Merge pull request #599 from libtom/rereview-curve25519-ctx-and-ph

Re-review curve25519 ctx and ph

Author: sjaeckel

src/headers/tomcrypt_private.h

@@ -345,13 +345,13 @@ int tweetnacl_crypto_sign_open(
   int *stat,
   unsigned char *m,unsigned long long *mlen,
   const unsigned char *sm,unsigned long long smlen,
-  const unsigned char *ctx, unsigned long cs,
+  const unsigned char *ctx, unsigned long long cs,
   const unsigned char *pk);
 int tweetnacl_crypto_sign_keypair(prng_state *prng, int wprng, unsigned char *pk,unsigned char *sk);
 int tweetnacl_crypto_sk_to_pk(unsigned char *pk, const unsigned char *sk);
 int tweetnacl_crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p);
 int tweetnacl_crypto_scalarmult_base(unsigned char *q,const unsigned char *n);
-int tweetnacl_crypto_ph(unsigned char *out, const unsigned char *msg, unsigned long msglen);
+int tweetnacl_crypto_ph(unsigned char *out, const unsigned char *msg, unsigned long long msglen);
 
 typedef int (*sk_to_pk)(unsigned char *pk ,const unsigned char *sk);
 int ec25519_import_pkcs8(const unsigned char *in, unsigned long inlen,

src/pk/ec25519/ec25519_crypto_ctx.c

@@ -28,6 +28,7 @@ int ec25519_crypto_ctx(unsigned char *out, unsigned long *outlen, unsigned char
   buf++;
 
   if (ctxlen > 0u) {
+    LTC_ARGCHK(ctx != NULL);
     XMEMCPY(buf, ctx, ctxlen);
     buf += ctxlen;
   }

src/pk/ec25519/tweetnacl.c

@@ -221,39 +221,22 @@ int tweetnacl_crypto_scalarmult_base(u8 *q,const u8 *n)
   return tweetnacl_crypto_scalarmult(q,n,nine);
 }
 
-static int tweetnacl_crypto_hash(u8 *out,const u8 *m,u64 n)
+static LTC_INLINE int tweetnacl_crypto_hash_ctx(u8 *out,const u8 *m,u64 n,const u8 *ctx,u32 cs)
 {
-  unsigned long len;
-  int err, hash_idx;
+  unsigned long len = 64;
+  int hash_idx = find_hash("sha512");
 
   if (n > ULONG_MAX) return CRYPT_OVERFLOW;
 
-  hash_idx = find_hash("sha512");
-  len = 64;
-  if ((err = hash_memory(hash_idx, m, n, out, &len)) != CRYPT_OK) return err;
+  if(cs == 0)
+    return hash_memory(hash_idx, m, n, out, &len);
 
-  return 0;
+  return hash_memory_multi(hash_idx, out, &len, ctx, cs, m, n, LTC_NULL);
 }
 
-static int tweetnacl_crypto_hash_ctx(u8 *out,const u8 *m,u64 n,const u8 *ctx,u32 cs)
+static LTC_INLINE int tweetnacl_crypto_hash(u8 *out,const u8 *m,u64 n)
 {
-  unsigned long len;
-  int err;
-  u8 buf[512];
-
-  if(cs == 0)
-    return tweetnacl_crypto_hash(out,m,n);
-
-  len = n + cs;
-  if (len > 512) return CRYPT_HASH_OVERFLOW;
-
-  XMEMCPY(buf,ctx,cs);
-  XMEMCPY(buf+cs,m,n);
-
-  err = tweetnacl_crypto_hash(out,buf,len);
-  zeromem(buf, len);
-
-  return err;
+  return tweetnacl_crypto_hash_ctx(out, m, n, NULL, 0);
 }
 
 sv add(gf p[4],gf q[4])
@@ -465,7 +448,7 @@ static int unpackneg(gf r[4],const u8 p[32])
   return 0;
 }
 
-int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *ctx,size_t cs,const u8 *pk)
+int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *ctx,u64 cs,const u8 *pk)
 {
   u64 i;
   u8 s[32],t[32],h[64];
@@ -502,7 +485,7 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
   return CRYPT_OK;
 }
 
-int tweetnacl_crypto_ph(u8 *out,const u8 *msg,size_t msglen)
+int tweetnacl_crypto_ph(u8 *out,const u8 *msg,u64 msglen)
 {
   return tweetnacl_crypto_hash(out, msg, msglen);
 }

src/pk/ed25519/ed25519_sign.c

@@ -67,7 +67,7 @@ int ed25519ctx_sign(const  unsigned char *msg, unsigned long  msglen,
                     const curve25519_key *private_key)
 {
    int err;
-   unsigned char ctx_prefix[512] = {0};
+   unsigned char ctx_prefix[292];
    unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
    LTC_ARGCHK(ctx != NULL);
@@ -94,8 +94,8 @@ int ed25519ph_sign(const  unsigned char *msg, unsigned long  msglen,
                    const curve25519_key *private_key)
 {
    int err;
-   unsigned char ctx_prefix[512] = {0};
-   unsigned char msg_hash[64] = {0};
+   unsigned char msg_hash[64];
+   unsigned char ctx_prefix[292];
    unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
    if ((err = ec25519_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1, ctx, ctxlen)) != CRYPT_OK)
@@ -104,10 +104,7 @@ int ed25519ph_sign(const  unsigned char *msg, unsigned long  msglen,
    if ((err = tweetnacl_crypto_ph(msg_hash, msg, msglen)) != CRYPT_OK)
       return err;
 
-   msg = msg_hash;
-   msglen = 64;
-
-   return s_ed25519_sign(msg, msglen, sig, siglen, ctx_prefix, ctx_prefix_size, private_key);
+   return s_ed25519_sign(msg_hash, sizeof(msg_hash), sig, siglen, ctx_prefix, ctx_prefix_size, private_key);
 }
 
 /**

src/pk/ed25519/ed25519_verify.c

@@ -70,7 +70,7 @@ int ed25519ctx_verify(const  unsigned char *msg, unsigned long msglen,
                                        int *stat,
                       const curve25519_key *public_key)
 {
-   unsigned char ctx_prefix[512] = {0};
+   unsigned char ctx_prefix[292];
    unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
    LTC_ARGCHK(ctx != NULL);
@@ -100,8 +100,8 @@ int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
                      const curve25519_key *public_key)
 {
    int err;
-   unsigned char ctx_prefix[512] = {0};
-   unsigned char msg_hash[64] = {0};
+   unsigned char msg_hash[64];
+   unsigned char ctx_prefix[292];
    unsigned long ctx_prefix_size = sizeof(ctx_prefix);
 
    if ((err = ec25519_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1, ctx, ctxlen)) != CRYPT_OK)
@@ -110,10 +110,7 @@ int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
    if ((err = tweetnacl_crypto_ph(msg_hash, msg, msglen)) != CRYPT_OK)
       return err;
 
-   msg = msg_hash;
-   msglen = 64;
-
-   return s_ed25519_verify(msg, msglen, sig, siglen, ctx_prefix, ctx_prefix_size, stat, public_key);
+   return s_ed25519_verify(msg_hash, sizeof(msg_hash), sig, siglen, ctx_prefix, ctx_prefix_size, stat, public_key);
 }
 
 /**

tests/multi_test.c

@@ -15,7 +15,7 @@ int multi_test(void)
 
 /* HASH testing */
    len = sizeof(buf[0]);
-#if defined(ENDIAN_32BITWORD) || defined(_MSC_VER)
+#if defined(ENDIAN_32BITWORD) || defined(_WIN32)
    len2 = 0x80000000UL;
 #else
    /* Check against the max. input limit of SHA-1 as of RFC8017 */