/src/botan/src/lib/pubkey/ed25519/ed25519.cpp
1 | | /* |
2 | | * Ed25519 |
3 | | * (C) 2017 Ribose Inc |
4 | | * |
5 | | * Based on the public domain code from SUPERCOP ref10 by |
6 | | * Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/ed25519.h> |
12 | | |
13 | | #include <botan/rng.h> |
14 | | #include <botan/internal/ct_utils.h> |
15 | | #include <botan/internal/ed25519_internal.h> |
16 | | #include <botan/internal/sha2_64.h> |
17 | | |
namespace Botan {

namespace {

/*
* Clamp the low 32 bytes of a SHA-512 seed expansion into an Ed25519
* secret scalar (RFC 8032 section 5.1.5): clear the three low bits,
* clear the top bit and set the second highest bit.
*/
void clamp_scalar(uint8_t az[64]) {
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;
}

/*
* Expand a 32 byte seed with SHA-512 into az (64 bytes) and clamp the
* first half. The second half is the "prefix" used for nonce derivation.
*/
void expand_seed(uint8_t az[64], const uint8_t seed[32]) {
   SHA_512 sha;
   sha.update(seed, 32);
   sha.final(az);
   clamp_scalar(az);
}

}  // namespace

/*
* Derive an Ed25519 keypair from a 32 byte seed.
*
* @param pk   receives the 32 byte encoded public key A = a*B
* @param sk   receives the 64 byte secret key, laid out as seed || pk
* @param seed the 32 byte private seed
*/
void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32]) {
   uint8_t expanded[64];
   expand_seed(expanded, seed);

   // Public key is the base point multiplied by the clamped scalar
   ge_scalarmult_base(pk, expanded);

   // NOTE(review): expanded holds the secret scalar and prefix and is not
   // zeroed before return; consider scrubbing it (Botan provides
   // secure_scrub_memory in mem_ops.h) — confirm against project policy.
   copy_mem(sk, seed, 32);
   copy_mem(sk + 32, pk, 32);
}

/*
* Produce an Ed25519 signature.
*
* @param sig            receives R (32 bytes) || S (32 bytes)
* @param m              the message
* @param mlen           length of m in bytes
* @param sk             64 byte secret key as produced by ed25519_gen_keypair
* @param domain_sep     bytes hashed before every transcript (empty for pure Ed25519)
* @param domain_sep_len length of domain_sep
*/
void ed25519_sign(uint8_t sig[64],
                  const uint8_t m[],
                  size_t mlen,
                  const uint8_t sk[64],
                  const uint8_t domain_sep[],
                  size_t domain_sep_len) {
   uint8_t expanded[64];
   uint8_t r[64];
   uint8_t k[64];

   // The first 32 bytes of sk are the seed; recover a || prefix from it
   expand_seed(expanded, sk);

   SHA_512 sha;

   // r = H(dom || prefix || M) mod L
   sha.update(domain_sep, domain_sep_len);
   sha.update(expanded + 32, 32);
   sha.update(m, mlen);
   sha.final(r);
   sc_reduce(r);

   // R = r*B goes into the first half of the signature
   ge_scalarmult_base(sig, r);

   // k = H(dom || R || A || M) mod L, with A taken from sk[32..64)
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(sk + 32, 32);
   sha.update(m, mlen);
   sha.final(k);
   sc_reduce(k);

   // S = (k*a + r) mod L (ref10 sc_muladd) goes into the second half
   sc_muladd(sig + 32, k, expanded, r);

   // NOTE(review): expanded, r and k all contain secret material and are
   // not zeroed before return — confirm whether scrubbing is expected here.
}

/*
* Verify an Ed25519 signature.
*
* Only public values are handled here, which is why the vartime point
* routines are called; the final comparison still uses CT::is_equal.
*
* @return true if sig is a valid signature of m under pk
*/
bool ed25519_verify(const uint8_t* m,
                    size_t mlen,
                    const uint8_t sig[64],
                    const uint8_t* pk,
                    const uint8_t domain_sep[],
                    size_t domain_sep_len) {
   // Fast reject: S < L implies its top three bits are clear
   if(sig[63] & 224) {
      return false;
   }

   // Decode -A from the public key bytes; nonzero means decoding failed
   ge_p3 neg_A;
   if(ge_frombytes_negate_vartime(&neg_A, pk) != 0) {
      return false;
   }

   // The group order L, most significant limb first
   const uint64_t order_be[4] = {
      0x1000000000000000,
      0x0000000000000000,
      0x14def9dea2f79cd6,
      0x5812631a5cf5d3ed,
   };

   // S from the signature in the same limb order
   const uint64_t s_be[4] = {load_le<uint64_t>(sig + 32, 3),
                             load_le<uint64_t>(sig + 32, 2),
                             load_le<uint64_t>(sig + 32, 1),
                             load_le<uint64_t>(sig + 32, 0)};

   // RFC 8032 requires S < L (the original Ed25519 spec did not); without
   // it S + L would be accepted as a second valid signature for the same
   // message. Compare limb by limb from the most significant end.
   for(size_t i = 0; i != 4; ++i) {
      if(s_be[i] != order_be[i]) {
         if(s_be[i] > order_be[i]) {
            return false;
         }
         break;  // strictly less than L at this limb, so S < L
      }
      if(i == 3) {
         return false;  // every limb matched, S == L
      }
   }

   // k = H(dom || R || A || M) mod L
   uint8_t k[64];
   SHA_512 sha;
   sha.update(domain_sep, domain_sep_len);
   sha.update(sig, 32);
   sha.update(pk, 32);
   sha.update(m, mlen);
   sha.final(k);
   sc_reduce(k);

   // Recompute R from k, -A and S, then compare against the R in sig
   uint8_t r_check[32];
   ge_double_scalarmult_vartime(r_check, k, &neg_A, sig + 32);

   return CT::is_equal(r_check, sig, 32).as_bool();
}

}  // namespace Botan