/src/botan/src/lib/pubkey/ed25519/ed25519.cpp
/*
* Ed25519
* (C) 2017 Ribose Inc
*
* Based on the public domain code from SUPERCOP ref10 by
* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
10 | | |
11 | | #include <botan/ed25519.h> |
12 | | #include <botan/internal/ed25519_internal.h> |
13 | | #include <botan/internal/sha2_64.h> |
14 | | #include <botan/rng.h> |
15 | | |
namespace Botan {

/*
* Derive an Ed25519 keypair from a 32-byte seed.
*
* @param pk   receives the 32-byte public key (the base-point multiple of
*             the clamped secret scalar, as produced by ge_scalarmult_base)
* @param sk   receives the 64-byte secret key, laid out as seed || pk; this
*             is the layout ed25519_sign reads back (seed in sk[0..32),
*             public key in sk[32..64))
* @param seed the 32-byte secret seed
*
* No length checking is possible here: the caller must provide 32 writable
* bytes for pk and 64 for sk.
*/
void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
   {
   // az = SHA-512(seed); az[0..32) becomes the secret scalar, az[32..64) is
   // the nonce prefix that ed25519_sign re-derives from the seed.
   uint8_t az[64];

   SHA_512 sha;
   sha.update(seed, 32);
   sha.final(az);
   // ref10 clamping: clear the 3 low bits (multiple of the cofactor 8),
   // clear the top two bits of the last byte and set bit 254 so the scalar
   // has a fixed bit length.
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;

   ge_scalarmult_base(pk, az);

   // Secret key = seed || public key; the scalar itself is never stored and
   // is recomputed from the seed by ed25519_sign.
   copy_mem(sk, seed, 32);
   copy_mem(sk + 32, pk, 32);
   // NOTE(review): az holds the secret scalar and nonce prefix and is left
   // on the stack on return; consider scrubbing it before leaving.
   }

/*
* Produce a 64-byte Ed25519 signature R || S over m.
*
* @param sig            receives the signature: R (32 bytes) followed by
*                       S (32 bytes)
* @param m              the message
* @param mlen           length of m in bytes
* @param sk             64-byte secret key in the seed || pk layout written
*                       by ed25519_gen_keypair
* @param domain_sep     bytes hashed before both the nonce input and the
*                       challenge input (presumably the RFC 8032 dom2 prefix;
*                       an empty domain_sep gives the plain SUPERCOP ref10
*                       construction — confirm against the callers)
* @param domain_sep_len length of domain_sep in bytes
*
* The nonce is deterministic (derived from the secret half of SHA-512(seed)
* and the message), so no RNG is consumed here.
*/
void ed25519_sign(uint8_t sig[64],
                  const uint8_t m[], size_t mlen,
                  const uint8_t sk[64],
                  const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t az[64];     // SHA-512(seed): clamped scalar || nonce prefix
   uint8_t nonce[64];  // r = H(dom || prefix || m), reduced mod l
   uint8_t hram[64];   // k = H(dom || R || A || m), reduced mod l

   // The same SHA_512 object is reused for three hashes; this relies on
   // final() resetting the state after each digest.
   SHA_512 sha;

   // Re-derive and clamp the secret scalar from the seed exactly as in
   // ed25519_gen_keypair.
   sha.update(sk, 32);
   sha.final(az);
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;

   // Deterministic nonce: hash the secret prefix half of az with the message.
   sha.update(domain_sep, domain_sep_len);
   sha.update(az + 32, 32);
   sha.update(m, mlen);
   sha.final(nonce);

   // Reduce the 64-byte digest mod l, then R = [r]B is written to sig[0..32).
   sc_reduce(nonce);
   ge_scalarmult_base(sig, nonce);

   // Challenge: hash R, the public key (sk[32..64)) and the message.
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(sk + 32, 32);
   sha.update(m, mlen);
   sha.final(hram);

   // S = (k * a + r) mod l, written to sig[32..64) (ref10 sc_muladd
   // computes (a*b + c) mod l).
   sc_reduce(hram);
   sc_muladd(sig + 32, hram, az, nonce);
   // NOTE(review): az and nonce are secret and are left on the stack on
   // return; consider scrubbing them before leaving.
   }

/*
* Verify an Ed25519 signature.
*
* @param m              the message
* @param mlen           length of m in bytes
* @param sig            the 64-byte signature R || S
* @param pk             the 32-byte public key
* @param domain_sep     must match the prefix used when signing
* @param domain_sep_len length of domain_sep in bytes
* @return true if the signature is valid for m under pk, else false
*
* All inputs are public, so the variable-time group helpers are used by
* design.
*/
bool ed25519_verify(const uint8_t* m, size_t mlen,
                    const uint8_t sig[64],
                    const uint8_t* pk,
                    const uint8_t domain_sep[], size_t domain_sep_len)
   {
   uint8_t h[64];
   uint8_t rcheck[32];
   ge_p3 A;
   SHA_512 sha;

   // Reject S with any of the top three bits set (S >= 2^253). This is the
   // ref10 cheap bound, not the full S < l check of RFC 8032, so values of
   // S in [l, 2^253) are not rejected here — confirm whether the caller
   // needs strict non-malleability.
   if(sig[63] & 224)
      {
      return false;
      }
   // Decode pk into A (negated, so the combined scalar multiplication below
   // yields [S]B - [k]A); a non-zero return means pk is not a valid encoding.
   if(ge_frombytes_negate_vartime(&A, pk) != 0)
      {
      return false;
      }

   // Recompute the challenge k = H(dom || R || A || m) mod l.
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(pk, 32);
   sha.update(m, mlen);
   sha.final(h);
   sc_reduce(h);

   // rcheck = [h](-A) + [S]B, which equals R for a valid signature.
   ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);

   // Compare against R = sig[0..32); the data is public, so constant-time
   // comparison is not required but harmless.
   return constant_time_compare(rcheck, sig, 32);
   }

}