int
crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state,
unsigned char *out)
{
unsigned char ihash[64];
crypto_hash_sha512_final(&state->ictx, ihash);
crypto_hash_sha512_update(&state->octx, ihash, 64);
crypto_hash_sha512_final(&state->octx, out);
sodium_memzero((void *) ihash, sizeof ihash);
return 0;
}
int
crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state,
unsigned char *out)
{
unsigned char ihash[64];
crypto_hash_sha512_final(&state->ictx, ihash);
crypto_hash_sha512_update(&state->octx, ihash, 64);
crypto_hash_sha512_final(&state->octx, out);
memset(ihash, 0, sizeof ihash);
return 0;
}
int
crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state,
const unsigned char *key,
size_t keylen)
{
unsigned char pad[128];
unsigned char khash[64];
size_t i;
if (keylen > 128) {
crypto_hash_sha512_init(&state->ictx);
crypto_hash_sha512_update(&state->ictx, key, keylen);
crypto_hash_sha512_final(&state->ictx, khash);
key = khash;
keylen = 64;
}
crypto_hash_sha512_init(&state->ictx);
memset(pad, 0x36, 128);
for (i = 0; i < keylen; i++) {
pad[i] ^= key[i];
}
crypto_hash_sha512_update(&state->ictx, pad, 128);
crypto_hash_sha512_init(&state->octx);
memset(pad, 0x5c, 128);
for (i = 0; i < keylen; i++) {
pad[i] ^= key[i];
}
crypto_hash_sha512_update(&state->octx, pad, 128);
sodium_memzero((void *) pad, sizeof pad);
sodium_memzero((void *) khash, sizeof khash);
return 0;
}
int
_crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk, int prehashed)
{
crypto_hash_sha512_state hs;
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
#ifdef ED25519_NONDETERMINISTIC
memcpy(az, sk, 32);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
#else
crypto_hash_sha512(az, sk, 32);
crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, sk + 32, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
_crypto_sign_ed25519_clamp(az);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen_p != NULL) {
*siglen_p = 64U;
}
return 0;
}
int
crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk)
{
crypto_hash_sha512_state hs;
unsigned char pk[32];
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
memmove(pk, sk + 32, 32);
crypto_hash_sha512(az, sk, 32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, az + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, pk, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen != NULL) {
*siglen = 64U;
}
return 0;
}
int
crypto_sign_ed25519ph_final_verify(crypto_sign_ed25519ph_state *state,
unsigned char *sig,
const unsigned char *pk)
{
unsigned char ph[crypto_hash_sha512_BYTES];
crypto_hash_sha512_final(&state->hs, ph);
return _crypto_sign_ed25519_verify_detached(sig, ph, sizeof ph, pk, 1);
}
int
crypto_sign_ed25519ph_final_create(crypto_sign_ed25519ph_state *state,
unsigned char *sig,
unsigned long long *siglen_p,
const unsigned char *sk)
{
unsigned char ph[crypto_hash_sha512_BYTES];
crypto_hash_sha512_final(&state->hs, ph);
return _crypto_sign_ed25519_detached(sig, siglen_p, ph, sizeof ph, sk, 1);
}
int crypto_sign_edwards25519sha512batch(unsigned char *sm,
unsigned long long *smlen_p,
const unsigned char *m,
unsigned long long mlen,
const unsigned char *sk)
{
crypto_hash_sha512_state hs;
unsigned char nonce[64];
unsigned char hram[64];
unsigned char sig[64];
ge_p3 A;
ge_p3 R;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sk + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
ge_scalarmult_base(&A, sk);
ge_p3_tobytes(sig + 32, &A);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
sc_muladd(sig + 32, hram, nonce, sk);
sodium_memzero(hram, sizeof hram);
memmove(sm + 32, m, (size_t) mlen);
memcpy(sm, sig, 32);
memcpy(sm + 32 + mlen, sig + 32, 32);
*smlen_p = mlen + 64U;
return 0;
}
int
crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
unsigned long long mlen, const unsigned char *pk)
{
crypto_hash_sha512_state hs;
unsigned char h[64];
unsigned char rcheck[32];
unsigned int i;
unsigned char d = 0;
ge_p3 A;
ge_p2 R;
#ifdef ED25519_PREVENT_MALLEABILITY
if (crypto_sign_check_S_lt_l(sig + 32) != 0) {
return -1;
}
#else
if (sig[63] & 224) {
return -1;
}
#endif
if (ge_frombytes_negate_vartime(&A, pk) != 0) {
return -1;
}
for (i = 0; i < 32; ++i) {
d |= pk[i];
}
if (d == 0) {
return -1;
}
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 32);
crypto_hash_sha512_update(&hs, pk, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, h);
sc_reduce(h);
ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
ge_tobytes(rcheck, &R);
return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
sodium_memcmp(sig, rcheck, 32);
}
