Add SignStream and VerifyStream functions (GH #796)

2019-02-10 22:09:28 -05:00 · 2019-02-10 22:09:28 -05:00 · 7143da6864
parent 1c6a96a57e
commit 7143da6864
5 changed files with 190 additions and 3 deletions
--- a/donna.h
+++ b/donna.h
@ -81,6 +81,23 @@ int ed25519_publickey(byte publicKey[32], const byte secretKey[32]);
 ///   SHA512.
 int ed25519_sign(const byte* message, size_t messageLength, const byte secretKey[32], const byte publicKey[32], byte signature[64]);

+/// \brief Creates a signature on a message
+/// \param stream std::istream derived class
+/// \param publicKey byte array with the public key
+/// \param secretKey byte array with the private key
+/// \param signature byte array for the signature
+/// \returns 0 on success, non-0 otherwise
+/// \details ed25519_sign() generates a signature on a message using
+///   the public and private keys. The various buffers can be exact
+///   sizes, and do not require extra space like when using the
+///   NaCl library functions.
+/// \details This ed25519_sign() overload handles large streams. It
+///   was added for signing and verifying files that are too large
+///   for a memory allocation.
+/// \details At the moment the hash function for signing is fixed at
+///   SHA512.
+int ed25519_sign(std::istream& stream, const byte secretKey[32], const byte publicKey[32], byte signature[64]);
+
 /// \brief Verifies a signature on a message
 /// \param message byte array with the message
 /// \param messageLength size of the message, in bytes
@ -88,13 +105,29 @@ int ed25519_sign(const byte* message, size_t messageLength, const byte secretKey
 /// \param signature byte array with the signature
 /// \returns 0 on success, non-0 otherwise
 /// \details ed25519_sign_open() verifies a signature on a message using
-///   the public. The various buffers can be exact sizes, and do not
+///   the public key. The various buffers can be exact sizes, and do not
 ///   require extra space like when using the NaCl library functions.
 /// \details At the moment the hash function for signing is fixed at
 ///   SHA512.
 int
 ed25519_sign_open(const byte *message, size_t messageLength, const byte publicKey[32], const byte signature[64]);

+/// \brief Verifies a signature on a message
+/// \param stream std::istream derived class
+/// \param publicKey byte array with the public key
+/// \param signature byte array with the signature
+/// \returns 0 on success, non-0 otherwise
+/// \details ed25519_sign_open() verifies a signature on a message using
+///   the public key. The various buffers can be exact sizes, and do not
+///   require extra space like when using the NaCl library functions.
+/// \details This ed25519_sign_open() overload handles large streams. It
+///   was added for signing and verifying files that are too large
+///   for a memory allocation.
+/// \details At the moment the hash function for signing is fixed at
+///   SHA512.
+int
+ed25519_sign_open(std::istream& stream, const byte publicKey[32], const byte signature[64]);
+
 //****************************** Internal ******************************//

 #ifndef CRYPTOPP_DOXYGEN_PROCESSING
--- a/donna_64.cpp
+++ b/donna_64.cpp
@ -27,6 +27,9 @@
 #include "misc.h"
 #include "cpu.h"

+#include <istream>
+#include <sstream>
+
 #if CRYPTOPP_GCC_DIAGNOSTIC_AVAILABLE
 # pragma GCC diagnostic ignored "-Wunused-function"
 #endif
@ -780,6 +783,18 @@ ed25519_extsk(hash_512bits extsk, const byte sk[32]) {
    extsk[31] |= 64;
 }

+void
+UpdateFromStream(HashTransformation& hash, std::istream& stream)
+{
+    SecByteBlock block(4096);
+    while (stream.read((char*)block.begin(), block.size()))
+        hash.Update(block, block.size());
+
+    std::streamsize rem = stream.gcount();
+    if (rem)
+        hash.Update(block, rem);
+}
+
 void
 ed25519_hram(hash_512bits hram, const byte RS[64], const byte pk[32], const unsigned char *m, size_t mlen) {
    SHA512 hash;
@ -789,6 +804,15 @@ ed25519_hram(hash_512bits hram, const byte RS[64], const byte pk[32], const unsi
    hash.Final(hram);
 }

+void
+ed25519_hram(hash_512bits hram, const byte RS[64], const byte pk[32], std::istream& stream) {
+    SHA512 hash;
+    hash.Update(RS, 32);
+    hash.Update(pk, 32);
+    UpdateFromStream(hash, stream);
+    hash.Final(hram);
+}
+
 bignum256modm_element_t
 lt_modm(bignum256modm_element_t a, bignum256modm_element_t b) {
    return (a - b) >> 63;
@ -861,7 +885,6 @@ barrett_reduce256_modm(bignum256modm r, const bignum256modm q1, const bignum256m
    reduce256_modm(r);
 }

-
 void
 add256_modm(bignum256modm r, const bignum256modm x, const bignum256modm y) {
    bignum256modm_element_t c;
@ -1573,6 +1596,54 @@ ed25519_publickey(byte publicKey[32], const byte secretKey[32])
    return ed25519_publickey_CXX(publicKey, secretKey);
 }

+int
+ed25519_sign_CXX(std::istream& stream, const byte sk[32], const byte pk[32], byte RS[64])
+{
+    using namespace CryptoPP::Donna::Ed25519;
+
+    bignum256modm r, S, a;
+    ALIGN(16) ge25519 R;
+    hash_512bits extsk, hashr, hram;
+
+    // Unfortunately we need to read the stream twice. The fisrt time calculates
+    // 'r = H(aExt[32..64], m)'. The second time calculates 'S = H(R,A,m)'. There
+    // is a data dependency due to hashing 'RS' with 'R = [r]B' that does not
+    // allow us to read the stream once.
+    std::streampos where = stream.tellg();
+
+    ed25519_extsk(extsk, sk);
+
+    /* r = H(aExt[32..64], m) */
+    SHA512 hash;
+    hash.Update(extsk + 32, 32);
+    UpdateFromStream(hash, stream);
+    hash.Final(hashr);
+    expand256_modm(r, hashr, 64);
+
+    /* R = rB */
+    ge25519_scalarmult_base_niels(&R, ge25519_niels_base_multiples, r);
+    ge25519_pack(RS, &R);
+
+    // Reset stream for the second digest
+    stream.clear();
+    stream.seekg(where);
+
+    /* S = H(R,A,m).. */
+    ed25519_hram(hram, RS, pk, stream);
+    expand256_modm(S, hram, 64);
+
+    /* S = H(R,A,m)a */
+    expand256_modm(a, extsk, 32);
+    mul256_modm(S, S, a);
+
+    /* S = (r + H(R,A,m)a) */
+    add256_modm(S, S, r);
+
+    /* S = (r + H(R,A,m)a) mod L */
+    contract256_modm(RS + 32, S);
+    return 0;
+}
+
 int
 ed25519_sign_CXX(const byte *m, size_t mlen, const byte sk[32], const byte pk[32], byte RS[64])
 {
@ -1611,6 +1682,13 @@ ed25519_sign_CXX(const byte *m, size_t mlen, const byte sk[32], const byte pk[32
    return 0;
 }

+int
+ed25519_sign(std::istream& stream, const byte secretKey[32], const byte publicKey[32],
+             byte signature[64])
+{
+    return ed25519_sign_CXX(stream, secretKey, publicKey, signature);
+}
+
 int
 ed25519_sign(const byte* message, size_t messageLength, const byte secretKey[32],
             const byte publicKey[32], byte signature[64])
@ -1646,6 +1724,40 @@ ed25519_sign_open_CXX(const byte *m, size_t mlen, const byte pk[32], const byte
    return ed25519_verify(RS, checkR, 32) ? 0 : -1;
 }

+int
+ed25519_sign_open_CXX(std::istream& stream, const byte pk[32], const byte RS[64]) {
+
+    using namespace CryptoPP::Donna::Ed25519;
+
+    ALIGN(16) ge25519 R, A;
+    hash_512bits hash;
+    bignum256modm hram, S;
+    unsigned char checkR[32];
+
+    if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
+        return -1;
+
+    /* hram = H(R,A,m) */
+    ed25519_hram(hash, RS, pk, stream);
+    expand256_modm(hram, hash, 64);
+
+    /* S */
+    expand256_modm(S, RS + 32, 32);
+
+    /* SB - H(R,A,m)A */
+    ge25519_double_scalarmult_vartime(&R, &A, hram, S);
+    ge25519_pack(checkR, &R);
+
+    /* check that R = SB - H(R,A,m)A */
+    return ed25519_verify(RS, checkR, 32) ? 0 : -1;
+}
+
+int
+ed25519_sign_open(std::istream& stream, const byte publicKey[32], const byte signature[64])
+{
+    return ed25519_sign_open_CXX(stream, publicKey, signature);
+}
+
 int
 ed25519_sign_open(const byte *message, size_t messageLength, const byte publicKey[32], const byte signature[64])
 {
--- a/poly1305.cpp
+++ b/poly1305.cpp
@ -209,7 +209,7 @@ void Poly1305_Base<T>::UncheckedSetKey(const byte *key, unsigned int length, con
 	if (params.GetValue(Name::IV(), t) && t.begin() && t.size())
 	{
 		CRYPTOPP_ASSERT(t.size() == m_nk.size());
-		Resynchronize(t.begin(), t.size());
+		Resynchronize(t.begin(), (int)t.size());
 	}

 	Restart();
--- a/xed25519.cpp
+++ b/xed25519.cpp
@ -685,6 +685,17 @@ size_t ed25519Signer::SignAndRestart(RandomNumberGenerator &rng, PK_MessageAccum
    return ret == 0 ? SIGNATURE_LENGTH : 0;
 }

+size_t ed25519Signer::SignStream (RandomNumberGenerator &rng, std::istream& stream, byte *signature) const
+{
+    CRYPTOPP_ASSERT(signature != NULLPTR); CRYPTOPP_UNUSED(rng);
+
+    const ed25519PrivateKey& pk = static_cast<const ed25519PrivateKey&>(GetPrivateKey());
+    int ret = Donna::ed25519_sign(stream, pk.GetPrivateKeyBytePtr(), pk.GetPublicKeyBytePtr(), signature);
+    CRYPTOPP_ASSERT(ret == 0);
+
+    return ret == 0 ? SIGNATURE_LENGTH : 0;
+}
+
 // ******************** ed25519 Verifier ************************* //

 bool ed25519PublicKey::GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
@ -856,4 +867,14 @@ bool ed25519Verifier::VerifyAndRestart(PK_MessageAccumulator &messageAccumulator
    return ret == 0;
 }

+bool ed25519Verifier::VerifyStream(std::istream& stream, const byte *signature, size_t signatureLen) const
+{
+    CRYPTOPP_ASSERT(signatureLen == SIGNATURE_LENGTH);
+
+    const ed25519PublicKey& pk = static_cast<const ed25519PublicKey&>(GetPublicKey());
+    int ret = Donna::ed25519_sign_open(stream, pk.GetPublicKeyBytePtr(), signature);
+
+    return ret == 0;
+}
+
 NAMESPACE_END  // CryptoPP
--- a/xed25519.h
+++ b/xed25519.h
@ -574,6 +574,18 @@ struct ed25519Signer : public PK_Signer

    size_t SignAndRestart(RandomNumberGenerator &rng, PK_MessageAccumulator &messageAccumulator, byte *signature, bool restart) const;

+    /// \brief Sign a stream
+    /// \param rng a RandomNumberGenerator derived class
+    /// \param stream an std::istream derived class
+    /// \param signature a block of bytes for the signature
+    /// \return actual signature length
+    /// \details SignStream() handles large streams. It was added for signing and verifying
+    ///  files that are too large for a memory allocation.
+    /// \details ed25519 is a determinsitic signature scheme. <tt>IsProbabilistic()</tt>
+    ///  returns false and the random number generator can be <tt>NullRNG()</tt>.
+    /// \pre <tt>COUNTOF(signature) == MaxSignatureLength()</tt>
+    size_t SignStream (RandomNumberGenerator &rng, std::istream& stream, byte *signature) const;
+
 protected:
    ed25519PrivateKey m_key;
 };
@ -742,6 +754,15 @@ struct ed25519Verifier : public PK_Verifier

    bool VerifyAndRestart(PK_MessageAccumulator &messageAccumulator) const;

+    /// \brief Check whether input signature is a valid signature for input message
+    /// \param stream an std::istream derived class
+    /// \param signature a pointer to the signature over the message
+    /// \param signatureLen the size of the signature
+    /// \return true if the signature is valid, false otherwise
+    /// \details VerifyStream() handles large streams. It was added for signing and verifying
+    ///  files that are too large for a memory allocation.
+    bool VerifyStream(std::istream& stream, const byte *signature, size_t signatureLen) const;
+
    DecodingResult RecoverAndRestart(byte *recoveredMessage, PK_MessageAccumulator &messageAccumulator) const {
        CRYPTOPP_UNUSED(recoveredMessage); CRYPTOPP_UNUSED(messageAccumulator);
        throw NotImplemented("ed25519Verifier: this object does not support recoverable messages");