Update to version 13 and base on libsdoium stable 1.0.18

IntersectMBO · Nov 28, 2022 · 7355eeb · 7355eeb
1 parent 24407d5
commit 7355eeb
Show file tree

Hide file tree

Showing 37 changed files with 1,365 additions and 2,017 deletions.
diff --git a/cardano-crypto-praos/cardano-crypto-praos.cabal b/cardano-crypto-praos/cardano-crypto-praos.cabal
@@ -21,13 +21,13 @@ extra-source-files:    cbits/crypto_vrf.h
                        cbits/vrf03/crypto_vrf_ietfdraft03.h
                        cbits/vrf03/vrf_ietfdraft03.h
 
-                       -- cbits/vrf10_batchcompat/crypto_vrf_ietfdraft10.h
-                       -- cbits/vrf10_batchcompat/vrf_ietfdraft10.h
+                       cbits/vrf13_batchcompat/crypto_vrf_ietfdraft13.h
+                       cbits/vrf13_batchcompat/vrf_ietfdraft13.h
 
                        cbits/private/common.h
                        cbits/private/quirks.h
                        cbits/private/ed25519_ref10.h
-                       --cbits/private/hash_to_curve.h
+                       cbits/private/core_h2c.h
                        cbits/private/ed25519_ref10_fe_25_5.h
                        cbits/private/ed25519_ref10_fe_51.h
 
@@ -73,7 +73,7 @@ library
   hs-source-dirs:       src
   exposed-modules:      Cardano.Crypto.VRF.Praos
                  -- Disabled until the full audit is complete:
-                 -- ,      Cardano.Crypto.VRF.PraosBatchCompat
+                 ,      Cardano.Crypto.VRF.PraosBatchCompat
                  ,      Cardano.Crypto.RandomBytes
 
   build-depends:        base
@@ -87,17 +87,13 @@ library
 
   if !flag(external-libsodium-vrf)
     c-sources:          cbits/crypto_vrf.c
-                        cbits/vrf03/convert.c
-                        cbits/vrf03/keypair.c
                         cbits/vrf03/prove.c
                         cbits/vrf03/verify.c
                         cbits/vrf03/vrf.c
 
-                        -- cbits/vrf10_batchcompat/convert.c
-                        -- cbits/vrf10_batchcompat/verify.c
-                        -- cbits/vrf10_batchcompat/keypair.c
-                        -- cbits/vrf10_batchcompat/prove.c
-                        -- cbits/vrf10_batchcompat/vrf.c
+                        cbits/vrf13_batchcompat/verify.c
+                        cbits/vrf13_batchcompat/prove.c
+                        cbits/vrf13_batchcompat/vrf.c
 
-                        -- cbits/private/hash_to_curve.c
+                        cbits/private/core_h2c.c
                         cbits/private/ed25519_ref10.c
diff --git a/cardano-crypto-praos/cbits/crypto_vrf.c b/cardano-crypto-praos/cbits/crypto_vrf.c
@@ -44,47 +44,54 @@ crypto_vrf_keypair(unsigned char *pk, unsigned char *sk)
 }
 
 int
-crypto_vrf_keypair_from_seed(unsigned char *pk, unsigned char *sk,
-			     const unsigned char *seed)
+crypto_vrf_seed_keypair(unsigned char *pk, unsigned char *sk,
+                        const unsigned char *seed)
 {
-    return crypto_vrf_ietfdraft03_keypair_from_seed(pk, sk, seed);
-}
+    ge25519_p3 A;
 
-int
-crypto_vrf_is_valid_key(const unsigned char *pk)
-{
-    return crypto_vrf_ietfdraft03_is_valid_key(pk);
+    crypto_hash_sha512(sk, seed, 32);
+    sk[0] &= 248;
+    sk[31] &= 127;
+    sk[31] |= 64;
+
+    ge25519_scalarmult_base(&A, sk);
+    ge25519_p3_tobytes(pk, &A);
+
+    memmove(sk, seed, 32);
+    memmove(sk + 32, pk, 32);
+
+    return 0;
 }
 
 int
 crypto_vrf_prove(unsigned char *proof, const unsigned char *skpk,
 		 const unsigned char *m, const unsigned long long mlen)
 {
-    return crypto_vrf_ietfdraft03_prove(proof, skpk, m, mlen);
+    return crypto_vrf_ietfdraft13_prove(proof, skpk, m, mlen);
 }
 
 int
 crypto_vrf_verify(unsigned char *output, const unsigned char *pk,
 		  const unsigned char *proof, const unsigned char *m,
 		  const unsigned long long mlen)
 {
-    return crypto_vrf_ietfdraft03_verify(output, pk, proof, m, mlen);
+    return crypto_vrf_ietfdraft13_verify(output, pk, proof, m, mlen);
 }
 
 int
 crypto_vrf_proof_to_hash(unsigned char *hash, const unsigned char *proof)
 {
-    return crypto_vrf_ietfdraft03_proof_to_hash(hash, proof);
+    return crypto_vrf_ietfdraft13_proof_to_hash(hash, proof);
 }
 
 void
 crypto_vrf_sk_to_pk(unsigned char *pk, const unsigned char *skpk)
 {
-    crypto_vrf_ietfdraft03_sk_to_pk(pk, skpk);
+    memmove(pk, skpk+32, 32);
 }
 
 void
 crypto_vrf_sk_to_seed(unsigned char *seed, const unsigned char *skpk)
 {
-    crypto_vrf_ietfdraft03_sk_to_seed(seed, skpk);
+    memmove(seed, skpk, 32);
 }
diff --git a/cardano-crypto-praos/cbits/crypto_vrf.h b/cardano-crypto-praos/cbits/crypto_vrf.h
@@ -21,51 +21,51 @@
 extern "C" {
 #endif
 
-#define crypto_vrf_PUBLICKEYBYTES crypto_vrf_ietfdraft03_PUBLICKEYBYTES
+#define crypto_vrf_PUBLICKEYBYTES crypto_vrf_ietfdraft13_PUBLICKEYBYTES
 SODIUM_EXPORT
 size_t crypto_vrf_publickeybytes(void);
 
-#define crypto_vrf_SECRETKEYBYTES crypto_vrf_ietfdraft03_SECRETKEYBYTES
+#define crypto_vrf_SECRETKEYBYTES crypto_vrf_ietfdraft13_SECRETKEYBYTES
 SODIUM_EXPORT
 size_t crypto_vrf_secretkeybytes(void);
 
-#define crypto_vrf_SEEDBYTES crypto_vrf_ietfdraft03_SEEDBYTES
+#define crypto_vrf_SEEDBYTES crypto_vrf_ietfdraft13_SEEDBYTES
 SODIUM_EXPORT
 size_t crypto_vrf_seedbytes(void);
 
-#define crypto_vrf_PROOFBYTES crypto_vrf_ietfdraft03_PROOFBYTES
+#define crypto_vrf_PROOFBYTES crypto_vrf_ietfdraft13_BYTES
 SODIUM_EXPORT
 size_t crypto_vrf_proofbytes(void);
 
-#define crypto_vrf_OUTPUTBYTES crypto_vrf_ietfdraft03_OUTPUTBYTES
+#define crypto_vrf_OUTPUTBYTES crypto_vrf_ietfdraft13_OUTPUTBYTES
 SODIUM_EXPORT
 size_t crypto_vrf_outputbytes(void);
 
-#define crypto_vrf_PRIMITIVE "ietfdraft03"
+#define crypto_vrf_PRIMITIVE "ietfdraft13"
 SODIUM_EXPORT
 const char *crypto_vrf_primitive(void);
 
 SODIUM_EXPORT
-int crypto_vrf_keypair(unsigned char *pk, unsigned char *sk);
+int crypto_vrf_keypair(unsigned char *pk, unsigned char *sk)
+__attribute__ ((nonnull));
 
 SODIUM_EXPORT
 int crypto_vrf_keypair_from_seed(unsigned char *pk, unsigned char *sk,
-				 const unsigned char *seed);
-
-SODIUM_EXPORT
-int crypto_vrf_is_valid_key(const unsigned char *pk)
-            __attribute__ ((warn_unused_result));
+				 const unsigned char *seed)
+__attribute__ ((nonnull));
 
 SODIUM_EXPORT
 int crypto_vrf_prove(unsigned char *proof, const unsigned char *sk,
-		     const unsigned char *m, unsigned long long mlen);
+		     const unsigned char *m, unsigned long long mlen)
+__attribute__ ((nonnull));
 
 SODIUM_EXPORT
 int crypto_vrf_verify(unsigned char *output,
 		      const unsigned char *pk,
 		      const unsigned char *proof,
 		      const unsigned char *m, unsigned long long mlen)
-            __attribute__ ((warn_unused_result));
+            __attribute__ ((warn_unused_result))
+__attribute__ ((warn_unused_result))  __attribute__ ((nonnull));
 
 SODIUM_EXPORT
 int crypto_vrf_proof_to_hash(unsigned char *hash, const unsigned char *proof);

diff --git a/cardano-crypto-praos/cbits/private/common.h b/cardano-crypto-praos/cbits/private/common.h
@@ -1,7 +1,7 @@
 #ifndef common_H
 #define common_H 1
 
-#if !defined(_MSC_VER) && !defined(DEV_MODE) && 1
+#if !defined(_MSC_VER) && !defined(DEV_MODE) && 0
 # warning *** This is unstable, untested, development code.
 # warning It might not compile. It might not work as expected.
 # warning It might be totally insecure.
@@ -20,8 +20,6 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "quirks.h"
-
 #define COMPILER_ASSERT(X) (void) sizeof(char[(X) ? 1 : -1])
 
 #ifdef HAVE_TI_MODE

diff --git a/cardano-crypto-praos/cbits/private/core_h2c.c b/cardano-crypto-praos/cbits/private/core_h2c.c
@@ -0,0 +1,133 @@
+#include <assert.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "core_h2c.h"
+#include "sodium/crypto_hash_sha256.h"
+#include "sodium/crypto_hash_sha512.h"
+#include "common.h"
+
+#define HASH_BYTES      crypto_hash_sha256_BYTES
+#define HASH_BLOCKBYTES 64U
+
+static void
+core_h2c_string_to_hash_sha256(unsigned char *h, const size_t h_len, const char *ctx,
+                               const unsigned char *msg, size_t msg_len)
+{
+    crypto_hash_sha256_state st;
+    const unsigned char      empty_block[HASH_BLOCKBYTES] = { 0 };
+    unsigned char            u0[HASH_BYTES];
+    unsigned char            ux[HASH_BYTES] = { 0 };
+    unsigned char            t[3] = { 0U, (unsigned char) h_len, 0U};
+    unsigned char            ctx_len_u8;
+    size_t                   ctx_len = ctx != NULL ? strlen(ctx) : 0U;
+    size_t                   i, j;
+
+    assert(h_len <= 0xff);
+    if (ctx_len > (size_t) 0xff) {
+        crypto_hash_sha256_init(&st);
+        crypto_hash_sha256_update(&st,
+                                  (const unsigned char *) "H2C-OVERSIZE-DST-",
+                                  sizeof "H2C-OVERSIZE-DST-" - 1U);
+        crypto_hash_sha256_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha256_final(&st, u0);
+        ctx = (const char *) u0;
+        ctx_len = HASH_BYTES;
+        COMPILER_ASSERT(HASH_BYTES <= (size_t) 0xff);
+    }
+    ctx_len_u8 = (unsigned char) ctx_len;
+    crypto_hash_sha256_init(&st);
+    crypto_hash_sha256_update(&st, empty_block, sizeof empty_block);
+    crypto_hash_sha256_update(&st, msg, msg_len);
+    crypto_hash_sha256_update(&st, t, 3U);
+    crypto_hash_sha256_update(&st, (const unsigned char *) ctx, ctx_len);
+    crypto_hash_sha256_update(&st, &ctx_len_u8, 1U);
+    crypto_hash_sha256_final(&st, u0);
+
+    for (i = 0U; i < h_len; i += HASH_BYTES) {
+        for (j = 0U; j < HASH_BYTES; j++) {
+            ux[j] ^= u0[j];
+        }
+        t[2]++;
+        crypto_hash_sha256_init(&st);
+        crypto_hash_sha256_update(&st, ux, HASH_BYTES);
+        crypto_hash_sha256_update(&st, &t[2], 1U);
+        crypto_hash_sha256_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha256_update(&st, &ctx_len_u8, 1U);
+        crypto_hash_sha256_final(&st, ux);
+        memcpy(&h[i], ux, h_len - i >= (sizeof ux) ? (sizeof ux) : h_len - i);
+    }
+}
+
+#undef  HASH_BYTES
+#undef  HASH_BLOCKBYTES
+
+#define HASH_BYTES      crypto_hash_sha512_BYTES
+#define HASH_BLOCKBYTES 128U
+
+static void
+core_h2c_string_to_hash_sha512(unsigned char *h, const size_t h_len, const char *ctx,
+                               const unsigned char *msg, size_t msg_len)
+{
+    crypto_hash_sha512_state st;
+    const unsigned char      empty_block[HASH_BLOCKBYTES] = { 0 };
+    unsigned char            u0[HASH_BYTES];
+    unsigned char            ux[HASH_BYTES] = { 0 };
+    unsigned char            t[3] = { 0U, (unsigned char) h_len, 0U};
+    unsigned char            ctx_len_u8;
+    size_t                   ctx_len = ctx != NULL ? strlen(ctx) : 0U;
+    size_t                   i, j;
+
+    assert(h_len <= 0xff);
+    if (ctx_len > (size_t) 0xff) {
+        crypto_hash_sha512_init(&st);
+        crypto_hash_sha512_update(&st,
+                                  (const unsigned char *) "H2C-OVERSIZE-DST-",
+                                  sizeof "H2C-OVERSIZE-DST-" - 1U);
+        crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha512_final(&st, u0);
+        ctx = (const char *) u0;
+        ctx_len = HASH_BYTES;
+        COMPILER_ASSERT(HASH_BYTES <= (size_t) 0xff);
+    }
+    ctx_len_u8 = (unsigned char) ctx_len;
+    crypto_hash_sha512_init(&st);
+    crypto_hash_sha512_update(&st, empty_block, sizeof empty_block);
+    crypto_hash_sha512_update(&st, msg, msg_len);
+    crypto_hash_sha512_update(&st, t, 3U);
+    crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+    crypto_hash_sha512_update(&st, &ctx_len_u8, 1U);
+    crypto_hash_sha512_final(&st, u0);
+
+    for (i = 0U; i < h_len; i += HASH_BYTES) {
+        for (j = 0U; j < HASH_BYTES; j++) {
+            ux[j] ^= u0[j];
+        }
+        t[2]++;
+        crypto_hash_sha512_init(&st);
+        crypto_hash_sha512_update(&st, ux, HASH_BYTES);
+        crypto_hash_sha512_update(&st, &t[2], 1U);
+        crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha512_update(&st, &ctx_len_u8, 1U);
+        crypto_hash_sha512_final(&st, ux);
+        memcpy(&h[i], ux, h_len - i >= (sizeof ux) ? (sizeof ux) : h_len - i);
+    }
+}
+
+int
+core_h2c_string_to_hash(unsigned char *h, const size_t h_len, const char *ctx,
+                        const unsigned char *msg, size_t msg_len, int hash_alg)
+{
+    switch (hash_alg) {
+        case CORE_H2C_SHA256:
+            core_h2c_string_to_hash_sha256(h, h_len, ctx, msg, msg_len);
+            return 0;
+        case CORE_H2C_SHA512:
+            core_h2c_string_to_hash_sha512(h, h_len, ctx, msg, msg_len);
+            return 0;
+        default:
+            errno = EINVAL;
+            return -1;
+    }
+}
diff --git a/cardano-crypto-praos/cbits/private/core_h2c.h b/cardano-crypto-praos/cbits/private/core_h2c.h
@@ -0,0 +1,10 @@
+#ifndef core_h2c_H
+#define core_h2c_H
+
+#define CORE_H2C_SHA256 1
+#define CORE_H2C_SHA512 2
+
+int core_h2c_string_to_hash(unsigned char *h, const size_t h_len, const char *ctx,
+                            const unsigned char *msg, size_t msg_len,
+                            int hash_alg);
+#endif