Diffstat (limited to 'comm/third_party/botan/src/lib/pubkey/ed25519/ed25519.cpp')
-rw-r--r--comm/third_party/botan/src/lib/pubkey/ed25519/ed25519.cpp102
1 files changed, 102 insertions, 0 deletions
diff --git a/comm/third_party/botan/src/lib/pubkey/ed25519/ed25519.cpp b/comm/third_party/botan/src/lib/pubkey/ed25519/ed25519.cpp
new file mode 100644
index 0000000000..624f82657a
--- /dev/null
+++ b/comm/third_party/botan/src/lib/pubkey/ed25519/ed25519.cpp
@@ -0,0 +1,102 @@
+/*
+* Ed25519
+* (C) 2017 Ribose Inc
+*
+* Based on the public domain code from SUPERCOP ref10 by
+* Peter Schwabe, Daniel J. Bernstein, Niels Duif, Tanja Lange, Bo-Yin Yang
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include <botan/ed25519.h>
+#include <botan/internal/ed25519_internal.h>
+#include <botan/sha2_64.h>
+#include <botan/rng.h>
+
+namespace Botan {
+
+void ed25519_gen_keypair(uint8_t* pk, uint8_t* sk, const uint8_t seed[32])
+ {
+ uint8_t az[64];
+
+ SHA_512 sha;
+ sha.update(seed, 32);
+ sha.final(az);
+ az[0] &= 248;
+ az[31] &= 63;
+ az[31] |= 64;
+
+ ge_scalarmult_base(pk, az);
+
+ // todo copy_mem
+ copy_mem(sk, seed, 32);
+ copy_mem(sk + 32, pk, 32);
+ }
+
+void ed25519_sign(uint8_t sig[64],
+ const uint8_t m[], size_t mlen,
+ const uint8_t sk[64],
+ const uint8_t domain_sep[], size_t domain_sep_len)
+ {
+ uint8_t az[64];
+ uint8_t nonce[64];
+ uint8_t hram[64];
+
+ SHA_512 sha;
+
+ sha.update(sk, 32);
+ sha.final(az);
+ az[0] &= 248;
+ az[31] &= 63;
+ az[31] |= 64;
+
+ sha.update(domain_sep, domain_sep_len);
+ sha.update(az + 32, 32);
+ sha.update(m, mlen);
+ sha.final(nonce);
+
+ sc_reduce(nonce);
+ ge_scalarmult_base(sig, nonce);
+
+ sha.update(domain_sep, domain_sep_len);
+ sha.update(sig, 32);
+ sha.update(sk + 32, 32);
+ sha.update(m, mlen);
+ sha.final(hram);
+
+ sc_reduce(hram);
+ sc_muladd(sig + 32, hram, az, nonce);
+ }
+
+bool ed25519_verify(const uint8_t* m, size_t mlen,
+ const uint8_t sig[64],
+ const uint8_t* pk,
+ const uint8_t domain_sep[], size_t domain_sep_len)
+ {
+ uint8_t h[64];
+ uint8_t rcheck[32];
+ ge_p3 A;
+ SHA_512 sha;
+
+ if(sig[63] & 224)
+ {
+ return false;
+ }
+ if(ge_frombytes_negate_vartime(&A, pk) != 0)
+ {
+ return false;
+ }
+
+ sha.update(domain_sep, domain_sep_len);
+ sha.update(sig, 32);
+ sha.update(pk, 32);
+ sha.update(m, mlen);
+ sha.final(h);
+ sc_reduce(h);
+
+ ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
+
+ return constant_time_compare(rcheck, sig, 32);
+ }
+
+}
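Review bot: The expanded private scalar in `az` (and the per-signature `nonce` in ed25519_sign) is left in plain stack arrays after use in both ed25519_gen_keypair and ed25519_sign, so secret material can remain readable on the stack after these functions return; adding `secure_scrub_memory(az, sizeof(az));` before the closing brace of ed25519_gen_keypair, and `secure_scrub_memory(az, sizeof(az)); secure_scrub_memory(nonce, sizeof(nonce));` at the end of ed25519_sign, would bring this in line with how the rest of the library treats key material. The `// todo copy_mem` comment above the two copy_mem calls in ed25519_gen_keypair is stale now that copy_mem is what is called, and should be dropped. In ed25519_verify the `sig[63] & 224` test only rejects S values at or above 2^253, not the non-canonical range between the group order L and 2^253, so a signature with S in that range is accepted alongside its reduced form; a full comparison of `sig + 32` against L before hashing, as RFC 8032 section 5.1.7 requires, would close that malleability gap.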