  * @brief X25519 key exchange and signatures.

  8.  */

  9. 

  10. #ifndef __X25519_H__

  11. #define __X25519_H__

  12. 

  13. #define X25519_BYTES (256/8)

  14. 

  15. /* The base point (9) */

  16. extern const unsigned char X25519_BASE_POINT[X25519_BYTES];

  17. 

  18. /** Number of bytes in an EC public key */

  19. #define EC_PUBLIC_BYTES 32

  20. 

  21. /** Number of bytes in an EC private key */

  22. #define EC_PRIVATE_BYTES 32

  23. 

  24. /**

  25.  * Number of bytes in a Schnorr challenge.

  26.  * Could be set to 16 in a pinch.  (FUTURE?)

  27.  */

  28. #define EC_CHALLENGE_BYTES 32

  29. 

  30. /** Enough bytes to get a uniform sample mod #E.  For eg a Brainpool

  31.  * curve this would need to be more than for a private key, but due

  32.  * to the special prime used by Curve25519, the same size is enough.

  33.  */

  34. #define EC_UNIFORM_BYTES 32

  35. 

  36. /* x25519 scalar multiplication.  Sets out to scalar*base.

  37.  *

  38.  * If clamp is set (and supported by X25519_INTEROP_SUPPORT_CLAMP)

  39.  * then the scalar will be "clamped" like a Curve25519 secret key.

  40.  * This adds almost no security, but permits interop with other x25519

  41.  * implementations without manually clamping the keys.

  42.  *

  43.  * Per RFC 7748, this function returns failure (-1) if the output

  44.  * is zero and clamp is set.  This indicates "non-contributory behavior",

  45.  * meaning that one party might steer the key so that the other party's

  46.  * contribution doesn't matter, or contributes only a little entropy.

  47.  *

  48.  * WARNING: however, this function differs from RFC 7748 in another way:

  49.  * it pays attention to the high bit base[EC_PUBLIC_BYTES-1] & 0x80, but

  50.  * RFC 7748 says to ignore this bit.  For compatibility with RFC 7748,

  51.  * you must also clear this bit by running base[EC_PUBLIC_BYTES-1] &= 0x7F.

  52.  * This library won't clear it for you because it takes the base point as

  53.  * const, and (depending on build flags) dosen't copy it.

  54.  *

  55.  * If clamp==0, or if X25519_INTEROP_SUPPORT_CLAMP==0, then this function

  56.  * always returns 0.

  57.  */

  58. int x25519 (

  59.     unsigned char out[EC_PUBLIC_BYTES],

  60.     const unsigned char scalar[EC_PRIVATE_BYTES],

  61.     const unsigned char base[EC_PUBLIC_BYTES],

  62.     int clamp

  63. );

  64. 

  65. /**

  66.  * Returns 0 on success, -1 on failure.

  67.  *

  68.  * Per RFC 7748, this function returns failure if the output

  69.  * is zero and clamp is set.  This usually doesn't matter for

  70.  * base scalarmuls.

  71.  *

  72.  * If clamp==0, or if X25519_INTEROP_SUPPORT_CLAMP==0, then this function

  73.  * always returns 0.

  74.  *

  75.  * Same as x255(out,scalar,X255_BASE_POINT), except that

  76.  * other implementations may optimize it.

  77.  */

  78. static inline int x25519_base (

  79.     unsigned char out[EC_PUBLIC_BYTES],

  80.     const unsigned char scalar[EC_PRIVATE_BYTES],

  81.     int clamp

  82. ) {

  83.     return x25519(out,scalar,X25519_BASE_POINT,clamp);

  84. }

  85. 

  86. /**

  87.  * As x25519_base, but with a scalar that's EC_UNIFORM_BYTES long,

  88.  * and clamp always 0 (and thus, no return value).

  89.  *

  90.  * This is used for signing.  Implementors must replace it for

  91.  * curves that require more bytes for uniformity (Brainpool).

  92.  */

  93. static inline void x25519_base_uniform (

  94.     unsigned char out[EC_PUBLIC_BYTES],

  95.     const unsigned char scalar[EC_UNIFORM_BYTES]

  96. ) {

  97.     (void)x25519_base(out,scalar,0);

  98. }

  99. 

  100. /**

  101.  * STROBE-compatible Schnorr signatures using curve25519 (not ed25519)

  102.  *

  103.  * The user will call x25519_base_uniform(eph,eph_secret) to schedule

  104.  * a random ephemeral secret key.  They then call a Schnorr oracle to

  105.  * get a challenge, and compute the response using this function.

  106.  */

  107. void x25519_sign_p2 (

  108.     unsigned char response[EC_PRIVATE_BYTES],

  109.     const unsigned char challenge[EC_CHALLENGE_BYTES],

  110.     const unsigned char eph_secret[EC_UNIFORM_BYTES],

  111.     const unsigned char secret[EC_PRIVATE_BYTES]

  112. );

  113. 

  114. /**

  115.  * STROBE-compatible signature verification using curve25519 (not ed25519).

  116.  * This function is the public equivalent x25519_sign_p2, taking the long-term

  117.  * and ephemeral public keys instead of secret ones.

  118.  *

  119.  * Returns -1 on failure and 0 on success.

  120.  */

  121. int x25519_verify_p2 (

  122.     const unsigned char response[X25519_BYTES],

  123.     const unsigned char challenge[X25519_BYTES],

  124.     const unsigned char eph[X25519_BYTES],

  125.     const unsigned char pub[X25519_BYTES]

  126. );

  127. 

  128. #endif /* __X25519_H__ */