int
pairing_session_finish(pairing_session_t *session, const unsigned char signature[64])
{
unsigned char sig_buffer[64];
unsigned char sig_msg[64];
unsigned char key[16];
unsigned char iv[16];
AES_CTR_CTX aes_ctx;
assert(session);
if (session->status != STATUS_HANDSHAKE) {
return -1;
}
/* First decrypt the signature with keys derived from the shared secret */
derive_key_internal(session, (const unsigned char *) SALT_KEY, strlen(SALT_KEY), key, sizeof(key));
derive_key_internal(session, (const unsigned char *) SALT_IV, strlen(SALT_IV), iv, sizeof(key));
AES_ctr_set_key(&aes_ctx, key, iv, AES_MODE_128);
/* One fake round for the initial handshake encryption */
AES_ctr_encrypt(&aes_ctx, sig_buffer, sig_buffer, 64);
AES_ctr_encrypt(&aes_ctx, signature, sig_buffer, 64);
/* Then verify the signature with public ECDH keys of both parties */
memcpy(&sig_msg[0], session->ecdh_theirs, 32);
memcpy(&sig_msg[32], session->ecdh_ours, 32);
if (!ed25519_verify(sig_buffer, sig_msg, sizeof(sig_msg), session->ed_theirs)) {
return -2;
}
session->status = STATUS_FINISHED;
return 0;
}
bool verify_mutable_item(
span<char const> v
, span<char const> salt
, sequence_number const seq
, public_key const& pk
, signature const& sig)
{
char str[1200];
int len = canonical_string(v, seq, salt, str);
return ed25519_verify(sig, {str, size_t(len)}, pk);
}
bool_t org_signet_verify(prime_org_signet_t *org) {
stringer_t *holder = MANAGEDBUF(69);
if (!org || !org->signing || !org->encryption || !org->signature || st_length_get(org->signature) != 64) {
return false;
}
else if (st_write(holder, prime_field_write(PRIME_ORG_SIGNET, 1, ED25519_KEY_PUB_LEN, ed25519_public_get(org->signing, MANAGEDBUF(32)), MANAGEDBUF(34)),
prime_field_write(PRIME_ORG_SIGNET, 3, SECP256K1_KEY_PUB_LEN, secp256k1_public_get(org->encryption, MANAGEDBUF(33)), MANAGEDBUF(35))) != 69) {
return false;
}
else if (ed25519_verify(org->signing, holder, org->signature)) {
return false;
}
return true;
}
bool verify_mutable_item(
std::pair<char const*, int> v,
std::pair<char const*, int> salt,
boost::uint64_t seq,
char const* pk,
char const* sig)
{
#ifdef TORRENT_USE_VALGRIND
VALGRIND_CHECK_MEM_IS_DEFINED(v.first, v.second);
VALGRIND_CHECK_MEM_IS_DEFINED(pk, item_pk_len);
VALGRIND_CHECK_MEM_IS_DEFINED(sig, item_sig_len);
#endif
char str[canonical_length];
int len = canonical_string(v, seq, salt, str);
return ed25519_verify((unsigned char const*)sig,
(unsigned char const*)str,
len,
(unsigned char const*)pk) == 1;
}
/* functions
*/
static u3_noun
_cqee_veri(u3_noun s, u3_noun m, u3_noun pk)
{
c3_y sig_y[64];
c3_y pub_y[32];
c3_w ret;
c3_y* mes_y;
c3_w mesm_w = u3r_met(3, m);
memset(sig_y, 0, 64);
memset(pub_y, 0, 32);
mes_y = c3_malloc(mesm_w);
u3r_bytes(0, 64, sig_y, s);
u3r_bytes(0, 32, pub_y, pk);
u3r_bytes(0, mesm_w, mes_y, m);
ret = ed25519_verify(sig_y, mes_y, mesm_w, pub_y) == 1 ? c3y : c3n;
free(mes_y);
return ret;
}
int
ED25519_FN(ed25519_sign_open) (const unsigned char *m, size_t mlen, const ed25519_public_key pk, const ed25519_signature RS) {
ge25519 MM16 R, A;
hash_512bits hash;
bignum256modm hram, S;
unsigned char checkR[32];
if ((RS[63] & 224) || !ge25519_unpack_negative_vartime(&A, pk))
return -1;
/* hram = H(R,A,m) */
ed25519_hram(hash, RS, pk, m, mlen);
expand256_modm(hram, hash, 64);
/* S */
expand256_modm(S, RS + 32, 32);
/* SB - H(R,A,m)A */
ge25519_double_scalarmult_vartime(&R, &A, hram, S);
ge25519_pack(checkR, &R);
/* check that R = SB - H(R,A,m)A */
return ed25519_verify(RS, checkR, 32) ? 0 : -1;
}
bool c_crypto_ed25519::verify_sign (const string &msg, const unsigned char *signature, const unsigned char *public_key) const {
return ed25519_verify(signature, reinterpret_cast<const unsigned char *>(msg.c_str()), msg.length(), public_key) != 0;
}
int main(int argc, char *argv[]) {
unsigned char public_key[32], private_key[64], seed[32], scalar[32];
unsigned char other_public_key[32], other_private_key[64];
unsigned char shared_secret[32], other_shared_secret[32];
unsigned char signature[64];
clock_t start;
clock_t end;
int i;
/* create a random seed, and a keypair out of that seed */
ed25519_create_seed(seed);
ed25519_create_keypair(public_key, private_key, seed);
/* create signature on the message with the keypair */
ed25519_sign(signature, message, strlen(message), public_key, private_key);
/* verify the signature */
if (ed25519_verify(signature, message, strlen(message), public_key)) {
printf("valid signature\n");
} else {
printf("invalid signature\n");
}
/* create scalar and add it to the keypair */
ed25519_create_seed(scalar);
ed25519_add_scalar(public_key, private_key, scalar);
/* create signature with the new keypair */
ed25519_sign(signature, message, strlen(message), public_key, private_key);
/* verify the signature with the new keypair */
if (ed25519_verify(signature, message, strlen(message), public_key)) {
printf("valid signature\n");
} else {
printf("invalid signature\n");
}
/* make a slight adjustment and verify again */
signature[44] ^= 0x10;
if (ed25519_verify(signature, message, strlen(message), public_key)) {
printf("did not detect signature change\n");
} else {
printf("correctly detected signature change\n");
}
/* generate two keypairs for testing key exchange */
ed25519_create_seed(seed);
ed25519_create_keypair(public_key, private_key, seed);
ed25519_create_seed(seed);
ed25519_create_keypair(other_public_key, other_private_key, seed);
/* create two shared secrets - from both perspectives - and check if they're equal */
ed25519_key_exchange(shared_secret, other_public_key, private_key);
ed25519_key_exchange(other_shared_secret, public_key, other_private_key);
for (i = 0; i < 32; ++i) {
if (shared_secret[i] != other_shared_secret[i]) {
printf("key exchange was incorrect\n");
break;
}
}
if (i == 32) {
printf("key exchange was correct\n");
}
/* test performance */
printf("testing seed generation performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_create_seed(seed);
}
end = clock();
printf("%fus per seed\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing key generation performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_create_keypair(public_key, private_key, seed);
}
end = clock();
printf("%fus per keypair\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing sign performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_sign(signature, message, strlen(message), public_key, private_key);
}
end = clock();
printf("%fus per signature\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing verify performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_verify(signature, message, strlen(message), public_key);
}
end = clock();
printf("%fus per signature\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing keypair scalar addition performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_add_scalar(public_key, private_key, scalar);
}
end = clock();
printf("%fus per keypair\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing public key scalar addition performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_add_scalar(public_key, NULL, scalar);
}
end = clock();
printf("%fus per key\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
printf("testing key exchange performance: ");
start = clock();
for (i = 0; i < 10000; ++i) {
ed25519_key_exchange(shared_secret, other_public_key, private_key);
}
end = clock();
printf("%fus per shared secret\n", ((double) ((end - start) * 1000)) / CLOCKS_PER_SEC / i * 1000);
return 0;
}
int ed25519Verify(CC *cond, CCVisitor visitor) {
if (cond->type->typeId != CC_Ed25519Type.typeId) return 1;
// TODO: test failure mode: empty sig / null pointer
return ed25519_verify(cond->signature, visitor.msg, visitor.msgLength, cond->publicKey);
}
//Return 1 if sig is ok, 0 if sig fails
inline int sw_verify(uint8_t *sig, uint8_t *msg, uint8_t *key)
{
return ed25519_verify(sig, msg, 32, key);
}
