1 /* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
4 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
5 * Peter Schwabe, Bo-Yin Yang.
6 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
8 * Modified to use lws genhash by Andy Green <andy@warmcat.com>
11 #include <libwebsockets.h>
/*
 * SHA-512 of data[0..len) into hash64, using the lws generic hash API.
 * The digest is collected by lws_genhash_destroy(); an init failure is only
 * logged, and the callers in this file invoke this as a plain statement
 * without inspecting a result, so a hash failure is not propagated into the
 * signing / verification path (return type is outside this excerpt - confirm).
 */
16 crypto_hash_sha512(uint8_t *hash64, const uint8_t *data, size_t len)
18 struct lws_genhash_ctx ctx;
21 if (lws_genhash_init(&ctx, LWS_GENHASH_TYPE_SHA512)) {
22 lwsl_notice("Failed to init SHA512\n");
/* ret holds the update status; what is done with it is not visible here */
26 ret = lws_genhash_update(&ctx, data, len);
/* destroy both finalises the digest into hash64 and releases ctx */
28 if (lws_genhash_destroy(&ctx, hash64))
29 lwsl_notice("genhash destroy failed\n");
/*
 * hram = SHA-512( R || A || M ), the Ed25519 challenge hash.
 * The input is assembled in playground: sm[0..32) (R), then pk (A), then
 * sm[64..smlen) (M). playground must therefore have room for smlen bytes.
 * Both callers in this file pass an aliasing or scratch buffer as playground
 * (sm itself when signing, the output message buffer m when verifying), so
 * the 32..64 range of that buffer is overwritten with pk here; the signer
 * relies on writing S into sm[32..64) afterwards.
 */
36 get_hram(unsigned char *hram, const unsigned char *sm,
37 const unsigned char *pk, unsigned char *playground,
/* R: self-copy when playground == sm */
42 for (i = 0; i < 32; ++i)
43 playground[i] = sm[i];
/* A: public key replaces whatever sat in bytes 32..64 */
44 for (i = 32; i < 64; ++i)
45 playground[i] = pk[i-32];
/* M: message body; self-copy when playground == sm */
46 for (i = 64; i < smlen; ++i)
47 playground[i] = sm[i];
49 crypto_hash_sha512(hram, playground, smlen);
/*
 * Generate an Ed25519 key pair.  sk receives 32 random seed bytes; the
 * scalar is derived from SHA-512(seed) and the public key pk = [a]B is
 * packed from the resulting group element.  The standard clamping of
 * extsk[0] / extsk[31] is expected between the hash and the scalar load
 * but is outside this excerpt - confirm against the full function.
 */
53 int crypto_sign_ed25519_keypair(
54 struct lws_context *context,
/* extsk holds secret material derived from sk; no explicit zeroization of it
 * is visible in this excerpt */
61 unsigned char extsk[64];
/* NOTE(review): the return value of lws_get_random() is not checked, so a
 * short or failed random read would leave part of sk unset before it is
 * hashed below */
64 lws_get_random(context, sk, 32);
65 crypto_hash_sha512(extsk, sk, 32);
/* secret scalar a from the first 32 bytes of the expanded seed */
70 sc25519_from32bytes(&scsk,extsk);
72 ge25519_scalarmult_base(&gepk, &scsk);
73 ge25519_pack(pk, &gepk);
/*
 * Ed25519 signing: sm = R || S || m, with
 *   extsk = SHA-512(sk[0..32)), a = extsk[0..32), prefix = extsk[32..64)
 *   k     = SHA-512(prefix || m)           (hmg)
 *   R     = [k]B                            (r)
 *   S     = k + SHA-512(R || A || m) * a    (s), A = sk + 32
 * sm is used as scratch while building the hash inputs: bytes 32..64 first
 * hold the prefix, then pk via get_hram(), and finally S.
 */
79 int crypto_sign_ed25519(
81 unsigned long long *smlen,
82 const unsigned char *m, size_t mlen,
83 const unsigned char *sk
86 sc25519 sck, scs, scsk;
/* extsk, hmg and sck carry secret values; no explicit clearing of them is
 * visible in this excerpt */
90 unsigned char extsk[64];
92 unsigned char hmg[crypto_hash_sha512_BYTES];
93 unsigned char hram[crypto_hash_sha512_BYTES];
95 crypto_hash_sha512(extsk, sk, 32);
/* stage the nonce prefix in sm[32..64) so prefix || m is contiguous */
104 sm[32 + i] = extsk[32+i];
106 crypto_hash_sha512(hmg, sm+32, mlen+32);
107 /* Generate k as h(extsk[32],...,extsk[63],m) */
109 /* Computation of R */
110 sc25519_from64bytes(&sck, hmg);
111 ge25519_scalarmult_base(&ger, &sck);
112 ge25519_pack(r, &ger);
114 /* Computation of s */
/* loop body (copying R into sm[0..32)) is outside this excerpt */
115 for (i = 0; i < 32; i++)
/* hram = H(R || A || m); sm doubles as the playground buffer */
118 get_hram(hram, sm, sk + 32, sm, (size_t)mlen + 64);
120 sc25519_from64bytes(&scs, hram);
121 sc25519_from32bytes(&scsk, extsk);
/* S = hram * a ... */
122 sc25519_mul(&scs, &scs, &scsk);
/* ... + k, all mod the group order */
124 sc25519_add(&scs, &scs, &sck);
126 sc25519_to32bytes(s,&scs); /* cat s */
/* loop body (copying s into sm[32..64)) is outside this excerpt */
127 for (i = 0; i < 32; i++)
/*
 * Constant-time comparison of two 32-byte buffers.
 * Returns 0 when x and y are identical and -1 otherwise, without
 * data-dependent branches.  The F(0)..F(31) expansions that OR each byte
 * difference into differentbits lie outside this excerpt.
 */
133 int crypto_verify_32(const unsigned char *x,const unsigned char *y)
135 unsigned int differentbits = 0;
136 #define F(i) differentbits |= x[i] ^ y[i];
/* differentbits == 0  -> (0 - 1) >> 8 has bit 0 set -> 1 - 1 = 0
 * differentbits in 1..255 -> (d - 1) >> 8 == 0 -> 0 - 1 = -1 */
169 return (1 & ((differentbits - 1) >> 8)) - 1;
/*
 * Ed25519 verification of sm = R || S || m under public key pk.
 * Recomputes R' = [H(R||A||m)](-A) + [S]B and compares it with R in
 * constant time; on success the message is copied to m and *mlen set.
 * m is also used as scratch for the hash input, so it must provide at
 * least smlen bytes.  *mlen is pre-set to (unsigned long long)-1 as the
 * failure sentinel.
 */
172 int crypto_sign_ed25519_open(
173 unsigned char *m,unsigned long long *mlen,
174 const unsigned char *sm,unsigned long long smlen,
175 const unsigned char *pk
180 unsigned char t2[32];
183 unsigned char hram[crypto_hash_sha512_BYTES];
/* failure sentinel; only overwritten once the signature checks out */
185 *mlen = (unsigned long long) -1;
/* -A unpacked from pk; rejects encodings that are not valid points */
192 if (ge25519_unpackneg_vartime(&get1, pk)) {
/* hram = H(R || A || m), built in the caller-supplied m buffer */
197 get_hram(hram,sm,pk,m, (size_t)smlen);
199 sc25519_from64bytes(&schram, hram);
/* S is taken from sm[32..64) */
201 sc25519_from32bytes(&scs, sm+32);
203 ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
204 ge25519_pack(t2, &get2);
/* 0 on match, -1 otherwise; constant-time compare of R against R' */
206 ret = crypto_verify_32(sm, t2);
207 lwsl_notice("vf says %d\n", ret);
/* smlen - 64 is unsigned: these loops rely on a smlen < 64 rejection
 * earlier in the function, which is not visible in this excerpt - confirm */
211 for(i=0;i<smlen-64;i++)
217 for(i=0;i<smlen-64;i++)