hanswolff / curve25519 Goto Github PK

using the pasted example code, my program crashes with the following.

Unhandled Exception: System.OverflowException: Arithmetic operation resulted in
an overflow.
at CryptoTests.Curve25519.Pack(Long10 x, Byte[] m) in c:\Projects\CryptoTests\Curve25519.cs:line 352
at CryptoTests.Curve25519.Core(Byte[] publicKey, Byte[] signingKey, Byte[] privateKey, Byte[] peerPublicKey) in
c:\Projects\CryptoTests\Curve25519.cs:line 855
at CryptoTests.Curve25519.GetPublicKey(Byte[] privateKey) in c:\Projects\CryptoTests\Curve25519.cs:line 117
at CryptoTests.Program.Main(String[] args) in c:\Projects\CryptoTests\Program.cs:line 44

using .NET 4.0 and SharpDevelop

We found that we couldn't get this and another library that uses Curve25519 to work so we tested both libraries against the official test vectors. In particular, we tested the conversion from the secret key of party A (d_A) to the public key (x_A). These test vectors are found on the last page of the draft RFC:
https://tools.ietf.org/html/draft-josefsson-tls-curve25519-04

Here is the sample code using the WallF.BaseNEncodings package to convert hex to byte arrays:

var d_A = "5ac99f33632e5a768de7e81bf854c27c46e3fbf2abbacd29ec4aff517369c660".ToUpper();
var d_A_bytes = BaseEncoding.Base16.FromBaseString(d_A);
var d_A_clamped = Curve25519.ClampPrivateKey(d_A_bytes);

// value should be 057e23ea9f1cbe8a27168f6e696a791de61dd3af7acd4eeacc6e7ba514fda863
var x_A_bytes = Curve25519.GetPublicKey(d_A_bytes); // gives a704c2f860fe0c74c457ed4d0f1b26e907491fa34c3b3af0c2f89bd391f68c01
var x_A_clamped = Curve25519.GetPublicKey(d_A_clamped); // gives 565689ffdf3c5be17b44ab2a5519e28a919b520c2fb9fde9414b46dcdbc99c3b

Hi,

Could you state the license of the source code (e.g. with a LICENSE file in the root directory)?

for example Alice has a public static and I want to set her public key in the Curve25519 object in the same way we use ClampPrivateKey, so that whenever I create alice's key pair it's with her private and public keys in conjunction with bob's public key.

Is it a security risk? Of course the shared secret will be different.

cloned the Curve25519 of CodesInChaos to avoid side channel attacks
need to remove unsafe code (looks like a big chunk of work)

https://github.com/langboost/curve25519-uwp

Please can you convert it into c#

GetSharedSecret gives incorrect key when using the following inputs:
secret/private: 234, 183, 44, 116, 96, 33, 23, 106, 200, 150, 208, 81, 47, 232, 48, 189, 4, 208, 79, 178, 76, 201, 232, 191, 119, 98, 67, 173, 106, 40, 211, 44
public: 62, 65, 94, 218, 155, 246, 192, 248, 146, 116, 8, 29, 154, 121, 65, 5, 133, 16, 174, 216, 46, 250, 5, 58, 71, 201, 147, 27, 251, 37, 81, 52

expected key: 9, 232, 190, 195, 112, 129, 95, 8, 232, 160, 133, 229, 218, 41, 123, 7, 27, 66, 245, 22, 172, 45, 234, 65, 43, 203, 34, 93, 75, 114, 110, 215

actual key: 251, 51, 52, 154, 131, 190, 165, 36, 196, 45, 16, 138, 204, 92, 164, 162, 210, 9, 18, 19, 112, 239, 155, 109, 87, 105, 116, 109, 182, 228, 210, 57

GetNumSize method contains a bug (file https://github.com/hanswolff/curve25519/blob/master/Curve25519/Curve25519.cs)

Original Java method (http://code.google.com/p/curve25519-java/):

	private static final int numsize(byte[] x,int n) {
		while (n--!=0 && x[n]==0)
			;
		return n+1;
	}

The current implementation (note the counter increment):

       static int GetNumSize(byte[] num, int maxSize)
        {
            for (int i = maxSize; i >= 0; i++)
            {
                if (num[i] == 0) return i + 1;
            }
            return 0;
        }

As the title says, I'm getting different results from before and after bf0aaa3 in GetPublicKey.