lokinet/crypto/ed25519/ref10/open.c


#include <limits.h>
#include <stdint.h>
#include <string.h>

#include <sodium/crypto_hash_sha512.h>
#include <sodium/crypto_sign_ed25519.h>
#include <sodium/crypto_verify_32.h>
#include "sign_ed25519_ref10.h"
#include <sodium/private/ed25519_ref10.h>
#include <sodium/utils.h>

int
_crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                     const unsigned char *m,
                                     unsigned long long mlen,
                                     const unsigned char *pk, int prehashed)
{
  crypto_hash_sha512_state hs;
  unsigned char h[64];
  unsigned char rcheck[32];
  ge25519_p3 A;
  ge25519_p2 R;

#ifndef ED25519_COMPAT
  if(sc25519_is_canonical(sig + 32) == 0 || ge25519_has_small_order(sig) != 0)
  {
    return -1;
  }
  if(ge25519_is_canonical(pk) == 0)
  {
    return -1;
  }
#else
  if(sig[63] & 224)
  {
    return -1;
  }
#endif
  if(ge25519_has_small_order(pk) != 0
     || ge25519_frombytes_negate_vartime(&A, pk) != 0)
  {
    return -1;
  }
  _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
  crypto_hash_sha512_update(&hs, sig, 32);
  crypto_hash_sha512_update(&hs, pk, 32);
  crypto_hash_sha512_update(&hs, m, mlen);
  crypto_hash_sha512_final(&hs, h);
  sc25519_reduce(h);

  ge25519_double_scalarmult_vartime(&R, h, &A, sig + 32);
  ge25519_tobytes(rcheck, &R);

  return crypto_verify_32(rcheck, sig) | (-(rcheck == sig))
      | sodium_memcmp(sig, rcheck, 32);
}

int
crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                    const unsigned char *m,
                                    unsigned long long mlen,
                                    const unsigned char *pk)
{
  return _crypto_sign_ed25519_verify_detached(sig, m, mlen, pk, 0);
}

int
crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen_p,
                         const unsigned char *sm, unsigned long long smlen,
                         const unsigned char *pk)
{
  unsigned long long mlen;

  if(smlen < 64 || smlen - 64 > crypto_sign_ed25519_MESSAGEBYTES_MAX)
  {
    goto badsig;
  }
  mlen = smlen - 64;
  if(crypto_sign_ed25519_verify_detached(sm, sm + 64, mlen, pk) != 0)
  {
    memset(m, 0, mlen);
    goto badsig;
  }
  if(mlen_p != NULL)
  {
    *mlen_p = mlen;
  }
  memmove(m, sm + 64, mlen);

  return 0;

badsig:
  if(mlen_p != NULL)
  {
    *mlen_p = 0;
  }
  return -1;
}
bundle relevent libsodium parts 2018-10-23 11:29:37 +00:00
			`#include <limits.h>`
			`#include <stdint.h>`
			`#include <string.h>`

			`#include <sodium/crypto_hash_sha512.h>`
			`#include <sodium/crypto_sign_ed25519.h>`
			`#include <sodium/crypto_verify_32.h>`
			`#include "sign_ed25519_ref10.h"`
			`#include <sodium/private/ed25519_ref10.h>`
			`#include <sodium/utils.h>`

			`int`
			`_crypto_sign_ed25519_verify_detached(const unsigned char *sig,`
			`const unsigned char *m,`
			`unsigned long long mlen,`
			`const unsigned char *pk, int prehashed)`
			`{`
			`crypto_hash_sha512_state hs;`
			`unsigned char h[64];`
			`unsigned char rcheck[32];`
			`ge25519_p3 A;`
			`ge25519_p2 R;`

			`#ifndef ED25519_COMPAT`
			`if(sc25519_is_canonical(sig + 32) == 0 \|\| ge25519_has_small_order(sig) != 0)`
			`{`
			`return -1;`
			`}`
			`if(ge25519_is_canonical(pk) == 0)`
			`{`
			`return -1;`
			`}`
			`#else`
			`if(sig[63] & 224)`
			`{`
			`return -1;`
			`}`
			`#endif`
			`if(ge25519_has_small_order(pk) != 0`
			`\|\| ge25519_frombytes_negate_vartime(&A, pk) != 0)`
			`{`
			`return -1;`
			`}`
			`_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);`
			`crypto_hash_sha512_update(&hs, sig, 32);`
			`crypto_hash_sha512_update(&hs, pk, 32);`
			`crypto_hash_sha512_update(&hs, m, mlen);`
			`crypto_hash_sha512_final(&hs, h);`
			`sc25519_reduce(h);`

			`ge25519_double_scalarmult_vartime(&R, h, &A, sig + 32);`
			`ge25519_tobytes(rcheck, &R);`

			`return crypto_verify_32(rcheck, sig) \| (-(rcheck == sig))`
			`\| sodium_memcmp(sig, rcheck, 32);`
			`}`

			`int`
			`crypto_sign_ed25519_verify_detached(const unsigned char *sig,`
			`const unsigned char *m,`
			`unsigned long long mlen,`
			`const unsigned char *pk)`
			`{`
			`return _crypto_sign_ed25519_verify_detached(sig, m, mlen, pk, 0);`
			`}`

			`int`
			`crypto_sign_ed25519_open(unsigned char m, unsigned long long mlen_p,`
			`const unsigned char *sm, unsigned long long smlen,`
			`const unsigned char *pk)`
			`{`
			`unsigned long long mlen;`

			`if(smlen < 64 \|\| smlen - 64 > crypto_sign_ed25519_MESSAGEBYTES_MAX)`
			`{`
			`goto badsig;`
			`}`
			`mlen = smlen - 64;`
			`if(crypto_sign_ed25519_verify_detached(sm, sm + 64, mlen, pk) != 0)`
			`{`
			`memset(m, 0, mlen);`
			`goto badsig;`
			`}`
			`if(mlen_p != NULL)`
			`{`
			`*mlen_p = mlen;`
			`}`
			`memmove(m, sm + 64, mlen);`

			`return 0;`

			`badsig:`
			`if(mlen_p != NULL)`
			`{`
			`*mlen_p = 0;`
			`}`
			`return -1;`
			`}`