2 This file has been placed in the public domain.
4 Based on TweetNaCl version 20140427
6 Originally obtained from:
7 https://tweetnacl.cr.yp.to/20140427/tweetnacl.h
9 SPDX-License-Identifier: 0BSD
13 #include "gnunet_crypto_lib.h"
14 #include "tweetnacl-gnunet.h"
15 #define FOR(i,n) for (i = 0; i < n; ++i)
23 static const u8 _9[32] = {9};
28 D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898,
29 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
30 D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130,
31 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
32 X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c,
33 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
34 Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666,
35 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
36 I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7,
37 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
40 vn (const u8 *x,const u8 *y,int n)
43 FOR (i,n) d |= x[i] ^ y[i];
44 return (1 & ((d - 1) >> 8)) - 1;
48 crypto_verify_32 (const u8 *x,const u8 *y)
54 set25519 (gf r, const gf a)
57 FOR (i,16) r[i] = a[i];
68 o[(i + 1) * (i<15)] += c - 1 + 37 * (c - 1) * (i==15);
74 sel25519 (gf p,gf q,int b)
78 t = c & (p[i] ^ q[i]);
85 pack25519 (u8 *o,const gf n)
89 FOR (i,16) t[i] = n[i];
95 for (i = 1; i<15; i++) {
96 m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
99 m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
100 b = (m[15] >> 16) & 1;
102 sel25519 (t,m,1 - b);
105 o[2 * i] = t[i] & 0xff;
106 o[2 * i + 1] = t[i] >> 8;
111 neq25519 (const gf a, const gf b)
116 return crypto_verify_32 (c,d);
120 par25519 (const gf a)
128 unpack25519 (gf o, const u8 *n)
131 FOR (i,16) o[i] = n[2 * i] + ((i64) n[2 * i + 1] << 8);
136 A (gf o,const gf a,const gf b)
139 FOR (i,16) o[i] = a[i] + b[i];
143 Z (gf o,const gf a,const gf b)
146 FOR (i,16) o[i] = a[i] - b[i];
150 M (gf o,const gf a,const gf b)
154 FOR (i,16) FOR (j,16) t[i + j] += a[i] * b[j];
155 FOR (i,15) t[i] += 38 * t[i + 16];
156 FOR (i,16) o[i] = t[i];
168 inv25519 (gf o,const gf i)
172 FOR (a,16) c[a] = i[a];
173 for (a = 253; a>=0; a--) {
178 FOR (a,16) o[a] = c[a];
181 static void pow2523 (gf o,const gf i)
185 FOR (a,16) c[a] = i[a];
186 for (a = 250; a>=0; a--) {
191 FOR (a,16) o[a] = c[a];
195 GNUNET_TWEETNACL_scalarmult_curve25519 (u8 *q,const u8 *n,const u8 *p)
200 FOR (i,31) z[i] = n[i];
201 z[31] = (n[31] & 127) | 64;
206 d[i] = a[i] = c[i] = 0;
209 for (i = 254; i>=0; --i) {
210 r = (z[i >> 3] >> (i & 7)) & 1;
240 inv25519 (x + 32,x + 32);
241 M (x + 16,x + 16,x + 32);
242 pack25519 (q,x + 16);
247 GNUNET_TWEETNACL_scalarmult_curve25519_base (u8 *q,const u8 *n)
249 return GNUNET_TWEETNACL_scalarmult_curve25519 (q,n,_9);
253 crypto_hash (u8 *out,const u8 *m,u64 n)
255 struct GNUNET_HashCode *hc = (void *) out;
256 GNUNET_CRYPTO_hash (m, n, hc);
261 add (gf p[4],gf q[4])
263 gf a,b,c,d,t,e,f,g,h;
287 cswap (gf p[4],gf q[4],u8 b)
291 sel25519 (p[i],q[i],b);
302 r[31] ^= par25519 (tx) << 7;
306 scalarmult (gf p[4],gf q[4],const u8 *s)
313 for (i = 255; i >= 0; --i) {
314 u8 b = (s[i / 8] >> (i & 7)) & 1;
323 scalarbase (gf p[4],const u8 *s)
333 static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6,
334 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0,
335 0, 0, 0, 0, 0, 0, 0, 0,
339 modL (u8 *r,i64 x[64])
342 for (i = 63; i >= 32; --i) {
344 for (j = i - 32; j < i - 12; ++j) {
345 x[j] += carry - 16 * x[i] * L[j - (i - 32)];
346 carry = (x[j] + 128) >> 8;
354 x[j] += carry - (x[31] >> 4) * L[j];
358 FOR (j,32) x[j] -= carry * L[j];
360 x[i + 1] += x[i] >> 8;
369 FOR (i,64) x[i] = (u64) r[i];
375 unpackneg (gf r[4],const u8 p[32])
377 gf t, chk, num, den, den2, den4, den6;
379 unpack25519 (r[1],p);
399 if (neq25519 (chk, num))
404 if (neq25519 (chk, num))
407 if (par25519 (r[0]) == (p[31] >> 7))
414 /* The following functions have been added for GNUnet */
417 GNUNET_TWEETNACL_sign_pk_from_seed (u8 *pk, const u8 *seed)
422 crypto_hash (d, seed, 32);
432 GNUNET_TWEETNACL_scalarmult_gnunet_ecdsa (u8 *pk, const u8 *s)
437 // Treat s as little endian.
438 for (u32 i = 0; i < 32; i++)
441 // For GNUnet, we don't normalize d
448 GNUNET_TWEETNACL_sign_sk_from_seed (u8 *sk, const u8 *seed)
455 crypto_hash (d, seed, 32);
463 FOR (i,32) sk[i] = seed[i];
464 FOR (i,32) sk[32 + i] = pk[i];
468 GNUNET_TWEETNACL_sign_ed25519_pk_to_curve25519 (u8 *x25519_pk,
469 const u8 *ed25519_pk)
475 if (0 != unpackneg (ge_a, ed25519_pk))
478 set25519 (one_minus_y, gf1);
479 Z (one_minus_y, one_minus_y, ge_a[1]);
484 inv25519 (one_minus_y, one_minus_y);
485 M (x, x, one_minus_y);
486 pack25519 (x25519_pk, x);
491 int GNUNET_TWEETNACL_sign_detached_verify (const u8 *sig,
496 struct GNUNET_HashContext *hc;
500 if (unpackneg (q,pk))
503 hc = GNUNET_CRYPTO_hash_context_start ();
504 GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
505 GNUNET_CRYPTO_hash_context_read (hc, pk, 32);
506 GNUNET_CRYPTO_hash_context_read (hc, m, n);
507 GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
512 scalarbase (q,sig+32);
516 if (crypto_verify_32 (sig, t))
522 GNUNET_TWEETNACL_sign_detached (u8 *sig,
527 struct GNUNET_HashContext *hc;
528 u8 d[64],h[64],r[64];
532 crypto_hash (d, sk, 32);
537 hc = GNUNET_CRYPTO_hash_context_start ();
538 GNUNET_CRYPTO_hash_context_read (hc, d + 32, 32);
539 GNUNET_CRYPTO_hash_context_read (hc, m, n);
540 GNUNET_CRYPTO_hash_context_finish (hc, (void *) r);
546 hc = GNUNET_CRYPTO_hash_context_start ();
547 GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
548 GNUNET_CRYPTO_hash_context_read (hc, sk + 32, 32);
549 GNUNET_CRYPTO_hash_context_read (hc, m, n);
550 GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
555 FOR (i,32) x[i] = (u64) r[i];
556 FOR (i,32) FOR (j,32) x[i + j] += h[i] * (u64) d[j];