now EdDSA works.

ChangeLog

@@ -1,3 +1,10 @@
+2014-04-03  Niibe Yutaka  <gniibe@fsij.org>
+
+	* src/ecc-edwards.c (eddsa_sign_25519): Change type of OUT.
+	* src/openpgp.c (cmd_internal_authenticate): Have a buffer.
+
+	* src/flash.c (flash_init): Fix key address finder.
+
 2014-04-02  Niibe Yutaka  <gniibe@fsij.org>
 
 	* src/openpgp-do.c (proc_key_import): Handle EdDSA.

doc/note/NOTES

@@ -76,7 +76,6 @@ KEYPTR
          ----> [   P   ][   Q   ][       N        ]
                <---encrypted----><---  plain  ---->
 
-key_addr                       4-byte
 initial_vector (random)        16-byte
 checksum_encrypted             16-byte
 dek_encrypted_by_keystring_pw1 16-byte

src/ecc-edwards.c

@@ -750,7 +750,7 @@ mod_reduce_M (bn256 *R, const bn512 *A)
 
 
 void
-eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint8_t *out,
+eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint32_t *out,
 		  const bn256 *a, const uint8_t *seed, const bn256 *pk)
 {
   bn256 *r, *s;
@@ -761,7 +761,7 @@ eddsa_sign_25519 (const uint8_t *input, size_t ilen, uint8_t *out,
   uint32_t carry, borrow;
 
   r = (bn256 *)out;
-  s = (bn256 *)(out+32);
+  s = (bn256 *)(out+(32/4));
 
   sha512_start (&ctx);
   sha512_update (&ctx, seed, sizeof (bn256)); /* It's upper half of the hash */

src/flash.c

@@ -80,20 +80,17 @@ extern uint8_t _data_pool;
 static int key_available_at (uint8_t *k)
 {
   int i;
-  uint8_t *p;
 
-  p = k;
   for (i = 0; i < KEY_SIZE; i++)
-    if (*p)
+    if (k[i])
       break;
-  if (p == k + KEY_SIZE)	/* It's ZERO.  Released key.  */
+  if (i == KEY_SIZE)	/* It's ZERO.  Released key.  */
     return 0;
 
-  p = k;
   for (i = 0; i < KEY_SIZE; i++)
-    if (*p != 0xff)
+    if (k[i] != 0xff)
       break;
-  if (p == k + KEY_SIZE)	/* It's FULL.  Unused key.  */
+  if (i == KEY_SIZE)	/* It's FULL.  Unused key.  */
     return 0;
 
   return 1;
@@ -127,7 +124,7 @@ flash_init (void)
       uint8_t *k;
 
       kd[i].key_addr = NULL;
-      for (k = p; k < k + FLASH_PAGE_SIZE; k += KEY_SIZE)
+      for (k = p; k < p + FLASH_PAGE_SIZE; k += KEY_SIZE)
 	if (key_available_at (k))
 	  {
 	    kd[i].key_addr = k;

src/gnuk.h

@@ -257,7 +257,7 @@ extern int ecdsa_sign_p256k1 (const uint8_t *hash, uint8_t *output,
 extern uint8_t *ecdsa_compute_public_p256k1 (const uint8_t *key_data);
 
 extern int eddsa_sign_25519 (const uint8_t *input, size_t ilen,
-			     uint8_t *output,
+			     uint32_t *output,
 			     const uint8_t *sk_a, const uint8_t *seed,
 			     const uint8_t *pk);
 extern uint8_t *eddsa_compute_public_25519 (const uint8_t *a);

src/openpgp.c

@@ -809,7 +809,7 @@ cmd_get_data (void)
 #define ECDSA_SIGNATURE_LENGTH 64
 
 #define EDDSA_HASH_LEN_MAX 256
-#define EDDSA_SIGNATURE_LENGTH 32
+#define EDDSA_SIGNATURE_LENGTH 64
 
 static void
 cmd_pso (void)
@@ -1020,6 +1020,8 @@ cmd_internal_authenticate (void)
 
   if (P1 (apdu) == 0x00 && P2 (apdu) == 0x00)
     {
+      uint32_t output[64/4];	/* Require 4-byte alignment. */
+
       DEBUG_SHORT (len);
 
       if (!ac_check_status (AC_OTHER_AUTHORIZED))
@@ -1037,10 +1039,11 @@ cmd_internal_authenticate (void)
 	}
 
       res_APDU_size = EDDSA_SIGNATURE_LENGTH;
-      r = eddsa_sign_25519 (apdu.cmd_apdu_data, len, res_APDU,
+      r = eddsa_sign_25519 (apdu.cmd_apdu_data, len, output,
 	    kd[GPG_KEY_FOR_AUTHENTICATION].data,
 	    kd[GPG_KEY_FOR_AUTHENTICATION].data+32,
 	    kd[GPG_KEY_FOR_AUTHENTICATION].key_addr + KEY_CONTENT_LEN);
+      memcpy (res_APDU, output, EDDSA_SIGNATURE_LENGTH);
       if (r < 0)
 	GPG_ERROR ();
     }