cpp
/
urho3d
mirror of https://github.com/urho3d/urho3d.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221
							/* $OpenBSD: ed25519.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */

/*
 * Public Domain, Authors: Daniel J. Bernstein, Niels Duif, Tanja Lange,
 * Peter Schwabe, Bo-Yin Yang.
 * Copied from supercop-20130419/crypto_sign/ed25519/ref/ed25519.c
 *
 * Modified to use lws genhash by Andy Green <[email protected]>
 */

#include <libwebsockets.h>
#include <lws-ssh.h>
#include "ge25519.h"

int
crypto_hash_sha512(uint8_t *hash64, const uint8_t *data, size_t len)
{
	struct lws_genhash_ctx ctx;
	int ret;

	if (lws_genhash_init(&ctx, LWS_GENHASH_TYPE_SHA512)) {
		lwsl_notice("Failed to init SHA512\n");
		return 0;
	}

	ret = lws_genhash_update(&ctx, data, len);

	if (lws_genhash_destroy(&ctx, hash64))
		lwsl_notice("genhash destroy failed\n");

	return ret ? 0 : 64;
}


static void
get_hram(unsigned char *hram, const unsigned char *sm,
	 const unsigned char *pk, unsigned char *playground,
	 size_t smlen)
{
	unsigned long long i;

	for (i =  0; i < 32; ++i)
		playground[i] = sm[i];
	for (i = 32; i < 64; ++i)
		playground[i] = pk[i-32];
	for (i = 64; i < smlen; ++i)
		playground[i] = sm[i];

	crypto_hash_sha512(hram, playground, smlen);
}


int crypto_sign_ed25519_keypair(
    struct lws_context *context,
    unsigned char *pk,
    unsigned char *sk
    )
{
  sc25519 scsk;
  ge25519 gepk;
  unsigned char extsk[64];
  int i;

  lws_get_random(context, sk, 32);
  crypto_hash_sha512(extsk, sk, 32);
  extsk[0] &= 248;
  extsk[31] &= 127;
  extsk[31] |= 64;

  sc25519_from32bytes(&scsk,extsk);
  
  ge25519_scalarmult_base(&gepk, &scsk);
  ge25519_pack(pk, &gepk);
  for(i=0;i<32;i++)
    sk[32 + i] = pk[i];
  return 0;
}

int crypto_sign_ed25519(
    unsigned char *sm,
    unsigned long long *smlen,
    const unsigned char *m, size_t mlen,
    const unsigned char *sk
    )
{
  sc25519 sck, scs, scsk;
  ge25519 ger;
  unsigned char r[32];
  unsigned char s[32];
  unsigned char extsk[64];
  unsigned long long i;
  unsigned char hmg[crypto_hash_sha512_BYTES];
  unsigned char hram[crypto_hash_sha512_BYTES];

  crypto_hash_sha512(extsk, sk, 32);
  extsk[0] &= 248;
  extsk[31] &= 127;
  extsk[31] |= 64;

  *smlen = mlen+64;
  for(i=0;i<mlen;i++)
    sm[64 + i] = m[i];
  for(i=0;i<32;i++)
    sm[32 + i] = extsk[32+i];

  crypto_hash_sha512(hmg, sm+32, mlen+32);
  /* Generate k as h(extsk[32],...,extsk[63],m) */

  /* Computation of R */
  sc25519_from64bytes(&sck, hmg);
  ge25519_scalarmult_base(&ger, &sck);
  ge25519_pack(r, &ger);
  
  /* Computation of s */
  for (i = 0; i < 32; i++)
    sm[i] = r[i];

  get_hram(hram, sm, sk + 32, sm, (size_t)mlen + 64);

  sc25519_from64bytes(&scs, hram);
  sc25519_from32bytes(&scsk, extsk);
  sc25519_mul(&scs, &scs, &scsk);
  
  sc25519_add(&scs, &scs, &sck);

  sc25519_to32bytes(s,&scs); /* cat s */
  for (i = 0; i < 32; i++)
    sm[32 + i] = s[i]; 

  return 0;
}

int crypto_verify_32(const unsigned char *x,const unsigned char *y)
{
  unsigned int differentbits = 0;
#define F(i) differentbits |= x[i] ^ y[i];
  F(0)
  F(1)
  F(2)
  F(3)
  F(4)
  F(5)
  F(6)
  F(7)
  F(8)
  F(9)
  F(10)
  F(11)
  F(12)
  F(13)
  F(14)
  F(15)
  F(16)
  F(17)
  F(18)
  F(19)
  F(20)
  F(21)
  F(22)
  F(23)
  F(24)
  F(25)
  F(26)
  F(27)
  F(28)
  F(29)
  F(30)
  F(31)
  return (1 & ((differentbits - 1) >> 8)) - 1;
}

int crypto_sign_ed25519_open(
    unsigned char *m,unsigned long long *mlen,
    const unsigned char *sm,unsigned long long smlen,
    const unsigned char *pk
    )
{
  unsigned int i;
  int ret;
  unsigned char t2[32];
  ge25519 get1, get2;
  sc25519 schram, scs;
  unsigned char hram[crypto_hash_sha512_BYTES];

  *mlen = (unsigned long long) -1;
  if (smlen < 64) {
	  lwsl_notice("a\n");

	  return -1;
  }

  if (ge25519_unpackneg_vartime(&get1, pk)) {
	  lwsl_notice("b\n");
	  return -1;
  }

  get_hram(hram,sm,pk,m, (size_t)smlen);

  sc25519_from64bytes(&schram, hram);

  sc25519_from32bytes(&scs, sm+32);

  ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &ge25519_base, &scs);
  ge25519_pack(t2, &get2);

  ret = crypto_verify_32(sm, t2);
  lwsl_notice("vf says %d\n", ret);

  if (!ret)
  {
    for(i=0;i<smlen-64;i++)
      m[i] = sm[i + 64];
    *mlen = smlen-64;
  }
  else
  {
    for(i=0;i<smlen-64;i++)
      m[i] = 0;
  }
  return ret;
}