|
Tor 0.4.9.3-alpha-dev
|
Wrapper code for an ed25519 implementation.
#include "orconfig.h"
#include "lib/ctime/di_ops.h"
#include "lib/crypt_ops/crypto_curve25519.h"
#include "lib/crypt_ops/crypto_digest.h"
#include "lib/crypt_ops/crypto_ed25519.h"
#include "lib/crypt_ops/crypto_format.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/encoding/binascii.h"
#include "lib/string/util_string.h"
#include "ed25519/ref10/ed25519_ref10.h"
#include "ed25519/donna/ed25519_donna_tor.h"
#include <string.h>
#include <errno.h>
Data Structures | |
| struct | ed25519_impl_t |
Functions | |
| static void | pick_ed25519_impl (void) |
| static const ed25519_impl_t * | get_ed_impl (void) |
| int | ed25519_secret_key_generate (ed25519_secret_key_t *seckey_out, int extra_strong) |
| int | ed25519_secret_key_from_seed (ed25519_secret_key_t *seckey_out, const uint8_t *seed) |
| int | ed25519_public_key_generate (ed25519_public_key_t *pubkey_out, const ed25519_secret_key_t *seckey) |
| int | ed25519_keypair_generate (ed25519_keypair_t *keypair_out, int extra_strong) |
| int | ed25519_public_key_is_zero (const ed25519_public_key_t *pubkey) |
| static uint8_t * | get_prefixed_msg (const uint8_t *msg, size_t msg_len, const char *prefix_str, size_t *final_msg_len_out) |
| int | ed25519_sign (ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *keypair) |
| int | ed25519_sign_prefixed (ed25519_signature_t *signature_out, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_keypair_t *keypair) |
| int | ed25519_checksig (const ed25519_signature_t *signature, const uint8_t *msg, size_t len, const ed25519_public_key_t *pubkey) |
| int | ed25519_checksig_prefixed (const ed25519_signature_t *signature, const uint8_t *msg, size_t msg_len, const char *prefix_str, const ed25519_public_key_t *pubkey) |
| int | ed25519_checksig_batch (int *okay_out, const ed25519_checkable_t *checkable, int n_checkable) |
| int | ed25519_keypair_from_curve25519_keypair (ed25519_keypair_t *out, int *signbit_out, const curve25519_keypair_t *inp) |
| int | ed25519_public_key_from_curve25519_public_key (ed25519_public_key_t *pubkey, const curve25519_public_key_t *pubkey_in, int signbit) |
| int | ed25519_keypair_blind (ed25519_keypair_t *out, const ed25519_keypair_t *inp, const uint8_t *param) |
| int | ed25519_public_blind (ed25519_public_key_t *out, const ed25519_public_key_t *inp, const uint8_t *param) |
| int | ed25519_seckey_write_to_file (const ed25519_secret_key_t *seckey, const char *filename, const char *tag) |
| int | ed25519_seckey_read_from_file (ed25519_secret_key_t *seckey_out, char **tag_out, const char *filename) |
| int | ed25519_pubkey_write_to_file (const ed25519_public_key_t *pubkey, const char *filename, const char *tag) |
| int | ed25519_pubkey_read_from_file (ed25519_public_key_t *pubkey_out, char **tag_out, const char *filename) |
| void | ed25519_keypair_free_ (ed25519_keypair_t *kp) |
| int | ed25519_pubkey_eq (const ed25519_public_key_t *key1, const ed25519_public_key_t *key2) |
| void | ed25519_pubkey_copy (ed25519_public_key_t *dest, const ed25519_public_key_t *src) |
| STATIC int | ed25519_impl_spot_check (void) |
| void | ed25519_set_impl_params (int use_donna) |
| void | ed25519_init (void) |
| static int | ed25519_point_is_identity_element (const uint8_t *point) |
| int | ed25519_validate_pubkey (const ed25519_public_key_t *pubkey) |
Variables | |
| static const ed25519_impl_t | impl_ref10 |
| static const ed25519_impl_t | impl_donna |
| static const ed25519_impl_t * | ed25519_impl = NULL |
Wrapper code for an ed25519 implementation.
Ed25519 is a Schnorr signature on a Twisted Edwards curve, defined by Dan Bernstein. For more information, see https://ed25519.cr.yp.to/
This module wraps our choice of Ed25519 backend, and provides a few convenience functions for checking and generating signatures. It also provides Tor-specific tools for key blinding and for converting Ed25519 keys to and from the corresponding Curve25519 keys.
Definition in file crypto_ed25519.c.
| #define CRYPTO_ED25519_PRIVATE |
Definition at line 18 of file crypto_ed25519.c.
| int ed25519_checksig | ( | const ed25519_signature_t * | signature, |
| const uint8_t * | msg, | ||
| size_t | len, | ||
| const ed25519_public_key_t * | pubkey | ||
| ) |
Check whether signature is a valid signature for the len-byte message in msg made with the key pubkey.
Return 0 if the signature is valid; -1 if it isn't.
Definition at line 327 of file crypto_ed25519.c.
Referenced by channel_tls_process_authenticate_cell(), ed25519_checksig_batch(), and ed25519_checksig_prefixed().
| int ed25519_checksig_batch | ( | int * | okay_out, |
| const ed25519_checkable_t * | checkable, | ||
| int | n_checkable | ||
| ) |
Validate every signature among those in checkable, which contains exactly n_checkable elements. If okay_out is non-NULL, set the i'th element of okay_out to 1 if the i'th element of checkable is valid, and to 0 otherwise. Return 0 if every signature was valid. Otherwise return -N, where N is the number of invalid signatures.
Definition at line 376 of file crypto_ed25519.c.
Referenced by extrainfo_parse_entry_from_string(), or_handshake_certs_ed25519_ok(), router_parse_entry_from_string(), and tor_cert_checksig().
| int ed25519_checksig_prefixed | ( | const ed25519_signature_t * | signature, |
| const uint8_t * | msg, | ||
| size_t | msg_len, | ||
| const char * | prefix_str, | ||
| const ed25519_public_key_t * | pubkey | ||
| ) |
Like ed25519_checksig(), but also prefix msg with prefix_str before verifying signature. prefix_str must be a NUL-terminated string.
Definition at line 339 of file crypto_ed25519.c.
Referenced by desc_sig_is_valid(), and verify_establish_intro_cell().
| STATIC int ed25519_impl_spot_check | ( | void | ) |
Check whether the given Ed25519 implementation seems to be working. If so, return 0; otherwise return -1.
Definition at line 665 of file crypto_ed25519.c.
Referenced by pick_ed25519_impl().
| void ed25519_init | ( | void | ) |
Definition at line 774 of file crypto_ed25519.c.
| int ed25519_keypair_blind | ( | ed25519_keypair_t * | out, |
| const ed25519_keypair_t * | inp, | ||
| const uint8_t * | param | ||
| ) |
Given an ed25519 keypair in inp, generate a corresponding ed25519 keypair in out, blinded by the corresponding 32-byte input in 'param'.
Tor uses key blinding for the "next-generation" hidden services design: service descriptors are encrypted with a key derived from the service's long-term public key, and then signed with (and stored at a position indexed by) a short-term key derived by blinding the long-term keys.
Return 0 if blinding was successful, else return -1.
Definition at line 514 of file crypto_ed25519.c.
Referenced by hs_build_blinded_keypair().
| void ed25519_keypair_free_ | ( | ed25519_keypair_t * | kp | ) |
Release all storage held for kp.
Definition at line 631 of file crypto_ed25519.c.
| int ed25519_keypair_from_curve25519_keypair | ( | ed25519_keypair_t * | out, |
| int * | signbit_out, | ||
| const curve25519_keypair_t * | inp | ||
| ) |
Given a curve25519 keypair in inp, generate a corresponding ed25519 keypair in out, and set signbit_out to the sign bit of the X coordinate of the ed25519 key.
NOTE THAT IT IS PROBABLY NOT SAFE TO USE THE GENERATED KEY FOR ANYTHING OUTSIDE OF WHAT'S PRESENTED IN PROPOSAL 228. In particular, it's probably not a great idea to use it to sign attacker-supplied anything.
Definition at line 455 of file crypto_ed25519.c.
Referenced by make_ntor_onion_key_crosscert().
| int ed25519_keypair_generate | ( | ed25519_keypair_t * | keypair_out, |
| int | extra_strong | ||
| ) |
Generate a new ed25519 keypair in keypair_out. If extra_strong is set, try to mix some system entropy into the key generation process. Return 0 on success, -1 on failure.
Definition at line 214 of file crypto_ed25519.c.
Referenced by build_service_desc_keys(), create_family_id_key(), ed_key_new(), and service_intro_point_new().
|
static |
Definition at line 781 of file crypto_ed25519.c.
| void ed25519_pubkey_copy | ( | ed25519_public_key_t * | dest, |
| const ed25519_public_key_t * | src | ||
| ) |
Set dest to contain the same key as src.
Definition at line 654 of file crypto_ed25519.c.
Referenced by build_service_desc_plaintext(), cache_client_desc_new(), circuit_send_intermediate_onion_skin(), connection_ap_handshake_attach_circuit(), consider_sending_introduce1(), create_family_id_key(), create_intro_circuit_identifier(), enqueue_rend_request(), find_service(), hs_client_setup_intro_circ_auth_key(), hs_ident_circuit_new(), hs_ident_dir_conn_init(), hs_ident_edge_conn_new(), hs_ident_server_dir_conn_new(), load_service_keys(), pick_needed_intro_points(), and server_onion_keys_new().
| int ed25519_pubkey_eq | ( | const ed25519_public_key_t * | key1, |
| const ed25519_public_key_t * | key2 | ||
| ) |
Return true iff key1 and key2 are the same public key.
Definition at line 642 of file crypto_ed25519.c.
Referenced by channel_rsa_id_group_set_badness(), check_one_family_cert(), circuit_matches_with_rend_stream(), close_directory_connections(), close_service_rp_circuits(), connection_or_client_learned_peer_id(), connection_or_set_identity_digest(), count_opened_desc_intro_point_circuits(), count_service_rp_circuits_pending(), directory_request_is_pending(), dirserv_orconn_tls_done(), ed_key_init_from_file(), extrainfo_dump_to_string_header_helper(), family_key_is_present(), find_desc_intro_point_by_ident(), flag_all_conn_wait_desc(), hs_service_ht_eq(), load_ed_keys(), node_ed25519_id_matches(), node_get_ed25519_id(), router_dump_router_to_string(), router_ed25519_id_is_me(), and router_parse_entry_from_string().
| int ed25519_pubkey_read_from_file | ( | ed25519_public_key_t * | pubkey_out, |
| char ** | tag_out, | ||
| const char * | filename | ||
| ) |
Read pubkey unencrypted from filename, storing it into pubkey_out. Set *tag_out to the tag it was marked with. Return 0 on success, -1 on failure.
Definition at line 610 of file crypto_ed25519.c.
Referenced by ed_key_init_from_file().
| int ed25519_pubkey_write_to_file | ( | const ed25519_public_key_t * | pubkey, |
| const char * | filename, | ||
| const char * | tag | ||
| ) |
Store pubkey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.
Definition at line 594 of file crypto_ed25519.c.
Referenced by ed_key_init_from_file(), and load_ed_keys().
| int ed25519_public_blind | ( | ed25519_public_key_t * | out, |
| const ed25519_public_key_t * | inp, | ||
| const uint8_t * | param | ||
| ) |
Given an ed25519 public key in inp, generate a corresponding blinded public key in out, blinded with the 32-byte parameter in param. Return 0 on success, -1 on failure.
Definition at line 541 of file crypto_ed25519.c.
Referenced by ed25519_keypair_blind(), and hs_build_blinded_pubkey().
| int ed25519_public_key_from_curve25519_public_key | ( | ed25519_public_key_t * | pubkey, |
| const curve25519_public_key_t * | pubkey_in, | ||
| int | signbit | ||
| ) |
Given a curve25519 public key and the sign bit of the X coordinate of the ed25519 public key, generate the corresponding ed25519 public key.
Definition at line 493 of file crypto_ed25519.c.
Referenced by ed25519_keypair_from_curve25519_keypair(), router_parse_entry_from_string(), and setup_desc_intro_point().
| int ed25519_public_key_generate | ( | ed25519_public_key_t * | pubkey_out, |
| const ed25519_secret_key_t * | seckey | ||
| ) |
Given a secret key in seckey, expand it into an ed25519 public key. Return 0 on success, -1 on failure.
Definition at line 202 of file crypto_ed25519.c.
Referenced by ed25519_keypair_blind(), ed25519_keypair_from_curve25519_keypair(), ed25519_keypair_generate(), ed_key_init_from_file(), hs_service_add_ephemeral(), and load_family_id_keys_impl().
| int ed25519_public_key_is_zero | ( | const ed25519_public_key_t * | pubkey | ) |
Return true iff 'pubkey' is set to zero (e.g., to indicate that it is not set).
Definition at line 227 of file crypto_ed25519.c.
Referenced by cache_client_intro_state_lookup(), channel_find_by_remote_identity(), circuit_n_chan_done(), connection_ap_handshake_attach_circuit(), connection_dir_client_refetch_hsdesc_if_needed(), connection_or_client_learned_peer_id(), connection_or_get_alleged_ed25519_id(), connection_or_set_identity_digest(), create_intro_circuit_identifier(), dirserv_orconn_tls_done(), ed25519_fmt(), extend_cell_format(), extend_info_describe(), extend_info_new(), find_desc_intro_point_by_ident(), hs_client_circuit_cleanup_on_free(), hs_ident_intro_circ_is_valid(), hs_pow_queue_work(), hs_pow_verify(), learned_router_identity(), node_add_to_ed25519_map(), node_ed25519_id_matches(), node_get_ed25519_id(), node_get_mutable_by_ed25519_id(), node_remove_from_ed25519_map(), nodelist_assert_ok(), onion_skin_create(), register_service(), remove_service(), and routerinfo_get_ed25519_id().
| int ed25519_seckey_read_from_file | ( | ed25519_secret_key_t * | seckey_out, |
| char ** | tag_out, | ||
| const char * | filename | ||
| ) |
Read seckey unencrypted from filename, storing it into seckey_out. Set *tag_out to the tag it was marked with. Return 0 on success, -1 on failure.
Definition at line 570 of file crypto_ed25519.c.
Referenced by ed_key_init_from_file(), and load_family_id_keys_impl().
| int ed25519_seckey_write_to_file | ( | const ed25519_secret_key_t * | seckey, |
| const char * | filename, | ||
| const char * | tag | ||
| ) |
Store seckey unencrypted to filename, marking it with tag. Return 0 on success, -1 on failure.
Definition at line 553 of file crypto_ed25519.c.
Referenced by create_family_id_key().
| int ed25519_secret_key_from_seed | ( | ed25519_secret_key_t * | seckey_out, |
| const uint8_t * | seed | ||
| ) |
Given a 32-byte random seed in seed, expand it into an ed25519 secret key in seckey_out. Return 0 on success, -1 on failure.
Definition at line 189 of file crypto_ed25519.c.
| int ed25519_secret_key_generate | ( | ed25519_secret_key_t * | seckey_out, |
| int | extra_strong | ||
| ) |
Initialize a new ed25519 secret key in seckey_out. If extra_strong, take the RNG inputs directly from the operating system. Return 0 on success, -1 on failure.
Definition at line 168 of file crypto_ed25519.c.
Referenced by add_onion_helper_keyarg(), and ed25519_keypair_generate().
| void ed25519_set_impl_params | ( | int | use_donna | ) |
Force the Ed25519 implementation to a given one, without sanity checking the output. Used for testing.
Definition at line 746 of file crypto_ed25519.c.
| int ed25519_sign | ( | ed25519_signature_t * | signature_out, |
| const uint8_t * | msg, | ||
| size_t | len, | ||
| const ed25519_keypair_t * | keypair | ||
| ) |
Set signature_out to a signature of the len-byte message msg, using the secret and public key in keypair.
Return 0 if we successfully signed the message, otherwise return -1.
Definition at line 271 of file crypto_ed25519.c.
Referenced by connection_or_compute_authenticate_cell_body(), ed25519_sign_prefixed(), extrainfo_dump_to_string_ed_sig_helper(), router_dump_router_to_string(), and tor_cert_create_raw().
| int ed25519_sign_prefixed | ( | ed25519_signature_t * | signature_out, |
| const uint8_t * | msg, | ||
| size_t | msg_len, | ||
| const char * | prefix_str, | ||
| const ed25519_keypair_t * | keypair | ||
| ) |
Like ed25519_sign(), but also prefix msg with prefix_str before signing. prefix_str must be a NUL-terminated string.
Definition at line 292 of file crypto_ed25519.c.
Referenced by desc_encode_v3(), and hs_cell_build_establish_intro().
| int ed25519_validate_pubkey | ( | const ed25519_public_key_t * | pubkey | ) |
Validate pubkey to ensure that it has no torsion component. Return 0 if pubkey is valid, else return -1.
Definition at line 796 of file crypto_ed25519.c.
Referenced by add_ed25519_to_dir(), dirserv_add_descriptor(), hs_address_is_valid(), and hs_service_add_ephemeral().
|
inlinestatic |
Helper: Return our chosen Ed25519 implementation.
This should only be called after we've picked an implementation, but it does recover if you forget this.
Definition at line 124 of file crypto_ed25519.c.
Referenced by ed25519_checksig(), ed25519_checksig_batch(), ed25519_impl_spot_check(), ed25519_keypair_blind(), ed25519_public_blind(), ed25519_public_key_from_curve25519_public_key(), ed25519_public_key_generate(), ed25519_secret_key_from_seed(), ed25519_secret_key_generate(), ed25519_sign(), and ed25519_validate_pubkey().
|
static |
Definition at line 237 of file crypto_ed25519.c.
|
static |
Choose whether to use the Ed25519-donna implementation.
Definition at line 756 of file crypto_ed25519.c.
Referenced by get_ed_impl().
|
static |
Which Ed25519 implementation are we using? NULL if we haven't decided yet.
Definition at line 116 of file crypto_ed25519.c.
Referenced by ed25519_set_impl_params(), get_ed_impl(), and pick_ed25519_impl().
|
static |
The Donna Ed25519 implementation. This one is heavily optimized, but still mostly C. The C still tends to be heavily platform-specific.
Definition at line 95 of file crypto_ed25519.c.
Referenced by ed25519_set_impl_params(), and pick_ed25519_impl().
|
static |
The Ref10 Ed25519 implementation. This one is pure C and lightly optimized.
Definition at line 74 of file crypto_ed25519.c.
Referenced by ed25519_set_impl_params(), and pick_ed25519_impl().