int cced25519_verify(const struct ccdigest_info *di, size_t mlen, const void *inMsg, const ccec25519signature sig, const ccec25519pubkey pk) { const uint8_t * const m = (const uint8_t *) inMsg; ccdigest_di_decl(di, dc); uint8_t h[64]; uint8_t checkr[32]; ge_p3 A; ge_p2 R; ASSERT_DIGEST_SIZE(di); if (ge_frombytes_negate_vartime(&A,pk) != 0) return -1; ccdigest_init(di,dc); ccdigest_update(di,dc,32,sig); ccdigest_update(di,dc,32,pk); ccdigest_update(di,dc,mlen,m); ccdigest_final(di,dc,h); ccdigest_di_clear(di,dc); sc_reduce(h); ge_double_scalarmult_vartime(&R,h,&A,sig + 32); ge_tobytes(checkr,&R); return crypto_verify_32(checkr,sig); }
static int test_discreet(const struct ccdigest_info *di, test_vector *vector) { uint8_t answer[128]; size_t total = vector->len; size_t chunk = vector->len/2; uint8_t *p = vector->input; uint8_t ctxfrontguard[4096]; ccdigest_di_decl(di, ctx); uint8_t ctxrearguard[4096]; memset(ctxfrontguard, 0xee, 4096); memset(ctxrearguard, 0xee, 4096); // break it up into pieces. ccdigest_init(di, ctx); ok(guard_ok(ctxfrontguard, 0xee, 4096), "context is safe"); ok(guard_ok(ctxrearguard, 0xee, 4096), "context is safe"); do { ccdigest_update(di, ctx, chunk, p); total -= chunk; p += chunk; chunk /= 2; if(chunk == 0) chunk = total; } while(total); ok(guard_ok(ctxfrontguard, 0xee, 4096), "context is safe"); ok(guard_ok(ctxrearguard, 0xee, 4096), "context is safe"); ccdigest_final(di, ctx, answer); ok(guard_ok(ctxfrontguard, 0xee, 4096), "context is safe"); ok(guard_ok(ctxrearguard, 0xee, 4096), "context is safe"); ok(test_answer(di, vector, answer), "check answer"); return 1; }
void ccec_rfc6637_kdf(const struct ccdigest_info *di, const struct ccec_rfc6637_curve *curve, const struct ccec_rfc6637 *wrap, size_t skey_size, const void *skey, size_t fingerprint_size, const void *fingerprint, void *hash) { ccdigest_di_decl(di, dictx); ccdigest_init(di, dictx); ccdigest_update(di, dictx, 4, "\x00\x00\x00\x01"); ccdigest_update(di, dictx, skey_size, skey); /* params */ ccdigest_update(di, dictx, 1, &curve->curve_oid[0]); ccdigest_update(di, dictx, curve->curve_oid[0], &curve->curve_oid[1]); ccdigest_update(di, dictx, 1, &curve->public_key_alg); ccdigest_update(di, dictx, 2, "\x03\x01"); ccdigest_update(di, dictx, 1, &wrap->kdfhash_id); ccdigest_update(di, dictx, 1, &wrap->kek_id); ccdigest_update(di, dictx, 20, "Anonymous Sender "); ccdigest_update(di, dictx, fingerprint_size, fingerprint); ccdigest_final(di, dictx, hash); ccdigest_di_clear(di, dictx); }
static bool SOSDescriptionHash(SOSPeerInfoRef peer, const struct ccdigest_info *di, void *hashresult, CFErrorRef *error) { ccdigest_di_decl(di, ctx); ccdigest_init(di, ctx); void *ctx_p = ctx; if(!SOSPeerInfoUpdateDigestWithDescription(peer, di, ctx_p, error)) return false; ccdigest_final(di, ctx, hashresult); return true; }
/* The HMAC_<DIG> transform looks like: <DIG> (K XOR opad || <DIG> (K XOR ipad || text)) Where K is a n byte key ipad is the byte 0x36 repeated 64 times. opad is the byte 0x5c repeated 64 times. text is the data being protected. */ void cchmac_init(const struct ccdigest_info *di, cchmac_ctx_t hc, unsigned long key_len, const void *key_data) { const unsigned char *key = key_data; /* Set cchmac_data(di, hc) to key ^ opad. */ unsigned long byte = 0; if (key_len <= di->block_size) { for (;byte < key_len; ++byte) { cchmac_data(di, hc)[byte] = key[byte] ^ 0x5c; } } else { /* Key is longer than di->block size, reset it to key=digest(key) */ ccdigest_init(di, cchmac_digest_ctx(di, hc)); ccdigest_update(di, cchmac_digest_ctx(di, hc), key_len, key); ccdigest_final(di, cchmac_digest_ctx(di, hc), cchmac_data(di, hc)); key_len = di->output_size; for (;byte < key_len; ++byte) { cchmac_data(di, hc)[byte] ^= 0x5c; } } /* Fill remainder of cchmac_data(di, hc) with opad. */ if (key_len < di->block_size) { CC_MEMSET(cchmac_data(di, hc) + key_len, 0x5c, di->block_size - key_len); } /* Set cchmac_ostate32(di, hc) to the state of the first round of the outer digest. */ ccdigest_copy_state(di, cchmac_ostate32(di, hc), di->initial_state); di->compress(cchmac_ostate(di, hc), 1, cchmac_data(di, hc)); /* Set cchmac_data(di, hc) to key ^ ipad. */ for (byte = 0; byte < di->block_size; ++byte) { cchmac_data(di, hc)[byte] ^= (0x5c ^ 0x36); } ccdigest_copy_state(di, cchmac_istate32(di, hc), di->initial_state); di->compress(cchmac_istate(di, hc), 1, cchmac_data(di, hc)); cchmac_num(di, hc) = 0; cchmac_nbits(di, hc) = di->block_size * 8; }