탐색 도움말
로그인
cloudflare
/
cfssl
의 미러 https://github.com/cloudflare/cfssl
Watch 1
Star 0
포크 0
파일 이슈
트리: f6cb3e8a12
브랜치 태그
cfssl
/
vendor
/
golang.org
/
x
/
crypto
/
curve25519
/
curve25519.go

curve25519.go 4.0 KB
히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147 
  1. // Copyright 2019 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. // Package curve25519 provides an implementation of the X25519 function, which
    6. 

  6. // performs scalar multiplication on the elliptic curve known as Curve25519.
    7. 

  7. // See RFC 7748.
    8. 

  8. package curve25519 // import "golang.org/x/crypto/curve25519"
    9. 

  9. 

  10. import (
    11. 

  11. 	"crypto/subtle"
    12. 

  12. 	"errors"
    13. 

  13. 	"strconv"
    14. 

  14. 

  15. 	"golang.org/x/crypto/curve25519/internal/field"
    16. 

  16. )
    17. 

  17. 

  18. // ScalarMult sets dst to the product scalar * point.
    19. 

  19. //
    20. 

  20. // Deprecated: when provided a low-order point, ScalarMult will set dst to all
    21. 

  21. // zeroes, irrespective of the scalar. Instead, use the X25519 function, which
    22. 

  22. // will return an error.
    23. 

  23. func ScalarMult(dst, scalar, point *[32]byte) {
    24. 

  24. 	var e [32]byte
    25. 

  25. 

  26. 	copy(e[:], scalar[:])
    27. 

  27. 	e[0] &= 248
    28. 

  28. 	e[31] &= 127
    29. 

  29. 	e[31] |= 64
    30. 

  30. 

  31. 	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
    32. 

  32. 	x1.SetBytes(point[:])
    33. 

  33. 	x2.One()
    34. 

  34. 	x3.Set(&x1)
    35. 

  35. 	z3.One()
    36. 

  36. 

  37. 	swap := 0
    38. 

  38. 	for pos := 254; pos >= 0; pos-- {
    39. 

  39. 		b := e[pos/8] >> uint(pos&7)
    40. 

  40. 		b &= 1
    41. 

  41. 		swap ^= int(b)
    42. 

  42. 		x2.Swap(&x3, swap)
    43. 

  43. 		z2.Swap(&z3, swap)
    44. 

  44. 		swap = int(b)
    45. 

  45. 

  46. 		tmp0.Subtract(&x3, &z3)
    47. 

  47. 		tmp1.Subtract(&x2, &z2)
    48. 

  48. 		x2.Add(&x2, &z2)
    49. 

  49. 		z2.Add(&x3, &z3)
    50. 

  50. 		z3.Multiply(&tmp0, &x2)
    51. 

  51. 		z2.Multiply(&z2, &tmp1)
    52. 

  52. 		tmp0.Square(&tmp1)
    53. 

  53. 		tmp1.Square(&x2)
    54. 

  54. 		x3.Add(&z3, &z2)
    55. 

  55. 		z2.Subtract(&z3, &z2)
    56. 

  56. 		x2.Multiply(&tmp1, &tmp0)
    57. 

  57. 		tmp1.Subtract(&tmp1, &tmp0)
    58. 

  58. 		z2.Square(&z2)
    59. 

  59. 

  60. 		z3.Mult32(&tmp1, 121666)
    61. 

  61. 		x3.Square(&x3)
    62. 

  62. 		tmp0.Add(&tmp0, &z3)
    63. 

  63. 		z3.Multiply(&x1, &z2)
    64. 

  64. 		z2.Multiply(&tmp1, &tmp0)
    65. 

  65. 	}
    66. 

  66. 

  67. 	x2.Swap(&x3, swap)
    68. 

  68. 	z2.Swap(&z3, swap)
    69. 

  69. 

  70. 	z2.Invert(&z2)
    71. 

  71. 	x2.Multiply(&x2, &z2)
    72. 

  72. 	copy(dst[:], x2.Bytes())
    73. 

  73. }
    74. 

  74. 

  75. // ScalarBaseMult sets dst to the product scalar * base where base is the
    76. 

  76. // standard generator.
    77. 

  77. //
    78. 

  78. // It is recommended to use the X25519 function with Basepoint instead, as
    79. 

  79. // copying into fixed size arrays can lead to unexpected bugs.
    80. 

  80. func ScalarBaseMult(dst, scalar *[32]byte) {
    81. 

  81. 	ScalarMult(dst, scalar, &basePoint)
    82. 

  82. }
    83. 

  83. 

  84. const (
    85. 

  85. 	// ScalarSize is the size of the scalar input to X25519.
    86. 

  86. 	ScalarSize = 32
    87. 

  87. 	// PointSize is the size of the point input to X25519.
    88. 

  88. 	PointSize = 32
    89. 

  89. )
    90. 

  90. 

  91. // Basepoint is the canonical Curve25519 generator.
    92. 

  92. var Basepoint []byte
    93. 

  93. 

  94. var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
    95. 

  95. 

  96. func init() { Basepoint = basePoint[:] }
    97. 

  97. 

  98. func checkBasepoint() {
    99. 

  99. 	if subtle.ConstantTimeCompare(Basepoint, []byte{
    100. 

  100. 		0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    101. 

  101. 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    102. 

  102. 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    103. 

  103. 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    104. 

  104. 	}) != 1 {
    105. 

  105. 		panic("curve25519: global Basepoint value was modified")
    106. 

  106. 	}
    107. 

  107. }
    108. 

  108. 

  109. // X25519 returns the result of the scalar multiplication (scalar * point),
    110. 

  110. // according to RFC 7748, Section 5. scalar, point and the return value are
    111. 

  111. // slices of 32 bytes.
    112. 

  112. //
    113. 

  113. // scalar can be generated at random, for example with crypto/rand. point should
    114. 

  114. // be either Basepoint or the output of another X25519 call.
    115. 

  115. //
    116. 

  116. // If point is Basepoint (but not if it's a different slice with the same
    117. 

  117. // contents) a precomputed implementation might be used for performance.
    118. 

  118. func X25519(scalar, point []byte) ([]byte, error) {
    119. 

  119. 	// Outline the body of function, to let the allocation be inlined in the
    120. 

  120. 	// caller, and possibly avoid escaping to the heap.
    121. 

  121. 	var dst [32]byte
    122. 

  122. 	return x25519(&dst, scalar, point)
    123. 

  123. }
    124. 

  124. 

  125. func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) {
    126. 

  126. 	var in [32]byte
    127. 

  127. 	if l := len(scalar); l != 32 {
    128. 

  128. 		return nil, errors.New("bad scalar length: " + strconv.Itoa(l) + ", expected 32")
    129. 

  129. 	}
    130. 

  130. 	if l := len(point); l != 32 {
    131. 

  131. 		return nil, errors.New("bad point length: " + strconv.Itoa(l) + ", expected 32")
    132. 

  132. 	}
    133. 

  133. 	copy(in[:], scalar)
    134. 

  134. 	if &point[0] == &Basepoint[0] {
    135. 

  135. 		checkBasepoint()
    136. 

  136. 		ScalarBaseMult(dst, &in)
    137. 

  137. 	} else {
    138. 

  138. 		var base, zero [32]byte
    139. 

  139. 		copy(base[:], point)
    140. 

  140. 		ScalarMult(dst, &in, &base)
    141. 

  141. 		if subtle.ConstantTimeCompare(dst[:], zero[:]) == 1 {
    142. 

  142. 			return nil, errors.New("bad input point: low order point")
    143. 

  143. 		}
    144. 

  144. 	}
    145. 

  145. 	return dst[:], nil
    146. 

  146. }
    147. 

  147.