void crypto_sha512hmac(uint8_t* hash, uint8_t* salt, uint8_t salt_length, uint8_t* data, uint8_t data_length)
{
uint8_t message1[128 + data_length];
uint8_t message2[128 + 64];
memset(message1, 0x36, 128);
memset(message2, 0x5C, 128);
for (unsigned i = salt_length; i--; )
{
message1[i] = 0x36 ^ salt[i];
message2[i] = 0x5C ^ salt[i];
}
memcpy(message1 + 128, data, data_length);
crypto_hash_sha512(message2 + 128, message1, sizeof(message1));
crypto_hash_sha512(hash, message2, sizeof(message2));
}
static char * createGUID()
{
sodium_init();
unsigned char out[crypto_hash_sha512_BYTES];
unsigned char sk[crypto_sign_SECRETKEYBYTES];
int valid_pow = 0;
while (valid_pow == 0){
//Generate a key pair
unsigned char pk[crypto_sign_PUBLICKEYBYTES];
unsigned char sk[crypto_sign_SECRETKEYBYTES];
crypto_sign_keypair(pk, sk);
//Sign the public key
const unsigned char * message = pk;
int message_len = crypto_sign_PUBLICKEYBYTES;
unsigned char signed_message[crypto_sign_BYTES + message_len];
unsigned long long signed_message_len;
crypto_sign(signed_message, &signed_message_len,
message, message_len, sk);
//Hash the signed key with sha512
crypto_hash_sha512(out, signed_message, signed_message_len);
char proof_of_work[32];
memcpy(proof_of_work, &out[32], 32);
char * pow = to_hex(proof_of_work, 3);
valid_pow = test_pow(pow);
}
to_hex(sk, 32);
return to_hex(sk, 32);
}
int main(void)
{
size_t i;
crypto_hash_sha512(h,x,sizeof x - 1U);
for (i = 0;i < crypto_hash_sha512_BYTES;++i) printf("%02x",(unsigned int) h[i]);
printf("\n");
return 0;
}
int crypto_sign_seckey_expand(unsigned char *sk, const unsigned char *skseed)
{
crypto_hash_sha512(sk,skseed,32);
sk[0] &= 248;
sk[31] &= 63;
sk[31] |= 64;
return 0;
}
static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
{
unsigned long long i;
for (i = 0;i < 32;++i) playground[i] = sm[i];
for (i = 32;i < 64;++i) playground[i] = pk[i-32];
for (i = 64;i < smlen;++i) playground[i] = sm[i];
crypto_hash_sha512(hram,playground,smlen);
}
/* NEW: Compare to pristine crypto_sign()
Uses explicit private key for nonce derivation and as scalar,
instead of deriving both from a master key.
*/
int crypto_sign_modified(
unsigned char *sm,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk, const unsigned char* pk,
const unsigned char* random
)
{
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
int count=0;
memmove(sm + 64,m,mlen);
memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */
/* NEW : add prefix to separate hash uses - see .h */
sm[0] = 0xFE;
for (count = 1; count < 32; count++)
sm[count] = 0xFF;
/* NEW: add suffix of random data */
memmove(sm + mlen + 64, random, 64);
crypto_hash_sha512(nonce,sm,mlen + 128);
memmove(sm + 32,pk,32);
sc_reduce(nonce);
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(sm,&R);
crypto_hash_sha512(hram,sm,mlen + 64);
sc_reduce(hram);
sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */
/* NEW: Try to erase any traces of privkey or
nonce left in the stack from sc_muladd. */
zeroize_stack();
zeroize(nonce, 64);
return 0;
}
PyObject *pycrypto_hash_sha512(PyObject *self, PyObject *args, PyObject *kw){
char *m;
Py_ssize_t msize=0;
unsigned char h[crypto_hash_sha512_BYTES];
static const char *kwlist[] = {"m",0};
if (!PyArg_ParseTupleAndKeywords(args, kw, "|s#:crypto_hash_sha512", (char **)kwlist, &m, &msize)){
return (PyObject *)0;}
crypto_hash_sha512(h, (const unsigned char *)m, msize);
return PyBytes_FromStringAndSize((char *)h, crypto_hash_sha512_BYTES);}
int crypto_sign_ed25519_tinynacl(unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long n, const unsigned char *skorig) {
long long i;
unsigned char nonce[64], hram[64], sk[64], pk[32];
ge25519 R;
/* compute secret key from seed sk = H(skorig), H = sha512 */
crypto_hash_sha512(sk, skorig, 32);
sk[0] &= 248;
sk[31] &= 63;
sk[31] |= 64;
/* copy m to sm, copy secret key and public key */
*smlen = n + 64;
for (i = 31; i >= 0; --i) pk[i ] = skorig[i + 32];
for (i = n - 1; i >= 0; --i) sm[i + 64] = m[i];
for (i = 31; i >= 0; --i) sm[i + 32] = sk[i + 32];
/* get pseudorandom nonce = H(sk2, m) */
crypto_hash_sha512(nonce, sm + 32, n + 32);
sc25519_reduce(nonce);
/* copy pk to sm */
for (i = 31; i >= 0; --i) sm[i + 32] = pk[i];
/* compute R */
ge25519_scalarmult_base(R, nonce);
ge25519_tobytes(sm, R);
/* calculate hram = H(r, a, m) */
crypto_hash_sha512(hram, sm, n + 64);
sc25519_reduce(hram);
/* compute S */
sc25519_muladd(sm + 32, hram, sk, nonce);
/* cleanup */
cleanup(nonce); cleanup(hram); cleanup(sk); cleanup(pk); cleanup(R);
return 0;
}
int crypto_sign_ed25519_tinynacl_open(unsigned char *m, unsigned long long *mlen, const unsigned char *sm, unsigned long long n, const unsigned char *pk) {
long long i;
unsigned char pkcopy[32], rcopy[32], scopy[32], hram[64], rcheck[32];
ge25519 R, S, A;
int ret = -1;
/* check input */
if (n < 64) goto fail;
if (sm[63] & 224) goto fail;
/* unpack pk */
if (ge25519_frombytes_negate_vartime(A, pk) != 0) goto fail;
/* copy pk, r, s */
for (i = 0; i < 32; ++i) pkcopy[i] = pk[i];
for (i = 0; i < 32; ++i) rcopy[i] = sm[i];
for (i = 0; i < 32; ++i) scopy[i] = sm[i + 32];
/* copy sm to m and copy pk to m */
for (i = n - 1; i >= 0; --i) m[i] = sm[i];
for (i = 0; i < 32; ++i) m[i + 32] = pkcopy[i];
/* calculate hram = H(r, a, m) */
crypto_hash_sha512(hram, m, n);
sc25519_reduce(hram);
/* compute R */
ge25519_scalarmult(A, A, hram);
ge25519_scalarmult_base(S, scopy);
ge25519_add(R, S, A);
/* check R */
ge25519_tobytes(rcheck, R);
if (crypto_verify_32(rcheck, rcopy) != 0) goto fail;
/* copy message */
n -= 64; *mlen = n;
for (i = 0; i < n; ++i) m[i] = m[i + 64];
for (i = 0; i < 64; ++i) m[i + n] = 0;
ret = 0;
goto cleanup;
fail:
for (i = 0; i < n; ++i) m[i] = 0;
cleanup:
cleanup(pkcopy); cleanup(rcopy); cleanup(scopy);
cleanup(hram); cleanup(rcheck);
cleanup(R); cleanup(S); cleanup(A);
return ret;
}
int
crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk,
unsigned char *sk,
const unsigned char *seed)
{
unsigned char hash[64];
crypto_hash_sha512(hash, seed, 32);
memcpy(sk, hash, 32);
sodium_memzero(hash, sizeof hash);
return crypto_scalarmult_curve25519_base(pk, sk);
}
int crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk,
unsigned char *sk)
{
ge_p3 A;
randombytes_buf(sk, 32);
crypto_hash_sha512(sk, sk, 32);
sk[0] &= 248;
sk[31] &= 63;
sk[31] |= 64;
ge_scalarmult_base(&A, sk);
ge_p3_tobytes(pk, &A);
return 0;
}
int main()
{
struct stat st;
int ch;
if (fstat(0,&st) == 0) {
input = mmap(0,st.st_size,PROT_READ,MAP_SHARED,0,0);
if (input != MAP_FAILED) {
crypto_hash_sha512(h,input,st.st_size);
h_print();
return 0;
}
}
input = 0;
inputalloc = 0;
inputlen = 0;
while ((ch = getchar()) != EOF) {
if (inputlen >= inputalloc) {
void *newinput;
while (inputlen >= inputalloc)
inputalloc = inputalloc * 2 + 1;
if (posix_memalign(&newinput,16,inputalloc) != 0) return 111;
memcpy(newinput,input,inputlen);
free(input);
input = newinput;
}
input[inputlen++] = ch;
}
crypto_hash_sha512(h,input,inputlen);
h_print();
return 0;
}
int keyring_identity_mac(keyring_context *c,keyring_identity *id,
unsigned char *pkrsalt,unsigned char *mac)
{
int ofs;
unsigned char work[65536];
#define APPEND(b,l) if (ofs+(l)>=65536) { bzero(work,ofs); return WHY("Input too long"); } bcopy((b),&work[ofs],(l)); ofs+=(l)
ofs=0;
APPEND(&pkrsalt[0],32);
APPEND(id->keypairs[0]->private_key,id->keypairs[0]->private_key_len);
APPEND(id->keypairs[0]->public_key,id->keypairs[0]->public_key_len);
APPEND(id->PKRPin,strlen(id->PKRPin));
crypto_hash_sha512(mac,work,ofs);
return 0;
}
int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
const unsigned char *ed25519_sk)
{
unsigned char h[crypto_hash_sha512_BYTES];
crypto_hash_sha512(h, ed25519_sk,
crypto_sign_ed25519_SECRETKEYBYTES -
crypto_sign_ed25519_PUBLICKEYBYTES);
h[0] &= 248;
h[31] &= 127;
h[31] |= 64;
memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
sodium_memzero(h, sizeof h);
return 0;
}
int
_crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk, int prehashed)
{
crypto_hash_sha512_state hs;
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
#ifdef ED25519_NONDETERMINISTIC
memcpy(az, sk, 32);
_crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
#else
crypto_hash_sha512(az, sk, 32);
crypto_hash_sha512_update(&hs, az + 32, 32);
#endif
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, sk + 32, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
_crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
_crypto_sign_ed25519_clamp(az);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen_p != NULL) {
*siglen_p = 64U;
}
return 0;
}
int crypto_sign_edwards25519sha512batch_open(unsigned char *m,
unsigned long long *mlen_p,
const unsigned char *sm,
unsigned long long smlen,
const unsigned char *pk)
{
unsigned char h[64];
unsigned char t1[32], t2[32];
unsigned long long mlen;
ge_cached Ai;
ge_p1p1 csa;
ge_p2 cs;
ge_p3 A;
ge_p3 R;
ge_p3 cs3;
*mlen_p = 0;
if (smlen < 64 || smlen > SIZE_MAX) {
return -1;
}
mlen = smlen - 64;
if (sm[smlen - 1] & 224) {
return -1;
}
if (ge_frombytes_negate_vartime(&A, pk) != 0 ||
ge_frombytes_negate_vartime(&R, sm) != 0) {
return -1;
}
ge_p3_to_cached(&Ai, &A);
crypto_hash_sha512(h, sm, mlen + 32);
sc_reduce(h);
ge_scalarmult_vartime(&cs3, h, &R);
ge_add(&csa, &cs3, &Ai);
ge_p1p1_to_p2(&cs, &csa);
ge_tobytes(t1, &cs);
t1[31] ^= 1 << 7;
ge_scalarmult_base(&R, sm + 32 + mlen);
ge_p3_tobytes(t2, &R);
if (crypto_verify_32(t1, t2) != 0) {
return -1;
}
*mlen_p = mlen;
memmove(m, sm + 32, mlen);
return 0;
}
int crypto_sign_compute_public_key(const unsigned char *skin, unsigned char *pk)
{
IN();
unsigned char h[64];
ge_p3 A;
crypto_hash_sha512(h,skin,32);
h[0] &= 248;
h[31] &= 63;
h[31] |= 64;
ge_scalarmult_base(&A,h);
ge_p3_tobytes(pk,&A);
RETURN(0);
OUT();
}
int
crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
const unsigned char *m, unsigned long long mlen,
const unsigned char *sk)
{
crypto_hash_sha512_state hs;
unsigned char pk[32];
unsigned char az[64];
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
memmove(pk, sk + 32, 32);
crypto_hash_sha512(az, sk, 32);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, az + 32, 32);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, nonce);
memmove(sig + 32, pk, 32);
sc_reduce(nonce);
ge_scalarmult_base(&R, nonce);
ge_p3_tobytes(sig, &R);
crypto_hash_sha512_init(&hs);
crypto_hash_sha512_update(&hs, sig, 64);
crypto_hash_sha512_update(&hs, m, mlen);
crypto_hash_sha512_final(&hs, hram);
sc_reduce(hram);
sc_muladd(sig + 32, hram, az, nonce);
sodium_memzero(az, sizeof az);
sodium_memzero(nonce, sizeof nonce);
if (siglen != NULL) {
*siglen = 64U;
}
return 0;
}
int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
const unsigned char *seed)
{
ge_p3 A;
crypto_hash_sha512(sk,seed,32);
sk[0] &= 248;
sk[31] &= 63;
sk[31] |= 64;
ge_scalarmult_base(&A,sk);
ge_p3_tobytes(pk,&A);
memmove(sk, seed, 32);
memmove(sk + 32, pk, 32);
return 0;
}
// sign the hash of a message, adding the signature to the end of the message buffer.
int crypto_sign_message(struct keyring_identity *identity, unsigned char *content, size_t buffer_len, size_t *content_len)
{
if (*content_len + SIGNATURE_BYTES > buffer_len)
return WHYF("Insufficient space in message buffer to add signature. %zu, need %zu",buffer_len, *content_len + SIGNATURE_BYTES);
struct keypair *key = keyring_find_sas_private(keyring, identity);
if (!key)
return WHY("Could not find signing key");
unsigned char hash[crypto_hash_sha512_BYTES];
crypto_hash_sha512(hash, content, *content_len);
int sig_length = SIGNATURE_BYTES;
int ret=crypto_create_signature(key->private_key, hash, crypto_hash_sha512_BYTES, &content[*content_len], &sig_length);
*content_len+=sig_length;
return ret;
}
int crypto_sign_keypair(unsigned char *pk,unsigned char *sk)
{
unsigned char h[64];
ge_p3 A;
int i;
randombytes(sk,32);
crypto_hash_sha512(h,sk,32);
h[0] &= 248;
h[31] &= 63;
h[31] |= 64;
ge_scalarmult_base(&A,h);
ge_p3_tobytes(pk,&A);
for (i = 0;i < 32;++i) sk[32 + i] = pk[i];
return 0;
}
// verify the signature at the end of a message, on return message_len will be reduced by the length of the signature.
int crypto_verify_message(struct subscriber *subscriber, unsigned char *message, int *message_len)
{
if (!subscriber->sas_valid){
keyring_send_sas_request(subscriber);
return WHY("SAS key not currently on record, cannot verify");
}
if (*message_len < SIGNATURE_BYTES)
return WHY("Message is too short to include a signature");
*message_len -= SIGNATURE_BYTES;
unsigned char hash[crypto_hash_sha512_BYTES];
crypto_hash_sha512(hash,message,*message_len);
return crypto_verify_signature(subscriber->sas_public, hash,
crypto_hash_sha512_BYTES, &message[*message_len], SIGNATURE_BYTES);
}
int crypto_sign_open(
unsigned char *m,unsigned long long *mlen,
const unsigned char *sm,unsigned long long smlen,
const unsigned char *pk
)
{
unsigned char pkcopy[32];
unsigned char rcopy[32];
unsigned char hram[64];
unsigned char rcheck[32];
ge25519 get1, get2;
sc25519 schram, scs;
if (smlen < 64) goto badsig;
if (sm[63] & 224) goto badsig;
if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig;
memmove(pkcopy,pk,32);
memmove(rcopy,sm,32);
sc25519_from32bytes(&scs, sm+32);
memmove(m,sm,smlen);
memmove(m + 32,pkcopy,32);
crypto_hash_sha512(hram,m,smlen);
sc25519_from64bytes(&schram, hram);
ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
ge25519_pack(rcheck, &get2);
if (crypto_verify_32(rcopy,rcheck) == 0) {
memmove(m,m + 64,smlen - 64);
memset(m + smlen - 64,0,64);
*mlen = smlen - 64;
return 0;
}
badsig:
*mlen = (unsigned long long) -1;
memset(m,0,smlen);
return -1;
}
int
crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
const unsigned char *ed25519_sk)
{
unsigned char h[crypto_hash_sha512_BYTES];
#ifdef ED25519_NONDETERMINISTIC
memcpy(h, ed25519_sk, 32);
#else
crypto_hash_sha512(h, ed25519_sk, 32);
#endif
h[0] &= 248;
h[31] &= 127;
h[31] |= 64;
memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
sodium_memzero(h, sizeof h);
return 0;
}
int crypto_sign_ed25519_tinynacl_keypair(unsigned char *pk, unsigned char *sk) {
unsigned char h[64];
ge25519 A;
long long i;
randombytes(sk, 32);
crypto_hash_sha512(h, sk, 32);
h[0] &= 248;
h[31] &= 63;
h[31] |= 64;
ge25519_scalarmult_base(A, h);
ge25519_tobytes(pk, A);
for (i = 31; i >= 0; --i) sk[i + 32] = pk[i];
cleanup(h); cleanup(A);
return 0;
}
static int serval_create_signature(unsigned char *key,
const unsigned char *msg,
const size_t msg_len,
unsigned char *sig_buffer,
const size_t sig_size) {
unsigned long long sig_length = SIGNATURE_BYTES;
CHECK(sig_size >= msg_len + SIGNATURE_BYTES,"Signature buffer too small");
unsigned char hash[crypto_hash_sha512_BYTES];
crypto_hash_sha512(hash, msg, msg_len); // create sha512 hash of message, which will then be signed
memcpy(sig_buffer,msg,msg_len);
if (crypto_create_signature(key, hash, crypto_hash_sha512_BYTES, &sig_buffer[msg_len], &sig_length) != 0) // create signature of message hash, append it to end of message
return 0;
return 1;
error:
return 0;
}
int crypto_sign_publickey(
unsigned char *pk, // write 32 bytes into this
unsigned char *sk, // write 64 bytes into this (seed+pubkey)
unsigned char *seed // 32 bytes input
)
{
unsigned char h[64];
ge_p3 A;
int i;
crypto_hash_sha512(h,seed,32);
h[0] &= 248;
h[31] &= 63;
h[31] |= 64;
ge_scalarmult_base(&A,h);
ge_p3_tobytes(pk,&A);
for (i = 0;i < 32;++i) sk[i] = seed[i];
for (i = 0;i < 32;++i) sk[32 + i] = pk[i];
return 0;
}
int
crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
const unsigned char *seed)
{
ge25519_p3 A;
#ifdef ED25519_NONDETERMINISTIC
memmove(sk, seed, 32);
#else
crypto_hash_sha512(sk, seed, 32);
#endif
sk[0] &= 248;
sk[31] &= 127;
sk[31] |= 64;
ge25519_scalarmult_base(&A, sk);
ge25519_p3_tobytes(pk, &A);
memmove(sk, seed, 32);
memmove(sk + 32, pk, 32);
return 0;
}
int
cmd_serval_verify(svl_crypto_ctx *ctx)
{
int verdict = 0;
CHECK_ERR(ctx && ctx->msg && ctx->signature[0] && ctx->sas_public[0],"Invalid ctx");
DEBUG("Message to verify:\n%s", ctx->msg);
unsigned char hash[crypto_hash_sha512_BYTES];
crypto_hash_sha512(hash, ctx->msg, ctx->msg_len);
int sig_ret = crypto_verify_signature(ctx->sas_public,
hash,
crypto_hash_sha512_BYTES,
ctx->signature,
SIGNATURE_BYTES);
if (sig_ret == 0)
verdict = 1; // successfully verified
error:
return verdict;
}
static int
serval_create_signature(svl_crypto_ctx *ctx)
{
CHECK(ctx && ctx->sas_private[0] && ctx->msg && ctx->msg_len,"Invalid ctx");
unsigned long long sig_length = SIGNATURE_BYTES;
unsigned char hash[crypto_hash_sha512_BYTES];
// create sha512 hash of message, which will then be signed
crypto_hash_sha512(hash, ctx->msg, ctx->msg_len);
// create signature of message hash, append it to end of message
int sig_ret = crypto_create_signature(ctx->sas_private,
hash,
crypto_hash_sha512_BYTES,
ctx->signature,
&sig_length);
if (sig_ret != 0)
return 0;
return 1;
error:
return 0;
}
