mld6query(8): Rename mld6.c -> mld6query.c
[dragonfly.git] / crypto / openssh / ed25519.c
blob767ec24d6df5c6c030a04cd2193d3070d7b067aa
1 /* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
3 /*
4 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
5 * Peter Schwabe, Bo-Yin Yang.
6 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
7 */
9 #include "includes.h"
10 #include "crypto_api.h"
12 #include "ge25519.h"
14 static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
16 unsigned long long i;
18 for (i = 0;i < 32;++i) playground[i] = sm[i];
19 for (i = 32;i < 64;++i) playground[i] = pk[i-32];
20 for (i = 64;i < smlen;++i) playground[i] = sm[i];
22 crypto_hash_sha512(hram,playground,smlen);
26 int crypto_sign_ed25519_keypair(
27 unsigned char *pk,
28 unsigned char *sk
31 sc25519 scsk;
32 ge25519 gepk;
33 unsigned char extsk[64];
34 int i;
36 randombytes(sk, 32);
37 crypto_hash_sha512(extsk, sk, 32);
38 extsk[0] &= 248;
39 extsk[31] &= 127;
40 extsk[31] |= 64;
42 sc25519_from32bytes(&scsk,extsk);
44 ge25519_scalarmult_base(&gepk, &scsk);
45 ge25519_pack(pk, &gepk);
46 for(i=0;i<32;i++)
47 sk[32 + i] = pk[i];
48 return 0;
51 int crypto_sign_ed25519(
52 unsigned char *sm,unsigned long long *smlen,
53 const unsigned char *m,unsigned long long mlen,
54 const unsigned char *sk
57 sc25519 sck, scs, scsk;
58 ge25519 ger;
59 unsigned char r[32];
60 unsigned char s[32];
61 unsigned char extsk[64];
62 unsigned long long i;
63 unsigned char hmg[crypto_hash_sha512_BYTES];
64 unsigned char hram[crypto_hash_sha512_BYTES];
66 crypto_hash_sha512(extsk, sk, 32);
67 extsk[0] &= 248;
68 extsk[31] &= 127;
69 extsk[31] |= 64;
71 *smlen = mlen+64;
72 for(i=0;i<mlen;i++)
73 sm[64 + i] = m[i];
74 for(i=0;i<32;i++)
75 sm[32 + i] = extsk[32+i];
77 crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
79 /* Computation of R */
80 sc25519_from64bytes(&sck, hmg);
81 ge25519_scalarmult_base(&ger, &sck);
82 ge25519_pack(r, &ger);
84 /* Computation of s */
85 for(i=0;i<32;i++)
86 sm[i] = r[i];
88 get_hram(hram, sm, sk+32, sm, mlen+64);
90 sc25519_from64bytes(&scs, hram);
91 sc25519_from32bytes(&scsk, extsk);
92 sc25519_mul(&scs, &scs, &scsk);
94 sc25519_add(&scs, &scs, &sck);
96 sc25519_to32bytes(s,&scs); /* cat s */
97 for(i=0;i<32;i++)
98 sm[32 + i] = s[i];
100 return 0;
103 int crypto_sign_ed25519_open(
104 unsigned char *m,unsigned long long *mlen,
105 const unsigned char *sm,unsigned long long smlen,
106 const unsigned char *pk
109 unsigned int i;
110 int ret;
111 unsigned char t2[32];
112 ge25519 get1, get2;
113 sc25519 schram, scs;
114 unsigned char hram[crypto_hash_sha512_BYTES];
116 *mlen = (unsigned long long) -1;
117 if (smlen < 64) return -1;
119 if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
121 get_hram(hram,sm,pk,m,smlen);
123 sc25519_from64bytes(&schram, hram);
125 sc25519_from32bytes(&scs, sm+32);
127 ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
128 ge25519_pack(t2, &get2);
130 ret = crypto_verify_32(sm, t2);
132 if (!ret)
134 for(i=0;i<smlen-64;i++)
135 m[i] = sm[i + 64];
136 *mlen = smlen-64;
138 else
140 for(i=0;i<smlen-64;i++)
141 m[i] = 0;
143 return ret;