1/* $OpenBSD: mod_ed25519.c,v 1.1 2014/01/08 05:00:01 tedu Exp $ */ 2 3/* 4 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange, 5 * Peter Schwabe, Bo-Yin Yang. 6 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c 7 */ 8 9#include "crypto_api.h" 10 11#include "ge25519.h" 12 13static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) 14{ 15 unsigned long long i; 16 17 for (i = 0;i < 32;++i) playground[i] = sm[i]; 18 for (i = 32;i < 64;++i) playground[i] = pk[i-32]; 19 for (i = 64;i < smlen;++i) playground[i] = sm[i]; 20 21 crypto_hash_sha512(hram,playground,smlen); 22} 23 24#ifndef VERIFYONLY 25int crypto_sign_ed25519_keypair( 26 unsigned char *pk, 27 unsigned char *sk 28 ) 29{ 30 sc25519 scsk; 31 ge25519 gepk; 32 unsigned char extsk[64]; 33 int i; 34 35 randombytes(sk, 32); 36 crypto_hash_sha512(extsk, sk, 32); 37 extsk[0] &= 248; 38 extsk[31] &= 127; 39 extsk[31] |= 64; 40 41 sc25519_from32bytes(&scsk,extsk); 42 43 ge25519_scalarmult_base(&gepk, &scsk); 44 ge25519_pack(pk, &gepk); 45 for(i=0;i<32;i++) 46 sk[32 + i] = pk[i]; 47 return 0; 48} 49 50int crypto_sign_ed25519( 51 unsigned char *sm,unsigned long long *smlen, 52 const unsigned char *m,unsigned long long mlen, 53 const unsigned char *sk 54 ) 55{ 56 sc25519 sck, scs, scsk; 57 ge25519 ger; 58 unsigned char r[32]; 59 unsigned char s[32]; 60 unsigned char extsk[64]; 61 unsigned long long i; 62 unsigned char hmg[crypto_hash_sha512_BYTES]; 63 unsigned char hram[crypto_hash_sha512_BYTES]; 64 65 crypto_hash_sha512(extsk, sk, 32); 66 extsk[0] &= 248; 67 extsk[31] &= 127; 68 extsk[31] |= 64; 69 70 *smlen = mlen+64; 71 for(i=0;i<mlen;i++) 72 sm[64 + i] = m[i]; 73 for(i=0;i<32;i++) 74 sm[32 + i] = extsk[32+i]; 75 76 crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */ 77 78 /* Computation of R */ 79 sc25519_from64bytes(&sck, hmg); 80 ge25519_scalarmult_base(&ger, &sck); 81 ge25519_pack(r, &ger); 82 83 /* Computation of s */ 84 for(i=0;i<32;i++) 85 sm[i] = r[i]; 86 87 get_hram(hram, sm, sk+32, sm, mlen+64); 88 89 sc25519_from64bytes(&scs, hram); 90 sc25519_from32bytes(&scsk, extsk); 91 sc25519_mul(&scs, &scs, &scsk); 92 93 sc25519_add(&scs, &scs, &sck); 94 95 sc25519_to32bytes(s,&scs); /* cat s */ 96 for(i=0;i<32;i++) 97 sm[32 + i] = s[i]; 98 99 return 0; 100} 101#endif 102int crypto_sign_ed25519_open( 103 unsigned char *m,unsigned long long *mlen, 104 const unsigned char *sm,unsigned long long smlen, 105 const unsigned char *pk 106 ) 107{ 108 unsigned int i; 109 int ret; 110 unsigned char t2[32]; 111 ge25519 get1, get2; 112 sc25519 schram, scs; 113 unsigned char hram[crypto_hash_sha512_BYTES]; 114 115 *mlen = (unsigned long long) -1; 116 if (smlen < 64) return -1; 117 118 if (ge25519_unpackneg_vartime(&get1, pk)) return -1; 119 120 get_hram(hram,sm,pk,m,smlen); 121 122 sc25519_from64bytes(&schram, hram); 123 124 sc25519_from32bytes(&scs, sm+32); 125 126 ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs); 127 ge25519_pack(t2, &get2); 128 129 ret = crypto_verify_32(sm, t2); 130 131 if (!ret) 132 { 133 for(i=0;i<smlen-64;i++) 134 m[i] = sm[i + 64]; 135 *mlen = smlen-64; 136 } 137 else 138 { 139 for(i=0;i<smlen-64;i++) 140 m[i] = 0; 141 } 142 return ret; 143} 144