From a3b094eb99cc6cc1052c03f7d8f63ca911b2b490 Mon Sep 17 00:00:00 2001 From: Michael Hamburg Date: Thu, 7 Jan 2016 11:48:24 -0800 Subject: [PATCH] trying to make headers the same, for future unified generation --- src/decaf_crypto.c | 19 ++++--- src/public_include/decaf.hxx | 15 ++++-- src/public_include/decaf/decaf_255.h | 39 +++++++------- src/public_include/decaf/decaf_448.h | 78 +++++++++++++++------------- 4 files changed, 85 insertions(+), 66 deletions(-) diff --git a/src/decaf_crypto.c b/src/decaf_crypto.c index 6ec11f4..47c42ee 100644 --- a/src/decaf_crypto.c +++ b/src/decaf_crypto.c @@ -15,18 +15,24 @@ #include "curve_data.inc.c" #define SCALAR_BYTES ((SCALAR_BITS + 7)/8) + /* TODO: canonicalize and freeze the STROBE constants in this file + * (and STROBE itself for that matter) + */ +static const char *DERIVE_MAGIC = API_NAME"::derive_private_key"; +static const char *SIGN_MAGIC = API_NAME"::sign"; +static const char *SHARED_SECRET_MAGIC = API_NAME"::shared_secret"; +static const uint16_t SHARED_SECRET_MAX_BLOCK_SIZE = 1<<12; static const unsigned int SCALAR_OVERKILL_BYTES = SCALAR_BYTES + 8; void API_NS(derive_private_key) ( API_NS(private_key_t) priv, const API_NS(symmetric_key_t) proto ) { - const char *magic = API_NAME"::derive_private_key"; /* TODO: canonicalize and freeze */ uint8_t encoded_scalar[SCALAR_OVERKILL_BYTES]; API_NS(point_t) pub; keccak_strobe_t strobe; - strobe_init(strobe, &STROBE_256, magic, 0); + strobe_init(strobe, &STROBE_256, DERIVE_MAGIC, 0); strobe_fixed_key(strobe, proto, sizeof(API_NS(symmetric_key_t))); strobe_prng(strobe, encoded_scalar, sizeof(encoded_scalar)); strobe_destroy(strobe); @@ -54,8 +60,6 @@ void API_NS(private_to_public) ( memcpy(pub, priv->pub, sizeof(API_NS(public_key_t))); } -static const uint16_t SHARED_SECRET_MAX_BLOCK_SIZE = 1<<12; /* TODO: standardize and freeze */ - decaf_error_t API_NS(shared_secret) ( uint8_t *shared, 
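Review bot: `DERIVE_MAGIC`, `SIGN_MAGIC` and `SHARED_SECRET_MAGIC` in the first hunk are declared `static const char *`, so the pointers themselves stay writable even though they hold the STROBE personalization strings that separate key derivation, signing and shared-secret computation. Declare them as arrays, e.g. `static const char DERIVE_MAGIC[] = API_NAME"::derive_private_key";`, or as `static const char *const`, so a stray assignment cannot redirect one label to another and the strings can live in read-only data. The merged TODO could also say why freezing matters: presumably any change to these strings changes the derived private keys and makes existing signatures unverifiable.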
@@ -64,9 +68,8 @@ API_NS(shared_secret) ( const API_NS(public_key_t) your_pubkey, int me_first ) { - const char *magic = API_NAME"::shared_secret"; /* TODO: canonicalize and freeze */ keccak_strobe_t strobe; - strobe_init(strobe, &STROBE_256, magic, 0); + strobe_init(strobe, &STROBE_256, SHARED_SECRET_MAGIC, 0); uint8_t ss_ser[SER_BYTES]; @@ -194,7 +197,7 @@ API_NS(sign) ( size_t message_len ) { keccak_strobe_t ctx; - strobe_init(ctx,&STROBE_256,API_NAME"::sign",0); /* TODO: canonicalize and freeze */ + strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0); strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT); API_NS(sign_strobe)(ctx, sig, priv); strobe_destroy(ctx); @@ -208,7 +211,7 @@ API_NS(verify) ( size_t message_len ) { keccak_strobe_t ctx; - strobe_init(ctx,&STROBE_256,API_NAME"::sign",0); /* TODO: canonicalize and freeze */ + strobe_init(ctx,&STROBE_256,SIGN_MAGIC,0); strobe_transact(ctx, NULL, message, message_len, STROBE_CW_STREAMING_PLAINTEXT); decaf_error_t ret = API_NS(verify_strobe)(ctx, sig, pub); strobe_destroy(ctx); diff --git a/src/public_include/decaf.hxx b/src/public_include/decaf.hxx index d1a9900..f5dc2dd 100644 --- a/src/public_include/decaf.hxx +++ b/src/public_include/decaf.hxx @@ -1,9 +1,16 @@ - +/** + * @file decaf/decaf.hxx + * @copyright + * Copyright (c) 2016 Cryptography Research, Inc. \n + * Released under the MIT License. See LICENSE.txt for license information. + * @author Mike Hamburg + * @brief Decaf curve metaheader. + * @todo TODO remove/autogenerate all these headers. + */ #ifndef __DECAF_HXX__ #define __DECAF_HXX__ 1 -#include // MAGIC -#include // MAGIC +#include +#include #endif /* __DECAF_H__ */ - diff --git a/src/public_include/decaf/decaf_255.h b/src/public_include/decaf/decaf_255.h index ad71dec..09968ab 100644 --- a/src/public_include/decaf/decaf_255.h +++ b/src/public_include/decaf/decaf_255.h 
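Review bot: The new header comment in the `decaf.hxx` hunk says `@file decaf/decaf.hxx`, but the diff header places the file at `src/public_include/decaf.hxx`, one level above the `decaf/` directory. `@file decaf.hxx` would match, assuming `public_include` is the include root. The closing `#endif /* __DECAF_H__ */` in the same hunk names a different macro than the `__DECAF_HXX__` guard it closes and could become `#endif /* __DECAF_HXX__ */` while the file is being touched.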
@@ -22,11 +22,14 @@ extern "C" { #define DECAF_255_SCALAR_LIMBS (256/DECAF_WORD_BITS) /** Galois field element internal structure */ +#ifndef __DECAF_255_GF_DEFINED__ +#define __DECAF_255_GF_DEFINED__ 1 typedef struct gf_25519_s { /** @cond internal */ decaf_word_t limb[DECAF_255_LIMBS]; /** @endcond */ } __attribute__((aligned(32))) gf_25519_s, gf_25519_t[1]; +#endif /* __DECAF_255_GF_DEFINED__ */ /** Number of bytes in a serialized point. */ #define DECAF_255_SER_BYTES 32 @@ -36,9 +39,9 @@ typedef struct gf_25519_s { /** Twisted Edwards (-1,d-1) extended homogeneous coordinates */ typedef struct decaf_255_point_s { - /**@cond internal*/ + /** @cond internal */ gf_25519_t x,y,z,t; - /**@endcond*/ + /** @endcond */ } decaf_255_point_t[1]; /** Precomputed table based on a point. Can be trivial implementation. */ @@ -451,10 +454,10 @@ void decaf_255_base_double_scalarmul_non_secret ( * @param [in] pick_b If nonzero, choose point b. */ void decaf_255_point_cond_sel ( - decaf_255_point_t out, - const decaf_255_point_t a, - const decaf_255_point_t b, - decaf_word_t pick_b + decaf_255_point_t out, + const decaf_255_point_t a, + const decaf_255_point_t b, + decaf_word_t pick_b ) API_VIS NONNULL3 NOINLINE; /** @@ -467,10 +470,10 @@ void decaf_255_point_cond_sel ( * @param [in] pick_b If nonzero, choose scalar b. */ void decaf_255_scalar_cond_sel ( - decaf_255_scalar_t out, - const decaf_255_scalar_t a, - const decaf_255_scalar_t b, - decaf_word_t pick_b + decaf_255_scalar_t out, + const decaf_255_scalar_t a, + const decaf_255_scalar_t b, + decaf_word_t pick_b ) API_VIS NONNULL3 NOINLINE; /** @@ -492,8 +495,8 @@ decaf_bool_t decaf_255_point_valid ( * @param [in] p The point to torque. */ void decaf_255_point_debugging_torque ( - decaf_255_point_t q, - const decaf_255_point_t p + decaf_255_point_t q, + const decaf_255_point_t p ) API_VIS NONNULL2 NOINLINE; /** 
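Review bot: In the first hunk the `/** Galois field element internal structure */` comment now sits above `#ifndef __DECAF_255_GF_DEFINED__` instead of directly above the typedef, so Doxygen will likely attach it to the guard macro rather than to `gf_25519_s`. Moving it inside the guard, immediately before `typedef struct gf_25519_s {`, keeps it on the struct. The guard also means this definition is silently skipped when another header has already defined the type, so a short comment stating that the limb count and the `aligned(32)` attribute must match that other definition would help; which header that is cannot be seen from this hunk. The macro name begins with a double underscore, which C reserves for the implementation, though it follows the existing `__DECAF_448_GF_DEFINED__` convention.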
@@ -506,9 +509,9 @@ void decaf_255_point_debugging_torque ( * @param [in] factor Serialized GF factor to scale. */ void decaf_255_point_debugging_pscale ( - decaf_255_point_t q, - const decaf_255_point_t p, - const unsigned char factor[DECAF_255_SER_BYTES] + decaf_255_point_t q, + const decaf_255_point_t p, + const unsigned char factor[DECAF_255_SER_BYTES] ) API_VIS NONNULL2 NOINLINE; /** @@ -612,7 +615,7 @@ decaf_255_invert_elligator_uniform ( * @brief Overwrite scalar with zeros. */ void decaf_255_scalar_destroy ( - decaf_255_scalar_t scalar + decaf_255_scalar_t scalar ) NONNULL1 API_VIS; /** @@ -620,14 +623,14 @@ void decaf_255_scalar_destroy ( * @todo Use this internally. */ void decaf_255_point_destroy ( - decaf_255_point_t point + decaf_255_point_t point ) NONNULL1 API_VIS; /** * @brief Overwrite precomputed table with zeros. */ void decaf_255_precomputed_destroy ( - decaf_255_precomputed_s *pre + decaf_255_precomputed_s *pre ) NONNULL1 API_VIS; #ifdef __cplusplus diff --git a/src/public_include/decaf/decaf_448.h b/src/public_include/decaf/decaf_448.h index 98a2ad7..6a7ca20 100644 --- a/src/public_include/decaf/decaf_448.h +++ b/src/public_include/decaf/decaf_448.h @@ -6,7 +6,7 @@ * Copyright (c) 2015 Cryptography Research, Inc. \n * Released under the MIT License. See LICENSE.txt for license information. * - * @brief A group of prime order p, based on Ed448-Goldilocks. + * @brief A group of prime order p, based on Ed448. */ #ifndef __DECAF_448_H__ #define __DECAF_448_H__ 1 @@ -25,10 +25,11 @@ extern "C" { #ifndef __DECAF_448_GF_DEFINED__ #define __DECAF_448_GF_DEFINED__ 1 typedef struct gf_448_s { + /** @cond internal */ decaf_word_t limb[DECAF_448_LIMBS]; + /** @endcond */ } __attribute__((aligned(32))) gf_448_s, gf_448_t[1]; #endif /* __DECAF_448_GF_DEFINED__ */ -/** @endcond */ /** Number of bytes in a serialized point. */ #define DECAF_448_SER_BYTES 56 
@@ -37,7 +38,11 @@ typedef struct gf_448_s { #define DECAF_448_SCALAR_BYTES 56 /** Twisted Edwards (-1,d-1) extended homogeneous coordinates */ -typedef struct decaf_448_point_s { /**@cond internal*/gf_448_t x,y,z,t;/**@endcond*/ } decaf_448_point_t[1]; +typedef struct decaf_448_point_s { + /** @cond internal */ + gf_448_t x,y,z,t; + /** @endcond */ +} decaf_448_point_t[1]; /** Precomputed table based on a point. Can be trivial implementation. */ struct decaf_448_precomputed_s; @@ -162,7 +167,7 @@ void decaf_448_scalar_mul ( * @brief Invert a scalar. When passed zero, return 0. The input and output may alias. * @param [in] a A scalar. * @param [out] out 1/a. - * @return DECAF_TRUE The input is nonzero. + * @return DECAF_SUCCESS The input is nonzero. */ decaf_error_t decaf_448_scalar_invert ( decaf_448_scalar_t out, @@ -183,7 +188,7 @@ static inline void NONNULL2 decaf_448_scalar_copy ( } /** - * @brief Set a scalar to an integer. + * @brief Set a scalar to an unsigned integer. * @param [in] a An integer. * @param [out] out Will become equal to a. */ @@ -400,7 +405,7 @@ void decaf_448_point_double_scalarmul ( * a1 = scalar1 * base * a2 = scalar2 * base * - * Equivalent to two calls to decaf_255_point_scalarmul, but may be + * Equivalent to two calls to decaf_448_point_scalarmul, but may be * faster. * * @param [out] a1 The first multiple @@ -410,11 +415,11 @@ void decaf_448_point_double_scalarmul ( * @param [in] scalar2 A second scalar to multiply by. */ void decaf_448_point_dual_scalarmul ( - decaf_448_point_t a1, - decaf_448_point_t a2, - const decaf_448_point_t b, - const decaf_448_scalar_t scalar1, - const decaf_448_scalar_t scalar2 + decaf_448_point_t a1, + decaf_448_point_t a2, + const decaf_448_point_t b, + const decaf_448_scalar_t scalar1, + const decaf_448_scalar_t scalar2 ) API_VIS NONNULL5 NOINLINE; /** 
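Review bot: The corrected `@return DECAF_SUCCESS The input is nonzero.` in the `decaf_448_scalar_invert` hunk documents only the success case, and the unchanged `@brief` wording "When passed zero, return 0" now reads as if it described the `decaf_error_t` return value. Add the failure case, e.g. `@return DECAF_FAILURE The input is zero.` (the failure constant's name is not visible in this hunk, so confirm it), and reword the brief to something like `When passed zero, set out to 0`. A caller that skips the return check would presumably continue with a zero "inverse", so the contract should be explicit. The declaration continues past the end of the hunk.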
@@ -441,14 +446,14 @@ void decaf_448_base_double_scalarmul_non_secret ( /** -* @brief Constant-time decision between two points. If pick_b -* is zero, out = a; else out = b. -* -* @param [out] q The output. It may be the same as either input. -* @param [in] a Any point. -* @param [in] b Any point. -* @param [in] pick_b If nonzero, choose point b. -*/ + * @brief Constant-time decision between two points. If pick_b + * is zero, out = a; else out = b. + * + * @param [out] q The output. It may be the same as either input. + * @param [in] a Any point. + * @param [in] b Any point. + * @param [in] pick_b If nonzero, choose point b. + */ void decaf_448_point_cond_sel ( decaf_448_point_t out, const decaf_448_point_t a, @@ -457,14 +462,14 @@ void decaf_448_point_cond_sel ( ) API_VIS NONNULL3 NOINLINE; /** -* @brief Constant-time decision between two scalars. If pick_b -* is zero, out = a; else out = b. -* -* @param [out] q The output. It may be the same as either input. -* @param [in] a Any scalar. -* @param [in] b Any scalar. -* @param [in] pick_b If nonzero, choose scalar b. -*/ + * @brief Constant-time decision between two scalars. If pick_b + * is zero, out = a; else out = b. + * + * @param [out] q The output. It may be the same as either input. + * @param [in] a Any scalar. + * @param [in] b Any scalar. + * @param [in] pick_b If nonzero, choose scalar b. + */ void decaf_448_scalar_cond_sel ( decaf_448_scalar_t out, const decaf_448_scalar_t a, @@ -484,14 +489,15 @@ decaf_bool_t decaf_448_point_valid ( ) API_VIS WARN_UNUSED NONNULL1 NOINLINE; /** - * @brief Torque a point, for debugging purposes. + * @brief Torque a point, for debugging purposes. The output + * will be equal to the input. * * @param [out] q The point to torque. * @param [in] p The point to torque. */ void decaf_448_point_debugging_torque ( - decaf_448_point_t q, - const decaf_448_point_t p + decaf_448_point_t q, + const decaf_448_point_t p ) API_VIS NONNULL2 NOINLINE; /** 
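Review bot: The sentence added to the `decaf_448_point_debugging_torque` comment, "The output will be equal to the input", leaves `@param [out] q The point to torque.` unchanged, so the output and input parameters still carry the same description. Suggest `@param [out] q The torqued point.` for the output. If the intent is that q equals p as a group element while its internal representation differs, say so in the brief; that reading is inferred from the function's name and purpose, not shown in the hunk.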
@@ -504,9 +510,9 @@ void decaf_448_point_debugging_torque ( * @param [in] factor Serialized GF factor to scale. */ void decaf_448_point_debugging_pscale ( - decaf_448_point_t q, - const decaf_448_point_t p, - const unsigned char factor[DECAF_448_SER_BYTES] + decaf_448_point_t q, + const decaf_448_point_t p, + const unsigned char factor[DECAF_448_SER_BYTES] ) API_VIS NONNULL2 NOINLINE; /** @@ -610,7 +616,7 @@ decaf_448_invert_elligator_uniform ( * @brief Overwrite scalar with zeros. */ void decaf_448_scalar_destroy ( - decaf_448_scalar_t scalar + decaf_448_scalar_t scalar ) NONNULL1 API_VIS; /** @@ -618,14 +624,14 @@ void decaf_448_scalar_destroy ( * @todo Use this internally. */ void decaf_448_point_destroy ( - decaf_448_point_t point + decaf_448_point_t point ) NONNULL1 API_VIS; /** * @brief Overwrite precomputed table with zeros. */ void decaf_448_precomputed_destroy ( - decaf_448_precomputed_s *pre + decaf_448_precomputed_s *pre ) NONNULL1 API_VIS; #ifdef __cplusplus