/src/openssl/crypto/ec/curve448/eddsa.c

Source
/*
 * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2015-2016 Cryptography Research, Inc.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * Originally written by Mike Hamburg
 */
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "crypto/ecx.h"
#include "curve448_local.h"
#include "word.h"
#include "ed448.h"
#include "internal/numbers.h"

#define COFACTOR 4

static c448_error_t oneshot_hash(OSSL_LIB_CTX *ctx, uint8_t *out, size_t outlen,
    const uint8_t *in, size_t inlen,
    const char *propq)
{
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    EVP_MD *shake256 = NULL;
    c448_error_t ret = C448_FAILURE;

    if (hashctx == NULL)
        return C448_FAILURE;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
    if (shake256 == NULL)
        goto err;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
        || !EVP_DigestUpdate(hashctx, in, inlen)
        || !EVP_DigestFinalXOF(hashctx, out, outlen))
        goto err;

    ret = C448_SUCCESS;
err:
    EVP_MD_CTX_free(hashctx);
    EVP_MD_free(shake256);
    return ret;
}

static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
{
    secret_scalar_ser[0] &= -COFACTOR;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
    secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;
}

static c448_error_t hash_init_with_dom(OSSL_LIB_CTX *ctx, EVP_MD_CTX *hashctx,
    uint8_t prehashed,
    uint8_t for_prehash,
    const uint8_t *context,
    size_t context_len,
    const char *propq)
{
    /* ASCII: "SigEd448", in hex for EBCDIC compatibility */
    static const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
    uint8_t dom[2];
    EVP_MD *shake256 = NULL;

    if (context_len > UINT8_MAX)
        return C448_FAILURE;

    dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
        - (for_prehash == 0 ? 1 : 0));
    dom[1] = (uint8_t)context_len;

    shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
    if (shake256 == NULL)
        return C448_FAILURE;

    if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
        || !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s) - 1)
        || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
        || !EVP_DigestUpdate(hashctx, context, context_len)) {
        EVP_MD_free(shake256);
        return C448_FAILURE;
    }

    EVP_MD_free(shake256);
    return C448_SUCCESS;
}

/*
 * EdDSA key generation.  This function uses a different (non-Decaf) encoding.
 *
 * pubkey (out): The public key.
 * privkey (in): The private key.
 */
static c448_error_t
c448_ed448_derive_public_key(
    OSSL_LIB_CTX *ctx,
    uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
    const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
    const char *propq)
{
    /* only this much used for keygen */
    uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
    curve448_scalar_t secret_scalar;
    unsigned int c;
    curve448_point_t p;

    if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
            privkey,
            EDDSA_448_PRIVATE_BYTES,
            propq))
        return C448_FAILURE;

    clamp(secret_scalar_ser);

    ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
        sizeof(secret_scalar_ser));

    /*
     * Since we are going to mul_by_cofactor during encoding, divide by it
     * here. However, the EdDSA base point is not the same as the decaf base
     * point if the sigma isogeny is in use: the EdDSA base point is on
     * Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
     * converted it effectively picks up a factor of 2 from the isogenies.  So
     * we might start at 2 instead of 1.
     */
    for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
        ossl_curve448_scalar_halve(secret_scalar, secret_scalar);

    ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
        secret_scalar);

    ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);

    /* Cleanup */
    ossl_curve448_scalar_destroy(secret_scalar);
    ossl_curve448_point_destroy(p);
    OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));

    return C448_SUCCESS;
}

/*
 * EdDSA signing.
 *
 * signature (out): The signature.
 * privkey (in): The private key.
 * pubkey (in):  The public key.
 * message (in):  The message to sign.
 * message_len (in):  The length of the message.
 * prehashed (in):  Nonzero if the message is actually the hash of something
 *                  you want to sign.
 * context (in):  A "context" for this signature of up to 255 bytes.
 * context_len (in):  Length of the context.
 *
 * For Ed25519, it is unsafe to use the same key for both prehashed and
 * non-prehashed messages, at least without some very careful protocol-level
 * disambiguation.  For Ed448 it is safe.
 */
static c448_error_t
c448_ed448_sign(OSSL_LIB_CTX *ctx,
    uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
    const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message, size_t message_len,
    uint8_t prehashed, const uint8_t *context,
    size_t context_len, const char *propq)
{
    curve448_scalar_t secret_scalar;
    EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
    c448_error_t ret = C448_FAILURE;
    curve448_scalar_t nonce_scalar;
    uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
    unsigned int c;
    curve448_scalar_t challenge_scalar;

    if (hashctx == NULL)
        return C448_FAILURE;

    {
        /*
         * Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
         * secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
         */
        uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];

        if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
                EDDSA_448_PRIVATE_BYTES, propq))
            goto err;
        clamp(expanded);
        ossl_curve448_scalar_decode_long(secret_scalar, expanded,
            EDDSA_448_PRIVATE_BYTES);

        /* Hash to create the nonce */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                context_len, propq)
            || !EVP_DigestUpdate(hashctx,
                expanded + EDDSA_448_PRIVATE_BYTES,
                EDDSA_448_PRIVATE_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)) {
            OPENSSL_cleanse(expanded, sizeof(expanded));
            goto err;
        }
        OPENSSL_cleanse(expanded, sizeof(expanded));
    }

    /* Decode the nonce */
    {
        uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];

        if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
            goto err;
        ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
        OPENSSL_cleanse(nonce, sizeof(nonce));
    }

    {
        /* Scalarmul to create the nonce-point */
        curve448_scalar_t nonce_scalar_2;
        curve448_point_t p;

        ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
        for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
            ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);

        ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
            nonce_scalar_2);
        ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
        ossl_curve448_point_destroy(p);
        ossl_curve448_scalar_destroy(nonce_scalar_2);
    }

    {
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        /* Compute the challenge */
        if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
                propq)
            || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)
            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
            goto err;

        ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
            sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }

    ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
    ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);

    OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
    memcpy(signature, nonce_point, sizeof(nonce_point));
    ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
        challenge_scalar);

    ossl_curve448_scalar_destroy(secret_scalar);
    ossl_curve448_scalar_destroy(nonce_scalar);
    ossl_curve448_scalar_destroy(challenge_scalar);

    ret = C448_SUCCESS;
err:
    EVP_MD_CTX_free(hashctx);
    return ret;
}

static c448_error_t
c448_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len)
{
    curve448_point_t pk_point;

    if (pub_len != EDDSA_448_PUBLIC_BYTES)
        return C448_FAILURE;

    return ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pub);
}

/*
 * EdDSA signature verification.
 *
 * Uses the standard (i.e. less-strict) verification formula.
 *
 * signature (in): The signature.
 * pubkey (in): The public key.
 * message (in): The message to verify.
 * message_len (in): The length of the message.
 * prehashed (in): Nonzero if the message is actually the hash of something you
 *                 want to verify.
 * context (in): A "context" for this signature of up to 255 bytes.
 * context_len (in): Length of the context.
 *
 * For Ed25519, it is unsafe to use the same key for both prehashed and
 * non-prehashed messages, at least without some very careful protocol-level
 * disambiguation.  For Ed448 it is safe.
 */
static c448_error_t
c448_ed448_verify(
    OSSL_LIB_CTX *ctx,
    const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
    const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
    const uint8_t *message, size_t message_len,
    uint8_t prehashed, const uint8_t *context,
    uint8_t context_len, const char *propq)
{
    curve448_point_t pk_point, r_point;
    c448_error_t error;
    curve448_scalar_t challenge_scalar;
    curve448_scalar_t response_scalar;
    /* Order in little endian format */
    static const uint8_t order[] = {
        0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
        0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
        0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
    };
    int i;

    /*
     * Check that s (second 57 bytes of the sig) is less than the order. Both
     * s and the order are in little-endian format. This can be done in
     * variable time, since if this is not the case the signature if publicly
     * invalid.
     */
    for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
        if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
            return C448_FAILURE;
        if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
            break;
    }
    if (i < 0)
        return C448_FAILURE;

    error = ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);

    if (C448_SUCCESS != error)
        return error;

    error = ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
    if (C448_SUCCESS != error)
        return error;

    {
        /* Compute the challenge */
        EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
        uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];

        if (hashctx == NULL
            || !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
                context_len, propq)
            || !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
            || !EVP_DigestUpdate(hashctx, message, message_len)
            || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
            EVP_MD_CTX_free(hashctx);
            return C448_FAILURE;
        }

        EVP_MD_CTX_free(hashctx);
        ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
            sizeof(challenge));
        OPENSSL_cleanse(challenge, sizeof(challenge));
    }
    ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
        challenge_scalar);

    ossl_curve448_scalar_decode_long(response_scalar,
        &signature[EDDSA_448_PUBLIC_BYTES],
        EDDSA_448_PRIVATE_BYTES);

    /* pk_point = -c(x(P)) + (cx + k)G = kG */
    ossl_curve448_base_double_scalarmul_non_secret(pk_point,
        response_scalar,
        pk_point, challenge_scalar);
    return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
}

int ossl_ed448_sign(OSSL_LIB_CTX *ctx, uint8_t *out_sig,
    const uint8_t *message, size_t message_len,
    const uint8_t public_key[57], const uint8_t private_key[57],
    const uint8_t *context, size_t context_len,
    const uint8_t phflag, const char *propq)
{
    return c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
               message_len, phflag, context, context_len,
               propq)
        == C448_SUCCESS;
}

/*
 * This function should not be necessary since ossl_ed448_verify() already
 * does this check internally.
 * For some reason the FIPS ACVP requires a EDDSA KeyVer test.
 */
int ossl_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len)
{
    return c448_ed448_pubkey_verify(pub, pub_len);
}

int ossl_ed448_verify(OSSL_LIB_CTX *ctx,
    const uint8_t *message, size_t message_len,
    const uint8_t signature[114], const uint8_t public_key[57],
    const uint8_t *context, size_t context_len,
    const uint8_t phflag, const char *propq)
{
    return c448_ed448_verify(ctx, signature, public_key, message,
               message_len, phflag, context, (uint8_t)context_len,
               propq)
        == C448_SUCCESS;
}

int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
    const uint8_t private_key[57], const char *propq)
{
    return c448_ed448_derive_public_key(ctx, out_public_key, private_key,
               propq)
        == C448_SUCCESS;
}

Coverage Report

Created: 2026-06-18 06:34

Line	Count	Source
1		/*
2		* Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
3		* Copyright 2015-2016 Cryptography Research, Inc.
4		*
5		* Licensed under the Apache License 2.0 (the "License"). You may not use
6		* this file except in compliance with the License. You can obtain a copy
7		* in the file LICENSE in the source distribution or at
8		* https://www.openssl.org/source/license.html
9		*
10		* Originally written by Mike Hamburg
11		*/
12		#include <string.h>
13		#include <openssl/crypto.h>
14		#include <openssl/evp.h>
15		#include "crypto/ecx.h"
16		#include "curve448_local.h"
17		#include "word.h"
18		#include "ed448.h"
19		#include "internal/numbers.h"
20
21	0	#define COFACTOR 4
22
23		static c448_error_t oneshot_hash(OSSL_LIB_CTX ctx, uint8_t out, size_t outlen,
24		const uint8_t *in, size_t inlen,
25		const char *propq)
26	0	{
27	0	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
28	0	EVP_MD *shake256 = NULL;
29	0	c448_error_t ret = C448_FAILURE;
30
31	0	if (hashctx == NULL)
32	0	return C448_FAILURE;
33
34	0	shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
35	0	if (shake256 == NULL)
36	0	goto err;
37
38	0	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
39	0	\|\| !EVP_DigestUpdate(hashctx, in, inlen)
40	0	\|\| !EVP_DigestFinalXOF(hashctx, out, outlen))
41	0	goto err;
42
43	0	ret = C448_SUCCESS;
44	0	err:
45	0	EVP_MD_CTX_free(hashctx);
46	0	EVP_MD_free(shake256);
47	0	return ret;
48	0	}
49
50		static void clamp(uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES])
51	0	{
52	0	secret_scalar_ser[0] &= -COFACTOR;
53	0	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 1] = 0;
54	0	secret_scalar_ser[EDDSA_448_PRIVATE_BYTES - 2] \|= 0x80;
55	0	}
56
57		static c448_error_t hash_init_with_dom(OSSL_LIB_CTX ctx, EVP_MD_CTX hashctx,
58		uint8_t prehashed,
59		uint8_t for_prehash,
60		const uint8_t *context,
61		size_t context_len,
62		const char *propq)
63	0	{
64		/* ASCII: "SigEd448", in hex for EBCDIC compatibility */
65	0	static const char dom_s[] = "\x53\x69\x67\x45\x64\x34\x34\x38";
66	0	uint8_t dom[2];
67	0	EVP_MD *shake256 = NULL;
68
69	0	if (context_len > UINT8_MAX)
70	0	return C448_FAILURE;
71
72	0	dom[0] = (uint8_t)(2 - (prehashed == 0 ? 1 : 0)
73	0	- (for_prehash == 0 ? 1 : 0));
74	0	dom[1] = (uint8_t)context_len;
75
76	0	shake256 = EVP_MD_fetch(ctx, "SHAKE256", propq);
77	0	if (shake256 == NULL)
78	0	return C448_FAILURE;
79
80	0	if (!EVP_DigestInit_ex(hashctx, shake256, NULL)
81	0	\|\| !EVP_DigestUpdate(hashctx, dom_s, sizeof(dom_s) - 1)
82	0	\|\| !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
83	0	\|\| !EVP_DigestUpdate(hashctx, context, context_len)) {
84	0	EVP_MD_free(shake256);
85	0	return C448_FAILURE;
86	0	}
87
88	0	EVP_MD_free(shake256);
89	0	return C448_SUCCESS;
90	0	}
91
92		/*
93		* EdDSA key generation. This function uses a different (non-Decaf) encoding.
94		*
95		* pubkey (out): The public key.
96		* privkey (in): The private key.
97		*/
98		static c448_error_t
99		c448_ed448_derive_public_key(
100		OSSL_LIB_CTX *ctx,
101		uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
102		const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
103		const char *propq)
104	0	{
105		/* only this much used for keygen */
106	0	uint8_t secret_scalar_ser[EDDSA_448_PRIVATE_BYTES];
107	0	curve448_scalar_t secret_scalar;
108	0	unsigned int c;
109	0	curve448_point_t p;
110
111	0	if (!oneshot_hash(ctx, secret_scalar_ser, sizeof(secret_scalar_ser),
112	0	privkey,
113	0	EDDSA_448_PRIVATE_BYTES,
114	0	propq))
115	0	return C448_FAILURE;
116
117	0	clamp(secret_scalar_ser);
118
119	0	ossl_curve448_scalar_decode_long(secret_scalar, secret_scalar_ser,
120	0	sizeof(secret_scalar_ser));
121
122		/*
123		* Since we are going to mul_by_cofactor during encoding, divide by it
124		* here. However, the EdDSA base point is not the same as the decaf base
125		* point if the sigma isogeny is in use: the EdDSA base point is on
126		* Etwist_d/(1-d) and the decaf base point is on Etwist_d, and when
127		* converted it effectively picks up a factor of 2 from the isogenies. So
128		* we might start at 2 instead of 1.
129		*/
130	0	for (c = 1; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
131	0	ossl_curve448_scalar_halve(secret_scalar, secret_scalar);
132
133	0	ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
134	0	secret_scalar);
135
136	0	ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(pubkey, p);
137
138		/* Cleanup */
139	0	ossl_curve448_scalar_destroy(secret_scalar);
140	0	ossl_curve448_point_destroy(p);
141	0	OPENSSL_cleanse(secret_scalar_ser, sizeof(secret_scalar_ser));
142
143	0	return C448_SUCCESS;
144	0	}
145
146		/*
147		* EdDSA signing.
148		*
149		* signature (out): The signature.
150		* privkey (in): The private key.
151		* pubkey (in): The public key.
152		* message (in): The message to sign.
153		* message_len (in): The length of the message.
154		* prehashed (in): Nonzero if the message is actually the hash of something
155		* you want to sign.
156		* context (in): A "context" for this signature of up to 255 bytes.
157		* context_len (in): Length of the context.
158		*
159		* For Ed25519, it is unsafe to use the same key for both prehashed and
160		* non-prehashed messages, at least without some very careful protocol-level
161		* disambiguation. For Ed448 it is safe.
162		*/
163		static c448_error_t
164		c448_ed448_sign(OSSL_LIB_CTX *ctx,
165		uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
166		const uint8_t privkey[EDDSA_448_PRIVATE_BYTES],
167		const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
168		const uint8_t *message, size_t message_len,
169		uint8_t prehashed, const uint8_t *context,
170		size_t context_len, const char *propq)
171	0	{
172	0	curve448_scalar_t secret_scalar;
173	0	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
174	0	c448_error_t ret = C448_FAILURE;
175	0	curve448_scalar_t nonce_scalar;
176	0	uint8_t nonce_point[EDDSA_448_PUBLIC_BYTES] = { 0 };
177	0	unsigned int c;
178	0	curve448_scalar_t challenge_scalar;
179
180	0	if (hashctx == NULL)
181	0	return C448_FAILURE;
182
183	0	{
184		/*
185		* Schedule the secret key, First EDDSA_448_PRIVATE_BYTES is serialized
186		* secret scalar,next EDDSA_448_PRIVATE_BYTES bytes is the seed.
187		*/
188	0	uint8_t expanded[EDDSA_448_PRIVATE_BYTES * 2];
189
190	0	if (!oneshot_hash(ctx, expanded, sizeof(expanded), privkey,
191	0	EDDSA_448_PRIVATE_BYTES, propq))
192	0	goto err;
193	0	clamp(expanded);
194	0	ossl_curve448_scalar_decode_long(secret_scalar, expanded,
195	0	EDDSA_448_PRIVATE_BYTES);
196
197		/* Hash to create the nonce */
198	0	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
199	0	context_len, propq)
200	0	\|\| !EVP_DigestUpdate(hashctx,
201	0	expanded + EDDSA_448_PRIVATE_BYTES,
202	0	EDDSA_448_PRIVATE_BYTES)
203	0	\|\| !EVP_DigestUpdate(hashctx, message, message_len)) {
204	0	OPENSSL_cleanse(expanded, sizeof(expanded));
205	0	goto err;
206	0	}
207	0	OPENSSL_cleanse(expanded, sizeof(expanded));
208	0	}
209
210		/* Decode the nonce */
211	0	{
212	0	uint8_t nonce[2 * EDDSA_448_PRIVATE_BYTES];
213
214	0	if (!EVP_DigestFinalXOF(hashctx, nonce, sizeof(nonce)))
215	0	goto err;
216	0	ossl_curve448_scalar_decode_long(nonce_scalar, nonce, sizeof(nonce));
217	0	OPENSSL_cleanse(nonce, sizeof(nonce));
218	0	}
219
220	0	{
221		/* Scalarmul to create the nonce-point */
222	0	curve448_scalar_t nonce_scalar_2;
223	0	curve448_point_t p;
224
225	0	ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar);
226	0	for (c = 2; c < C448_EDDSA_ENCODE_RATIO; c <<= 1)
227	0	ossl_curve448_scalar_halve(nonce_scalar_2, nonce_scalar_2);
228
229	0	ossl_curve448_precomputed_scalarmul(p, ossl_curve448_precomputed_base,
230	0	nonce_scalar_2);
231	0	ossl_curve448_point_mul_by_ratio_and_encode_like_eddsa(nonce_point, p);
232	0	ossl_curve448_point_destroy(p);
233	0	ossl_curve448_scalar_destroy(nonce_scalar_2);
234	0	}
235
236	0	{
237	0	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
238
239		/* Compute the challenge */
240	0	if (!hash_init_with_dom(ctx, hashctx, prehashed, 0, context, context_len,
241	0	propq)
242	0	\|\| !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
243	0	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
244	0	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
245	0	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
246	0	goto err;
247
248	0	ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
249	0	sizeof(challenge));
250	0	OPENSSL_cleanse(challenge, sizeof(challenge));
251	0	}
252
253	0	ossl_curve448_scalar_mul(challenge_scalar, challenge_scalar, secret_scalar);
254	0	ossl_curve448_scalar_add(challenge_scalar, challenge_scalar, nonce_scalar);
255
256	0	OPENSSL_cleanse(signature, EDDSA_448_SIGNATURE_BYTES);
257	0	memcpy(signature, nonce_point, sizeof(nonce_point));
258	0	ossl_curve448_scalar_encode(&signature[EDDSA_448_PUBLIC_BYTES],
259	0	challenge_scalar);
260
261	0	ossl_curve448_scalar_destroy(secret_scalar);
262	0	ossl_curve448_scalar_destroy(nonce_scalar);
263	0	ossl_curve448_scalar_destroy(challenge_scalar);
264
265	0	ret = C448_SUCCESS;
266	0	err:
267	0	EVP_MD_CTX_free(hashctx);
268	0	return ret;
269	0	}
270
271		static c448_error_t
272		c448_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len)
273	0	{
274	0	curve448_point_t pk_point;
275
276	0	if (pub_len != EDDSA_448_PUBLIC_BYTES)
277	0	return C448_FAILURE;
278
279	0	return ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pub);
280	0	}
281
282		/*
283		* EdDSA signature verification.
284		*
285		* Uses the standard (i.e. less-strict) verification formula.
286		*
287		* signature (in): The signature.
288		* pubkey (in): The public key.
289		* message (in): The message to verify.
290		* message_len (in): The length of the message.
291		* prehashed (in): Nonzero if the message is actually the hash of something you
292		* want to verify.
293		* context (in): A "context" for this signature of up to 255 bytes.
294		* context_len (in): Length of the context.
295		*
296		* For Ed25519, it is unsafe to use the same key for both prehashed and
297		* non-prehashed messages, at least without some very careful protocol-level
298		* disambiguation. For Ed448 it is safe.
299		*/
300		static c448_error_t
301		c448_ed448_verify(
302		OSSL_LIB_CTX *ctx,
303		const uint8_t signature[EDDSA_448_SIGNATURE_BYTES],
304		const uint8_t pubkey[EDDSA_448_PUBLIC_BYTES],
305		const uint8_t *message, size_t message_len,
306		uint8_t prehashed, const uint8_t *context,
307		uint8_t context_len, const char *propq)
308	0	{
309	0	curve448_point_t pk_point, r_point;
310	0	c448_error_t error;
311	0	curve448_scalar_t challenge_scalar;
312	0	curve448_scalar_t response_scalar;
313		/* Order in little endian format */
314	0	static const uint8_t order[] = {
315	0	0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
316	0	0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
317	0	0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
318	0	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
319	0	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
320	0	};
321	0	int i;
322
323		/*
324		* Check that s (second 57 bytes of the sig) is less than the order. Both
325		* s and the order are in little-endian format. This can be done in
326		* variable time, since if this is not the case the signature if publicly
327		* invalid.
328		*/
329	0	for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
330	0	if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
331	0	return C448_FAILURE;
332	0	if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
333	0	break;
334	0	}
335	0	if (i < 0)
336	0	return C448_FAILURE;
337
338	0	error = ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
339
340	0	if (C448_SUCCESS != error)
341	0	return error;
342
343	0	error = ossl_curve448_point_decode_like_eddsa_and_mul_by_ratio(r_point, signature);
344	0	if (C448_SUCCESS != error)
345	0	return error;
346
347	0	{
348		/* Compute the challenge */
349	0	EVP_MD_CTX *hashctx = EVP_MD_CTX_new();
350	0	uint8_t challenge[2 * EDDSA_448_PRIVATE_BYTES];
351
352	0	if (hashctx == NULL
353	0	\|\| !hash_init_with_dom(ctx, hashctx, prehashed, 0, context,
354	0	context_len, propq)
355	0	\|\| !EVP_DigestUpdate(hashctx, signature, EDDSA_448_PUBLIC_BYTES)
356	0	\|\| !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
357	0	\|\| !EVP_DigestUpdate(hashctx, message, message_len)
358	0	\|\| !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge))) {
359	0	EVP_MD_CTX_free(hashctx);
360	0	return C448_FAILURE;
361	0	}
362
363	0	EVP_MD_CTX_free(hashctx);
364	0	ossl_curve448_scalar_decode_long(challenge_scalar, challenge,
365	0	sizeof(challenge));
366	0	OPENSSL_cleanse(challenge, sizeof(challenge));
367	0	}
368	0	ossl_curve448_scalar_sub(challenge_scalar, ossl_curve448_scalar_zero,
369	0	challenge_scalar);
370
371	0	ossl_curve448_scalar_decode_long(response_scalar,
372	0	&signature[EDDSA_448_PUBLIC_BYTES],
373	0	EDDSA_448_PRIVATE_BYTES);
374
375		/* pk_point = -c(x(P)) + (cx + k)G = kG */
376	0	ossl_curve448_base_double_scalarmul_non_secret(pk_point,
377	0	response_scalar,
378	0	pk_point, challenge_scalar);
379	0	return c448_succeed_if(ossl_curve448_point_eq(pk_point, r_point));
380	0	}
381
382		int ossl_ed448_sign(OSSL_LIB_CTX ctx, uint8_t out_sig,
383		const uint8_t *message, size_t message_len,
384		const uint8_t public_key[57], const uint8_t private_key[57],
385		const uint8_t *context, size_t context_len,
386		const uint8_t phflag, const char *propq)
387	0	{
388	0	return c448_ed448_sign(ctx, out_sig, private_key, public_key, message,
389	0	message_len, phflag, context, context_len,
390	0	propq)
391	0	== C448_SUCCESS;
392	0	}
393
394		/*
395		* This function should not be necessary since ossl_ed448_verify() already
396		* does this check internally.
397		* For some reason the FIPS ACVP requires a EDDSA KeyVer test.
398		*/
399		int ossl_ed448_pubkey_verify(const uint8_t *pub, size_t pub_len)
400	0	{
401	0	return c448_ed448_pubkey_verify(pub, pub_len);
402	0	}
403
404		int ossl_ed448_verify(OSSL_LIB_CTX *ctx,
405		const uint8_t *message, size_t message_len,
406		const uint8_t signature[114], const uint8_t public_key[57],
407		const uint8_t *context, size_t context_len,
408		const uint8_t phflag, const char *propq)
409	0	{
410	0	return c448_ed448_verify(ctx, signature, public_key, message,
411	0	message_len, phflag, context, (uint8_t)context_len,
412	0	propq)
413	0	== C448_SUCCESS;
414	0	}
415
416		int ossl_ed448_public_from_private(OSSL_LIB_CTX *ctx, uint8_t out_public_key[57],
417		const uint8_t private_key[57], const char *propq)
418	0	{
419	0	return c448_ed448_derive_public_key(ctx, out_public_key, private_key,
420	0	propq)
421	0	== C448_SUCCESS;
422	0	}