More cleanups (thx zzz)

Author: str4d

src/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -137,7 +137,8 @@ protected byte[] engineSign() throws SignatureException {
         FieldElement S = curve.fromBigInteger(leEnc.decode(digest.digest(message)).multiply(a).add(rBI).mod(l));
 
         // R+S
-        ByteBuffer out = ByteBuffer.allocate(64);
+        int b = curve.getField().getb();
+        ByteBuffer out = ByteBuffer.allocate(b/4);
         out.put(Rbyte).put(S.toByteArray());
         return out.array();
     }
@@ -149,11 +150,8 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         if (sigBytes.length != b/4)
             throw new SignatureException("signature length is wrong");
 
-        byte[] Rbyte = Arrays.copyOfRange(sigBytes, 0, b/8);
-        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
-
-        // If we get to here, Rbyte is valid
-        digest.update(Rbyte);
+        // R is first b/8 bytes of sigBytes, S is second b/8 bytes
+        digest.update(sigBytes, 0, b/8);
         digest.update(((EdDSAPublicKey) key).getAbyte());
         // h = H(Rbar,Abar,M)
         byte[] message = baos.toByteArray();
@@ -163,14 +161,15 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         LittleEndianEncoding leEnc = new LittleEndianEncoding();
         h = leEnc.encode(leEnc.decode(h).mod(key.getParams().getL()), b/8);
 
+        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
         // R = SB - H(Rbar,Abar,M)A
         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
 
         byte[] Rcalc = R.toByteArray();
         int result = 1;
         for (int i = 0; i < Rcalc.length; i++) {
-            result &= Utils.equal(Rcalc[i], Rbyte[i]);
+            result &= Utils.equal(Rcalc[i], sigBytes[i]);
         }
         return result == 1;
     }

src/net/i2p/crypto/eddsa/math/FieldElement.java

@@ -92,7 +92,7 @@ public FieldElement multiply(FieldElement val) {
     }
 
     public FieldElement square() {
-        return modPow(BigInteger.valueOf(2), f.getQ());
+        return modPow(Constants.TWO, f.getQ());
     }
 
     public FieldElement squareAndDouble() {

src/net/i2p/crypto/eddsa/math/GroupElement.java

@@ -405,14 +405,14 @@ public boolean equals(Object obj) {
      * Method is package private only so that tests run.
      *
      * @param a = a[0]+256*a[1]+...+256^31 a[31]
-     * @return
+     * @return 64 bytes, each between -8 and 7
      */
     static byte[] toRadix16(byte[] a) {
         byte[] e = new byte[64];
         int i;
         // Radix 16 notation
         for (i = 0; i < 32; i++) {
-            e[2*i+0] = (byte) ((a[i] >> 0) & 15);
+            e[2*i+0] = (byte) (a[i] & 15);
             e[2*i+1] = (byte) ((a[i] >> 4) & 15);
         }
         /* each e[i] is between 0 and 15 */
@@ -422,10 +422,10 @@ static byte[] toRadix16(byte[] a) {
             e[i] += carry;
             carry = e[i] + 8;
             carry >>= 4;
-        e[i] -= carry << 4;
+            e[i] -= carry << 4;
         }
         e[63] += carry;
-        /* each e[i] is between -8 and 8 */
+        /* each e[i] is between -8 and 7 */
         return e;
     }
 
@@ -442,12 +442,11 @@ static byte[] toRadix16(byte[] a) {
      */
     GroupElement cmov(GroupElement u, int b) {
         GroupElement ret = null;
-        int i;
-        for (i = 0; i < b; i++) {
+        for (int i = 0; i < b; i++) {
             // Only for b == 1
             ret = u;
         }
-        for (i = 0; i < 1-b; i++) {
+        for (int i = 0; i < 1-b; i++) {
             // Only for b == 0
             ret = this;
         }
@@ -457,6 +456,7 @@ GroupElement cmov(GroupElement u, int b) {
     /**
      * Look up 16^i r_i B in the precomputed table.
      * No secret array indices, no secret branching.
+     * Constant time.
      *
      * Must have previously precomputed.
      *
@@ -492,6 +492,7 @@ GroupElement select(int pos, int b) {
      * h = a * Bb where a = a[0]+256*a[1]+...+256^31 a[31] and
      * B is this point. If its lookup table has not been precomputed, it
      * will be at the start of the method (and cached for later calls). 
+     * Constant time.
      *
      * Preconditions: (TODO: Check this applies here)
      *   a[31] <= 127
@@ -531,28 +532,27 @@ public GroupElement scalarMultiply(byte[] a) {
      *
      * Method is package private only so that tests run.
      *
-     * @param a
-     * @return
+     * @param a 32 bytes
+     * @return 256 bytes
      */
     static byte[] slide(byte[] a) {
         byte[] r = new byte[256];
-        int i;
-        int b;
-        int k;
 
-        for (i = 0;i < 256;++i) {
+        // put each bit of 'a' into a separate byte, 0 or 1
+        for (int i = 0; i < 256; ++i) {
             r[i] = (byte) (1 & (a[i >> 3] >> (i & 7)));
         }
 
-        for (i = 0;i < 256;++i) {
+        for (int i = 0; i < 256; ++i) {
             if (r[i] != 0) {
-                for (b = 1; b <= 6 && i + b < 256; ++b) {
+                for (int b = 1; b <= 6 && i + b < 256; ++b) {
                     if (r[i + b] != 0) {
                         if (r[i] + (r[i + b] << b) <= 15) {
-                            r[i] += r[i + b] << b; r[i + b] = 0;
+                            r[i] += r[i + b] << b;
+                            r[i + b] = 0;
                         } else if (r[i] - (r[i + b] << b) >= -15) {
                             r[i] -= r[i + b] << b;
-                            for (k = i + b; k < 256; ++k) {
+                            for (int k = i + b; k < 256; ++k) {
                                 if (r[k] == 0) {
                                     r[k] = 1;
                                     break;

src/net/i2p/crypto/eddsa/math/LittleEndianEncoding.java

@@ -6,6 +6,14 @@
 public class LittleEndianEncoding implements Encoding, Serializable {
     private static final long serialVersionUID = 3984579843759837L;
 
+    /**
+     *  Convert x to little endian.
+     *  Constant time.
+     *
+     *  @param len must be big enough
+     *  @return array of length len
+     *  @throws ArrayIndexOutOfBoundsException if len not big enough
+     */
     public byte[] encode(BigInteger x, int len) {
         byte[] in = x.toByteArray();
         byte[] out = new byte[len];
@@ -18,8 +26,10 @@ public byte[] encode(BigInteger x, int len) {
         return out;
     }
 
+    /**
+     *  Convert in to big endian
+     */
     public BigInteger decode(byte[] in) {
-        // Convert 'in' to big endian
         byte[] out = new byte[in.length];
         for (int i = 0; i < in.length; i++) {
             out[i] = in[in.length-1-i];

src/net/i2p/crypto/eddsa/spec/EdDSAParameterSpec.java

@@ -22,6 +22,9 @@ public class EdDSAParameterSpec implements AlgorithmParameterSpec, Serializable
     private final BigInteger l;
     private final GroupElement B;
 
+    /**
+     *  @throws IllegalArgumentException if hash algorithm is unsupported or length is wrong
+     */
     public EdDSAParameterSpec(Curve curve, String hashAlgo,
             BigInteger l, GroupElement B) {
         try {

src/net/i2p/crypto/eddsa/spec/EdDSAPrivateKeySpec.java

@@ -20,6 +20,9 @@ public class EdDSAPrivateKeySpec implements KeySpec {
     private final GroupElement A;
     private final EdDSAParameterSpec spec;
 
+    /**
+     *  @throws IllegalArgumentException if hash algorithm is unsupported
+     */
     public EdDSAPrivateKeySpec(byte[] seed, EdDSAParameterSpec spec) {
         this.spec = spec;
         this.seed = seed;

src/net/i2p/crypto/eddsa/spec/EdDSAPublicKeySpec.java

@@ -13,6 +13,9 @@ public class EdDSAPublicKeySpec implements KeySpec {
     private final GroupElement Aneg;
     private final EdDSAParameterSpec spec;
 
+    /**
+     *  @throws IllegalArgumentException if key length is wrong
+     */
     public EdDSAPublicKeySpec(byte[] pk, EdDSAParameterSpec spec) {
         if (pk.length != spec.getCurve().getField().getb()/8)
             throw new IllegalArgumentException("public-key length is wrong");