GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.bin/ssh/lib/../ed25519.c Lines: 0 69 0.0 %
Date: 2017-11-13 Branches: 0 26 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
2
3
/*
4
 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
5
 * Peter Schwabe, Bo-Yin Yang.
6
 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
7
 */
8
9
#include "crypto_api.h"
10
11
#include "ge25519.h"
12
13
static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
14
{
15
  unsigned long long i;
16
17
  for (i =  0;i < 32;++i)    playground[i] = sm[i];
18
  for (i = 32;i < 64;++i)    playground[i] = pk[i-32];
19
  for (i = 64;i < smlen;++i) playground[i] = sm[i];
20
21
  crypto_hash_sha512(hram,playground,smlen);
22
}
23
24
25
int crypto_sign_ed25519_keypair(
26
    unsigned char *pk,
27
    unsigned char *sk
28
    )
29
{
30
  sc25519 scsk;
31
  ge25519 gepk;
32
  unsigned char extsk[64];
33
  int i;
34
35
  randombytes(sk, 32);
36
  crypto_hash_sha512(extsk, sk, 32);
37
  extsk[0] &= 248;
38
  extsk[31] &= 127;
39
  extsk[31] |= 64;
40
41
  sc25519_from32bytes(&scsk,extsk);
42
43
  ge25519_scalarmult_base(&gepk, &scsk);
44
  ge25519_pack(pk, &gepk);
45
  for(i=0;i<32;i++)
46
    sk[32 + i] = pk[i];
47
  return 0;
48
}
49
50
int crypto_sign_ed25519(
51
    unsigned char *sm,unsigned long long *smlen,
52
    const unsigned char *m,unsigned long long mlen,
53
    const unsigned char *sk
54
    )
55
{
56
  sc25519 sck, scs, scsk;
57
  ge25519 ger;
58
  unsigned char r[32];
59
  unsigned char s[32];
60
  unsigned char extsk[64];
61
  unsigned long long i;
62
  unsigned char hmg[crypto_hash_sha512_BYTES];
63
  unsigned char hram[crypto_hash_sha512_BYTES];
64
65
  crypto_hash_sha512(extsk, sk, 32);
66
  extsk[0] &= 248;
67
  extsk[31] &= 127;
68
  extsk[31] |= 64;
69
70
  *smlen = mlen+64;
71
  for(i=0;i<mlen;i++)
72
    sm[64 + i] = m[i];
73
  for(i=0;i<32;i++)
74
    sm[32 + i] = extsk[32+i];
75
76
  crypto_hash_sha512(hmg, sm+32, mlen+32); /* Generate k as h(extsk[32],...,extsk[63],m) */
77
78
  /* Computation of R */
79
  sc25519_from64bytes(&sck, hmg);
80
  ge25519_scalarmult_base(&ger, &sck);
81
  ge25519_pack(r, &ger);
82
83
  /* Computation of s */
84
  for(i=0;i<32;i++)
85
    sm[i] = r[i];
86
87
  get_hram(hram, sm, sk+32, sm, mlen+64);
88
89
  sc25519_from64bytes(&scs, hram);
90
  sc25519_from32bytes(&scsk, extsk);
91
  sc25519_mul(&scs, &scs, &scsk);
92
93
  sc25519_add(&scs, &scs, &sck);
94
95
  sc25519_to32bytes(s,&scs); /* cat s */
96
  for(i=0;i<32;i++)
97
    sm[32 + i] = s[i];
98
99
  return 0;
100
}
101
102
int crypto_sign_ed25519_open(
103
    unsigned char *m,unsigned long long *mlen,
104
    const unsigned char *sm,unsigned long long smlen,
105
    const unsigned char *pk
106
    )
107
{
108
  unsigned int i;
109
  int ret;
110
  unsigned char t2[32];
111
  ge25519 get1, get2;
112
  sc25519 schram, scs;
113
  unsigned char hram[crypto_hash_sha512_BYTES];
114
115
  *mlen = (unsigned long long) -1;
116
  if (smlen < 64) return -1;
117
118
  if (ge25519_unpackneg_vartime(&get1, pk)) return -1;
119
120
  get_hram(hram,sm,pk,m,smlen);
121
122
  sc25519_from64bytes(&schram, hram);
123
124
  sc25519_from32bytes(&scs, sm+32);
125
126
  ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
127
  ge25519_pack(t2, &get2);
128
129
  ret = crypto_verify_32(sm, t2);
130
131
  if (!ret)
132
  {
133
    for(i=0;i<smlen-64;i++)
134
      m[i] = sm[i + 64];
135
    *mlen = smlen-64;
136
  }
137
  else
138
  {
139
    for(i=0;i<smlen-64;i++)
140
      m[i] = 0;
141
  }
142
  return ret;
143
}