/src/botan/src/lib/pubkey/ed25519/ed25519.cpp
Line | Count | Source |
1 | | /* |
2 | | * Ed25519 |
3 | | * (C) 2017 Ribose Inc |
4 | | * |
5 | | * Based on the public domain code from SUPERCOP ref10 by |
6 | | * Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/ed25519.h> |
12 | | |
13 | | #include <botan/hash.h> |
14 | | #include <botan/internal/ed25519_internal.h> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | 0 | void ed25519_gen_keypair(uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) { |
19 | 0 | uint8_t az[64]; |
20 | |
|
21 | 0 | auto sha512 = HashFunction::create_or_throw("SHA-512"); |
22 | 0 | sha512->update(seed, 32); |
23 | 0 | sha512->final(az); |
24 | 0 | az[0] &= 248; |
25 | 0 | az[31] &= 63; |
26 | 0 | az[31] |= 64; |
27 | |
|
28 | 0 | ed25519_basepoint_mul(std::span<uint8_t, 32>{pk, 32}, az); |
29 | |
|
30 | 0 | copy_mem(sk, seed, 32); |
31 | 0 | copy_mem(sk + 32, pk, 32); |
32 | 0 | } |
33 | | |
34 | | void ed25519_sign(uint8_t sig[64], |
35 | | const uint8_t m[], |
36 | | size_t mlen, |
37 | | const uint8_t sk[64], |
38 | | const uint8_t domain_sep[], |
39 | 0 | size_t domain_sep_len) { |
40 | 0 | uint8_t az[64]; |
41 | 0 | uint8_t nonce[64]; |
42 | 0 | uint8_t hram[64]; |
43 | |
|
44 | 0 | auto sha512 = HashFunction::create_or_throw("SHA-512"); |
45 | |
|
46 | 0 | sha512->update(sk, 32); |
47 | 0 | sha512->final(az); |
48 | 0 | az[0] &= 248; |
49 | 0 | az[31] &= 63; |
50 | 0 | az[31] |= 64; |
51 | |
|
52 | 0 | sha512->update(domain_sep, domain_sep_len); |
53 | 0 | sha512->update(az + 32, 32); |
54 | 0 | sha512->update(m, mlen); |
55 | 0 | sha512->final(nonce); |
56 | |
|
57 | 0 | sc_reduce(nonce); |
58 | 0 | ed25519_basepoint_mul(std::span<uint8_t, 32>{sig, 32}, nonce); |
59 | |
|
60 | 0 | sha512->update(domain_sep, domain_sep_len); |
61 | 0 | sha512->update(sig, 32); |
62 | 0 | sha512->update(sk + 32, 32); |
63 | 0 | sha512->update(m, mlen); |
64 | 0 | sha512->final(hram); |
65 | |
|
66 | 0 | sc_reduce(hram); |
67 | 0 | sc_muladd(sig + 32, hram, az, nonce); |
68 | 0 | } |
69 | | |
70 | | bool ed25519_verify(const uint8_t* m, |
71 | | size_t mlen, |
72 | | const uint8_t sig[64], |
73 | | const uint8_t* pk, |
74 | | const uint8_t domain_sep[], |
75 | 0 | size_t domain_sep_len) { |
76 | 0 | if((sig[63] & 0xE0) != 0x00) { |
77 | 0 | return false; |
78 | 0 | } |
79 | | |
80 | 0 | const uint64_t CURVE25519_ORDER[4] = { |
81 | 0 | 0x1000000000000000, |
82 | 0 | 0x0000000000000000, |
83 | 0 | 0x14def9dea2f79cd6, |
84 | 0 | 0x5812631a5cf5d3ed, |
85 | 0 | }; |
86 | |
|
87 | 0 | const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3), |
88 | 0 | load_le<uint64_t>(sig + 32, 2), |
89 | 0 | load_le<uint64_t>(sig + 32, 1), |
90 | 0 | load_le<uint64_t>(sig + 32, 0)}; |
91 | | |
92 | | // RFC 8032 adds the requirement that we verify that s < order in |
93 | | // the signature; this did not exist in the original Ed25519 spec. |
94 | 0 | for(size_t i = 0; i != 4; ++i) { |
95 | 0 | if(s[i] > CURVE25519_ORDER[i]) { |
96 | 0 | return false; |
97 | 0 | } |
98 | 0 | if(s[i] < CURVE25519_ORDER[i]) { |
99 | 0 | break; |
100 | 0 | } |
101 | 0 | if(i == 3) { // here s == order |
102 | 0 | return false; |
103 | 0 | } |
104 | 0 | } |
105 | | |
106 | 0 | uint8_t h[64]; |
107 | 0 | auto sha512 = HashFunction::create_or_throw("SHA-512"); |
108 | |
|
109 | 0 | sha512->update(domain_sep, domain_sep_len); |
110 | 0 | sha512->update(sig, 32); |
111 | 0 | sha512->update(pk, 32); |
112 | 0 | sha512->update(m, mlen); |
113 | 0 | sha512->final(h); |
114 | 0 | sc_reduce(h); |
115 | |
|
116 | 0 | return signature_check(std::span<const uint8_t, 32>{pk, 32}, h, sig, sig + 32); |
117 | 0 | } |
118 | | |
119 | | } // namespace Botan |