From 28a5799cf7594b20f14a171412fbf3e16afdcee2 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Mon, 31 Mar 2014 16:16:31 +0900
Subject: [PATCH] eddsa_sign_25519
---
 ChangeLog | 2 ++
 misc/t-eddsa.c | 15 ++++++++++-----
 src/Makefile.in | 1 +
 src/ecc-edwards.c | 16 ++++++++++++----
 src/gnuk.h | 11 ++++++++++-
 src/openpgp.c | 9 +++++++--
 6 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index cc9412f..44a5d17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2014-03-31 Niibe Yutaka
+ * src/ecc-edwards.c (eddsa_sign_25519): Rename and API change.
+
 * src/openpgp-do.c (gpg_do_load_prvkey, gpg_do_delete_prvkey) (gpg_do_write_prvkey, gpg_do_public_key, gpg_do_keygen): Follow the change of PRVKEY_DATA and KEY_DATA.
diff --git a/misc/t-eddsa.c b/misc/t-eddsa.c
index fd1d95e..89670a4 100644
--- a/misc/t-eddsa.c
+++ b/misc/t-eddsa.c
@@ -344,12 +344,17 @@ main (int argc, char *argv[])
 bn256 pk_calculated[1];
 uint8_t hash[64];
 bn256 a[1];
- extern void eddsa_25519 (bn256 *r, bn256 *s, const uint8_t *input,
- size_t ilen, const bn256 *a, const uint8_t *seed,
- const bn256 *pk);
+ bn256 *R, *S;
+ uint8_t out[64];
+
+ extern void eddsa_sign_25519 (const uint8_t *input, size_t ilen,
+ uint8_t *output,
+ const bn256 *a, const uint8_t *seed,
+ const bn256 *pk);
 extern void eddsa_public_key_25519 (bn256 *pk, const bn256 *a);
- bn256 R[1], S[1];
+ R = (bn256 *)out;
+ S = (bn256 *)(out+32);
 while (1)
 {
@@ -374,7 +379,7 @@ main (int argc, char *argv[])
 continue;
 }
- eddsa_25519 (R, S, msg, msglen, a, hash+32, pk);
+ eddsa_sign_25519 (msg, msglen, out, a, hash+32, pk);
 if (memcmp (sig, R, sizeof (bn256)) != 0
 || memcmp (((const uint8_t *)sig)+32, S, sizeof (bn256)) != 0)
 {
diff --git a/src/Makefile.in b/src/Makefile.in
index 46169bb..ecf4b63 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
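Review bot: `R = (bn256 *)out;` and `S = (bn256 *)(out+32);` view a `uint8_t out[64]` through `bn256` pointers, yet a byte array has no alignment guarantee for the 32-bit words bn256 appears to hold, and the access conflicts with C's effective-type rule. The same cast is applied to the caller-supplied `out` inside eddsa_sign_25519 and to `r_s` in the TESTING_EDDSA main, both in src/ecc-edwards.c; on the device that buffer is res_APDU, whose alignment this patch does not show. In the test, `bn256 out[2];` passed as `(uint8_t *)out` keeps the storage aligned; in the library, computing into local `bn256 r[1], s[1]` and finishing with `memcpy (out, r, sizeof (bn256));` and `memcpy (out+32, s, sizeof (bn256));` removes the requirement. main starts and ends outside this hunk.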
@@ -15,6 +15,7 @@ CSRC = main.c usb_stm32f103.c adc_stm32f103.c \
 bn.c mod.c \
 modp256r1.c jpc_p256r1.c ec_p256r1.c call-ec_p256r1.c \
 modp256k1.c jpc_p256k1.c ec_p256k1.c call-ec_p256k1.c \
+ mod25638.c ecc-edwards.c sha512.c \
 random.c neug.c sha256.c sys.c
 INCDIR =
diff --git a/src/ecc-edwards.c b/src/ecc-edwards.c
index 06fa68e..9f0091e 100644
--- a/src/ecc-edwards.c
+++ b/src/ecc-edwards.c
@@ -749,15 +749,19 @@ mod_reduce_M (bn256 *R, const bn512 *A)
 void
-eddsa_25519 (bn256 *r, bn256 *s, const uint8_t *input, size_t ilen,
- const bn256 *a, const uint8_t *seed, const bn256 *pk)
+eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint8_t *out,
+ const bn256 *a, const uint8_t *seed, const bn256 *pk)
 {
+ bn256 *r, *s;
 sha512_context ctx;
 uint8_t hash[64];
 bn256 tmp[1];
 ac R[1];
 uint32_t carry, borrow;
+ r = (bn256 *)out;
+ s = (bn256 *)(out+32);
+
 sha512_start (&ctx);
 sha512_update (&ctx, seed, sizeof (bn256)); /* It's upper half of the hash */
 sha512_update (&ctx, input, ilen);
@@ -965,8 +969,9 @@ main (int argc, char *argv[])
 #ifdef TESTING_EDDSA
 uint8_t hash[64];
 bn256 a[1];
- bn256 r[1], s[1];
+ uint8_t r_s[64];
 bn256 pk[1];
+ bn256 *r, *s;
 const bn256 sk[1] = {
 {{ 0x9db1619d, 0x605afdef, 0xf44a84ba, 0xc42cec92,
@@ -980,6 +985,9 @@ main (int argc, char *argv[])
 {{ 0x1582b85f, 0xac3ba390, 0x70391ec6, 0x6bb4f91c, 0xf0f55bd2, 0x24be5b59, 0x43415165, 0x0b107a8e }} };
+ r = (bn256 *)r_s;
+ s = (bn256 *)(r_s+32);
+
 sha512 ((uint8_t *)sk, sizeof (bn256), hash);
 hash[0] &= 248;
 hash[31] &= 127;
@@ -987,7 +995,7 @@ main (int argc, char *argv[])
 memcpy (a, hash, sizeof (bn256));
 eddsa_public_key_25519 (pk, a);
- eddsa_25519 (r, s, (const uint8_t *)"", 0, a, hash+32, pk);
+ eddsa_sign_25519 ((const uint8_t *)"", 0, r_s, a, hash+32, pk);
 if (memcmp (r, r_expected, sizeof (bn256)) != 0
 || memcmp (s, s_expected, sizeof (bn256)) != 0)
diff --git a/src/gnuk.h b/src/gnuk.h
index 3f94037..a745383 100644
--- a/src/gnuk.h
+++ b/src/gnuk.h
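Review bot: The definition keeps the `void` return type on the context line above `eddsa_sign_25519 (...)`, while the prototype this commit adds to src/gnuk.h is `extern int eddsa_sign_25519 (...)` and src/openpgp.c stores the result in `r` and tests `r < 0`. Reading the result of a void function is undefined, so the error check on the signing path would depend on an unspecified value; the pointer parameters differ as well (`const bn256 *a`, `const bn256 *pk` here, `const uint8_t *sk_a`, `const uint8_t *pk` in the header). Unless ecc-edwards.c includes gnuk.h, which is not visible in this patch, the compiler cannot report either mismatch. Change the definition to `int`, end it with `return 0;`, and keep a single parameter list in both files. A comment above the function such as `/* OUT receives 64 bytes: R in out[0..31], S in out[32..63]. */` would document the new buffer contract; the body continues past the end of the hunk.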
@@ -154,7 +154,10 @@ struct key_data {
 };
 struct key_data_internal {
- uint32_t data[KEY_CONTENT_LEN/4]; /* p and q */
+ uint32_t data[KEY_CONTENT_LEN/4]; /*
+ * Secret key data.
+ * RSA: p and q, ECDSA: d, EdDSA: a+seed
+ */
 uint32_t checksum[DATA_ENCRYPTION_KEY_SIZE/4];
 };
@@ -253,6 +256,12 @@ extern int ecdsa_sign_p256k1 (const uint8_t *hash, uint8_t *output, const uint8_t *key_data);
 extern uint8_t *ecdsa_compute_public_p256k1 (const uint8_t *key_data);
+
+extern int eddsa_sign_25519 (const uint8_t *input, size_t ilen,
+ uint8_t *output,
+ const uint8_t *sk_a, const uint8_t *seed,
+ const uint8_t *pk);
+
 extern const uint8_t *gpg_do_read_simple (uint8_t);
 extern void gpg_do_write_simple (uint8_t, const uint8_t *, int);
 extern void gpg_increment_digital_signature_counter (void);
diff --git a/src/openpgp.c b/src/openpgp.c
index 2b8ca5d..613828d 100644
--- a/src/openpgp.c
+++ b/src/openpgp.c
@@ -808,6 +808,9 @@ cmd_get_data (void)
 #define ECDSA_HASH_LEN 32
 #define ECDSA_SIGNATURE_LENGTH 64
+#define EDDSA_HASH_LEN_MAX 256
+#define EDDSA_SIGNATURE_LENGTH 32
+
 static void
 cmd_pso (void)
 {
@@ -1034,8 +1037,10 @@ cmd_internal_authenticate (void)
 }
 res_APDU_size = EDDSA_SIGNATURE_LENGTH;
- r = eddsa_sign_25519 (apdu.cmd_apdu_data, res_APDU,
- &kd[GPG_KEY_FOR_AUTHENTICATION]);
+ r = eddsa_sign_25519 (apdu.cmd_apdu_data, len, res_APDU,
+ kd[GPG_KEY_FOR_AUTHENTICATION].data,
+ kd[GPG_KEY_FOR_AUTHENTICATION].data+32,
+ kd[GPG_KEY_FOR_AUTHENTICATION].key_addr + KEY_CONTENT_LEN);
 if (r < 0)
 GPG_ERROR ();
 }
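Review bot: `#define EDDSA_SIGNATURE_LENGTH 32` is half of what the signer produces: eddsa_sign_25519 in src/ecc-edwards.c stores r at `out` and s at `out+32`, and both test programs pass a 64-byte buffer. cmd_internal_authenticate sets `res_APDU_size = EDDSA_SIGNATURE_LENGTH;` in the later hunk, so the response would report only R while S is still written into res_APDU beyond the reported size. The constant should be `#define EDDSA_SIGNATURE_LENGTH 64`.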
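Review bot: `len` is handed to eddsa_sign_25519 as the message length, and no line in this hunk compares it with the `EDDSA_HASH_LEN_MAX` that the commit defines near cmd_pso. If the part of cmd_internal_authenticate outside the hunk does not already reject longer input, the check belongs before `res_APDU_size` is set, with the same `GPG_ERROR ();` path used for a failed signature. Separately, `kd[GPG_KEY_FOR_AUTHENTICATION].data+32` selects the seed only if `data` in struct key_data is a byte array; its members are not shown here, and with the `uint32_t` element type used by key_data_internal the offset would be 128 bytes.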