Annotation of src/usr.bin/signify/mod_ed25519.c, Revision 1.1
1.1 ! tedu 1: /* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
! 2:
! 3: /*
! 4: * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
! 5: * Peter Schwabe, Bo-Yin Yang.
! 6: * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
! 7: */
! 8:
! 9: #include "crypto_api.h"
! 10:
! 11: #include "ge25519.h"
! 12:
! 13: static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
! 14: {
! 15: unsigned long long i;
! 16:
! 17: for (i = 0;i < 32;++i) playground[i] = sm[i];
! 18: for (i = 32;i < 64;++i) playground[i] = pk[i-32];
! 19: for (i = 64;i < smlen;++i) playground[i] = sm[i];
! 20:
! 21: crypto_hash_sha512(hram,playground,smlen);
! 22: }
! 23:
! 24: #ifndef VERIFYONLY
! 25: int crypto_sign_ed25519_keypair(
! 26: unsigned char *pk,
! 27: unsigned char *sk
! 28: )
! 29: {
! 30: sc25519 scsk;
! 31: ge25519 gepk;
! 32: unsigned char extsk[64];
! 33: int i;
! 34:
! 35: randombytes(sk, 32);
! 36: crypto_hash_sha512(extsk, sk, 32);
! 37: extsk[0] &= 248;
! 38: extsk[31] &= 127;
! 39: extsk[31] |= 64;
! 40:
! 41: sc25519_from32bytes(&scsk,extsk);
! 42:
! 43: ge25519_scalarmult_base(&gepk, &scsk);
! 44: ge25519_pack(pk, &gepk);
! 45: for(i=0;i<32;i++)
! 46: sk[32 + i] = pk[i];
! 47: return 0;
! 48: }
! 49:
! 50: int crypto_sign_ed25519(
! 51: unsigned char *sm,unsigned long long *smlen,
! 52: const unsigned char *m,unsigned long long mlen,
! 53: const unsigned char *sk
! 54: )
! 55: {
! 56: sc25519 sck, scs, scsk;
! 57: ge25519 ger;
! 58: unsigned char r[32];
! 59: unsigned char s[32];
! 60: unsigned char extsk[64];
! 61: unsigned long long i;
! 62: unsigned char hmg[crypto_hash_sha512_BYTES];
! 63: unsigned char hram[crypto_hash_sha512_BYTES];
! 64:
! 65: crypto_hash_sha512(extsk, sk, 32);
! 66: extsk[0] &= 248;
! 67: extsk[31] &= 127;
! 68: extsk[31] |= 64;
! 69:
! 70: *smlen = mlen+64;
! 71: for(i=0;i<mlen;i++)
! 72: sm[64 + i] = m[i];
! 73: for(i=0;i<32;i++)
! 74: sm[32 + i] = extsk[32+i];
! 75:
! 76: crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
! 77:
! 78: /* Computation of R */
! 79: sc25519_from64bytes(&sck, hmg);
! 80: ge25519_scalarmult_base(&ger, &sck);
! 81: ge25519_pack(r, &ger);
! 82:
! 83: /* Computation of s */
! 84: for(i=0;i<32;i++)
! 85: sm[i] = r[i];
! 86:
! 87: get_hram(hram, sm, sk+32, sm, mlen+64);
! 88:
! 89: sc25519_from64bytes(&scs, hram);
! 90: sc25519_from32bytes(&scsk, extsk);
! 91: sc25519_mul(&scs, &scs, &scsk);
! 92:
! 93: sc25519_add(&scs, &scs, &sck);
! 94:
! 95: sc25519_to32bytes(s,&scs); /* cat s */
! 96: for(i=0;i<32;i++)
! 97: sm[32 + i] = s[i];
! 98:
! 99: return 0;
! 100: }
! 101: #endif
! 102: int crypto_sign_ed25519_open(
! 103: unsigned char *m,unsigned long long *mlen,
! 104: const unsigned char *sm,unsigned long long smlen,
! 105: const unsigned char *pk
! 106: )
! 107: {
! 108: unsigned int i;
! 109: int ret;
! 110: unsigned char t2[32];
! 111: ge25519 get1, get2;
! 112: sc25519 schram, scs;
! 113: unsigned char hram[crypto_hash_sha512_BYTES];
! 114:
! 115: *mlen = (unsigned long long) -1;
! 116: if (smlen < 64) return -1;
! 117:
! 118: if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
! 119:
! 120: get_hram(hram,sm,pk,m,smlen);
! 121:
! 122: sc25519_from64bytes(&schram, hram);
! 123:
! 124: sc25519_from32bytes(&scs, sm+32);
! 125:
! 126: ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
! 127: ge25519_pack(t2, &get2);
! 128:
! 129: ret = crypto_verify_32(sm, t2);
! 130:
! 131: if (!ret)
! 132: {
! 133: for(i=0;i<smlen-64;i++)
! 134: m[i] = sm[i + 64];
! 135: *mlen = smlen-64;
! 136: }
! 137: else
! 138: {
! 139: for(i=0;i<smlen-64;i++)
! 140: m[i] = 0;
! 141: }
! 142: return ret;
! 143: }