
/src/botan/src/lib/pubkey/ed25519/ed25519.cpp
/*
* Ed25519
* (C) 2017 Ribose Inc
*
* Based on the public domain code from SUPERCOP ref10 by
* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/ed25519.h>
#include <botan/internal/ed25519_internal.h>
#include <botan/sha2_64.h>
#include <botan/rng.h>
namespace Botan {
/*
* Derive an Ed25519 keypair from a 32-byte seed.
*
* pk   - receives the 32-byte encoded public key (base-point scalar
*        multiplication of the clamped secret scalar)
* sk   - receives the 64-byte secret key laid out as seed || pk
* seed - the secret seed; exactly 32 bytes are read
*
* The expanded key is SHA-512(seed). Its first 32 bytes are clamped into the
* secret scalar with the standard Ed25519 clamping; the second 32 bytes are
* not needed here (ed25519_sign recomputes them as the nonce prefix).
*
* NOTE(review): the expanded key holds the secret scalar and is a plain stack
* array; nothing in this function clears it before returning. Botan's
* secure_scrub_memory could be applied to it once pk has been computed.
*/
void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
   {
   uint8_t expanded[64];

   SHA_512 hash;
   hash.update(seed, 32);
   hash.final(expanded);

   // Clamp: clear the low three bits, clear bit 255, set bit 254
   expanded[0] &= 0xF8;
   expanded[31] = static_cast<uint8_t>((expanded[31] & 0x3F) | 0x40);

   ge_scalarmult_base(pk, expanded);

   // Secret key layout consumed by ed25519_sign: seed first, public key after
   copy_mem(sk, seed, 32);
   copy_mem(sk + 32, pk, 32);
   }
/*
* Produce an Ed25519 signature over m.
*
* sig            - receives the 64-byte signature R || S; the first 32 bytes
*                  are also used as scratch for R before S is computed
* m, mlen        - the message
* sk             - the 64-byte secret key in the layout written by
*                  ed25519_gen_keypair (seed || pk); only the seed is
*                  re-expanded, the stored pk is hashed as A
* domain_sep     - bytes hashed first in both hash computations; with
*                  domain_sep_len == 0 this is plain Ed25519
*
* The single SHA_512 object is reused for all three hashes; this relies on
* Botan's final() resetting the hash state after producing output.
*
* NOTE(review): az (the clamped secret scalar plus prefix) and nonce are
* secret and live in ordinary stack arrays; nothing here clears them before
* returning. Botan's secure_scrub_memory could be used for that.
*/
void ed25519_sign(uint8_t sig[64],
                  const uint8_t m[], size_t mlen,
                  const uint8_t sk[64],
                  const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t az[64];
   uint8_t nonce[64];
   uint8_t hram[64];

   SHA_512 sha;

   // Re-expand the seed: az[0..32) becomes the secret scalar, az[32..64) the prefix
   sha.update(sk, 32);
   sha.final(az);
   // Standard Ed25519 clamping of the scalar (same as in ed25519_gen_keypair)
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;

   // Deterministic nonce r = H(domain_sep || prefix || m)
   sha.update(domain_sep, domain_sep_len);
   sha.update(az + 32, 32);
   sha.update(m, mlen);
   sha.final(nonce);

   // Reduce r mod the group order and write R = [r]B into the first half of sig
   sc_reduce(nonce);
   ge_scalarmult_base(sig, nonce);

   // Challenge k = H(domain_sep || R || A || m); A is the stored public key in sk[32..64)
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(sk + 32, 32);
   sha.update(m, mlen);
   sha.final(hram);

   // S = (r + k*a) mod L, written into the second half of sig
   sc_reduce(hram);
   sc_muladd(sig + 32, hram, az, nonce);
   }
/*
* Verify an Ed25519 signature.
*
* m, mlen        - the message
* sig            - the 64-byte signature R || S
* pk             - the 32-byte encoded public key (no length parameter; 32
*                  bytes are read)
* domain_sep     - bytes hashed first, must match what the signer used
*
* Returns true only if the recomputed R matches the R in sig. The _vartime
* helpers are used here because every input to verification (pk, sig, m) is
* public.
*
* NOTE(review): the initial check on sig[63] only rejects S with any of its
* top three bits set (S >= 2^253). It does not reject S values in
* [L, 2^253), so this function on its own does not enforce a fully canonical
* S encoding.
*/
bool ed25519_verify(const uint8_t* m, size_t mlen,
                    const uint8_t sig[64],
                    const uint8_t* pk,
                    const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t h[64];
   uint8_t rcheck[32];
   ge_p3 A;
   SHA_512 sha;

   // Reject S with bits 253..255 set (see note above on what this does not cover)
   if(sig[63] & 224)
      {
      return false;
      }
   // Decode pk into A (negated); a nonzero result is treated as an invalid point encoding
   if(ge_frombytes_negate_vartime(&A, pk) != 0)
      {
      return false;
      }

   // k = H(domain_sep || R || A || m), reduced mod the group order
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(pk, 32);
   sha.update(m, mlen);
   sha.final(h);
   sc_reduce(h);

   // rcheck = encoding of [k](-A) + [S]B, which should equal R for a valid signature
   ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);

   // Compare against R (the first 32 bytes of sig)
   return constant_time_compare(rcheck, sig, 32);
   }
}