summaryrefslogtreecommitdiff
path: root/libs/libaxolotl/src/curve25519/ed25519
diff options
context:
space:
mode:
authorGluzskiy Alexandr <sss@sss.chaoslab.ru>2017-02-13 07:56:33 +0300
committerGluzskiy Alexandr <sss@sss.chaoslab.ru>2017-02-13 09:09:08 +0300
commit193f645f65ad4ffdec3186e4176b23af10861199 (patch)
treee1b16b48ac74c5f03f99a98798e849f6dd9752cc /libs/libaxolotl/src/curve25519/ed25519
parent36c32a13878d3bd94e88bd9c764f1eadb05ea1ed (diff)
libs:
libaxolotl: updated libaxolotl (libsignal-c) from (https://github.com/WhisperSystems/libsignal-protocol-c)
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519')
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h69
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c64
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h35
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c111
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c14
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c17
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c19
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c50
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c30
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c69
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c70
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c15
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c140
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h12
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c45
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c8
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c25
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c6
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c100
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c62
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/utility.c29
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/utility.h11
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c85
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c62
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c91
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h18
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c82
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c3
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h2
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c11
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/main/main.c107
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/tests/tests.c658
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/tests/tests.h22
39 files changed, 2071 insertions, 187 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
new file mode 100644
index 0000000000..da4a1cd07b
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
@@ -0,0 +1,69 @@
+
+#ifndef __CRYPTO_ADDITIONS__
+#define __CRYPTO_ADDITIONS__
+
+#include "crypto_uint32.h"
+#include "fe.h"
+#include "ge.h"
+
+#define MAX_MSG_LEN 256
+
+void sc_neg(unsigned char *b, const unsigned char *a);
+void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b);
+
+int fe_isequal(const fe f, const fe g);
+void fe_mont_rhs(fe v2, const fe u);
+void fe_montx_to_edy(fe y, const fe u);
+void fe_sqrt(fe b, const fe a);
+
+int ge_is_small_order(const ge_p3 *p);
+int ge_isneutral(const ge_p3* q);
+void ge_neg(ge_p3* r, const ge_p3 *p);
+void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit);
+void ge_p3_to_montx(fe u, const ge_p3 *p);
+void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A);
+void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p);
+
+void elligator(fe u, const fe r);
+void hash_to_point(ge_p3* p, const unsigned char* msg, const unsigned long in_len);
+void calculate_Bv(ge_p3* Bv,
+ unsigned char* buf,
+ const unsigned char* A,
+ const unsigned char* msg, const unsigned long msg_len);
+void calculate_Bv_and_V(ge_p3* Bv,
+ unsigned char* V,
+ unsigned char* buf,
+ const unsigned char* a,
+ const unsigned char* A,
+ const unsigned char* msg, const unsigned long msg_len);
+
+int crypto_sign_modified(
+ unsigned char *sm,
+ const unsigned char *m,unsigned long long mlen,
+ const unsigned char *sk, /* Curve/Ed25519 private key */
+ const unsigned char *pk, /* Ed25519 public key */
+ const unsigned char *random /* 64 bytes random to hash into nonce */
+ );
+
+int crypto_sign_open_modified(
+ unsigned char *m,
+ const unsigned char *sm,unsigned long long smlen,
+ const unsigned char *pk
+ );
+
+int crypto_vsign_modified(
+ unsigned char *sm,
+ const unsigned char *M,unsigned long Mlen,
+ const unsigned char *a,
+ const unsigned char *A,
+ const unsigned char *random,
+ const ge_p3 *Bu,
+ const unsigned char *U);
+
+int crypto_vsign_open_modified(
+ unsigned char *m,
+ const unsigned char *sm,unsigned long long smlen,
+ const unsigned char *pk, const ge_p3* Bu);
+
+
+#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
index 2a0aa54d4f..7a49b18aaa 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
@@ -3,36 +3,7 @@
#include "ge.h"
#include "curve_sigs.h"
#include "crypto_sign.h"
-
-void curve25519_keygen(unsigned char* curve25519_pubkey_out,
- const unsigned char* curve25519_privkey_in)
-{
- ge_p3 ed; /* Ed25519 pubkey point */
- fe ed_y, ed_y_plus_one, one_minus_ed_y, inv_one_minus_ed_y;
- fe mont_x;
-
- /* Perform a fixed-base multiplication of the Edwards base point,
- (which is efficient due to precalculated tables), then convert
- to the Curve25519 montgomery-format public key. In particular,
- convert Curve25519's "montgomery" x-coordinate into an Ed25519
- "edwards" y-coordinate:
-
- mont_x = (ed_y + 1) / (1 - ed_y)
-
- with projective coordinates:
-
- mont_x = (ed_y + ed_z) / (ed_z - ed_y)
-
- NOTE: ed_y=1 is converted to mont_x=0 since fe_invert is mod-exp
- */
-
- ge_scalarmult_base(&ed, curve25519_privkey_in);
- fe_add(ed_y_plus_one, ed.Y, ed.Z);
- fe_sub(one_minus_ed_y, ed.Z, ed.Y);
- fe_invert(inv_one_minus_ed_y, one_minus_ed_y);
- fe_mul(mont_x, ed_y_plus_one, inv_one_minus_ed_y);
- fe_tobytes(curve25519_pubkey_out, mont_x);
-}
+#include "crypto_additions.h"
int curve25519_sign(unsigned char* signature_out,
const unsigned char* curve25519_privkey,
@@ -71,18 +42,16 @@ int curve25519_verify(const unsigned char* signature,
const unsigned char* curve25519_pubkey,
const unsigned char* msg, const unsigned long msg_len)
{
- fe mont_x, mont_x_minus_one, mont_x_plus_one, inv_mont_x_plus_one;
- fe one;
- fe ed_y;
+ fe u;
+ fe y;
unsigned char ed_pubkey[32];
- unsigned long long some_retval;
- unsigned char *verifybuf = NULL; /* working buffer */
+ unsigned char *verifybuf = NULL; /* working buffer */
unsigned char *verifybuf2 = NULL; /* working buffer #2 */
int result;
if ((verifybuf = malloc(msg_len + 64)) == 0) {
- result = -1;
- goto err;
+ result = -1;
+ goto err;
}
if ((verifybuf2 = malloc(msg_len + 64)) == 0) {
@@ -91,22 +60,18 @@ int curve25519_verify(const unsigned char* signature,
}
/* Convert the Curve25519 public key into an Ed25519 public key. In
- particular, convert Curve25519's "montgomery" x-coordinate into an
+ particular, convert Curve25519's "montgomery" x-coordinate (u) into an
Ed25519 "edwards" y-coordinate:
- ed_y = (mont_x - 1) / (mont_x + 1)
+ y = (u - 1) / (u + 1)
- NOTE: mont_x=-1 is converted to ed_y=0 since fe_invert is mod-exp
+ NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
Then move the sign bit into the pubkey from the signature.
*/
- fe_frombytes(mont_x, curve25519_pubkey);
- fe_1(one);
- fe_sub(mont_x_minus_one, mont_x, one);
- fe_add(mont_x_plus_one, mont_x, one);
- fe_invert(inv_mont_x_plus_one, mont_x_plus_one);
- fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one);
- fe_tobytes(ed_pubkey, ed_y);
+ fe_frombytes(u, curve25519_pubkey);
+ fe_montx_to_edy(y, u);
+ fe_tobytes(ed_pubkey, y);
/* Copy the sign bit, and remove it from signature */
ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */
@@ -120,9 +85,8 @@ int curve25519_verify(const unsigned char* signature,
/* The below call has a strange API: */
/* verifybuf = R || S || message */
/* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
- replaced with pubkey for hashing, then the whole thing gets zeroized
- (if bad sig), or contains a copy of msg (good sig) */
- result = crypto_sign_open(verifybuf2, &some_retval, verifybuf, 64 + msg_len, ed_pubkey);
+ replaced with pubkey for hashing */
+ result = crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
err:
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
index b3dbad0155..a2d819aef0 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
@@ -2,47 +2,16 @@
#ifndef __CURVE_SIGS_H__
#define __CURVE_SIGS_H__
-void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */
- const unsigned char* curve25519_privkey_in); /* 32 bytes */
-
/* returns 0 on success */
int curve25519_sign(unsigned char* signature_out, /* 64 bytes */
const unsigned char* curve25519_privkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len,
+ const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
const unsigned char* random); /* 64 bytes */
/* returns 0 on success */
int curve25519_verify(const unsigned char* signature, /* 64 bytes */
const unsigned char* curve25519_pubkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len);
-
-/* helper function - modified version of crypto_sign() to use
- explicit private key. In particular:
-
- sk : private key
- pk : public key
- msg : message
- prefix : 0xFE || [0xFF]*31
- random : 64 bytes random
- q : main subgroup order
-
- The prefix is chosen to distinguish the two SHA512 uses below, since
- prefix is an invalid encoding for R (it would encode a "field element"
- of 2^255 - 2). 0xFF*32 is set aside for use in ECDH protocols, which
- is why the first byte here ix 0xFE.
+ const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
- sig_nonce = SHA512(prefix || sk || msg || random) % q
- R = g^sig_nonce
- M = SHA512(R || pk || m)
- S = sig_nonce + (m * sk)
- signature = (R || S)
- */
-int crypto_sign_modified(
- unsigned char *sm,
- const unsigned char *m,unsigned long long mlen,
- const unsigned char *sk, /* Curve/Ed25519 private key */
- const unsigned char *pk, /* Ed25519 public key */
- const unsigned char *random /* 64 bytes random to hash into nonce */
- );
#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
new file mode 100644
index 0000000000..8a8131ff2f
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
@@ -0,0 +1,111 @@
+#include <string.h>
+#include "fe.h"
+#include "ge.h"
+#include "crypto_uint32.h"
+#include "crypto_hash_sha512.h"
+#include "crypto_additions.h"
+
+unsigned int legendre_is_nonsquare(fe in)
+{
+ fe temp;
+ fe_pow22523(temp, in); /* temp = in^((q-5)/8) */
+ fe_sq(temp, temp); /* in^((q-5)/4) */
+ fe_sq(temp, temp); /* in^((q-5)/2) */
+ fe_mul(temp, temp, in); /* in^((q-3)/2) */
+ fe_mul(temp, temp, in); /* in^((q-1)/2) */
+
+ /* temp is now the Legendre symbol:
+ * 1 = square
+ * 0 = input is zero
+ * -1 = nonsquare
+ */
+ unsigned char bytes[32];
+ fe_tobytes(bytes, temp);
+ return 1 & bytes[31];
+}
+
+void elligator(fe u, const fe r)
+{
+ /* r = input
+ * x = -A/(1+2r^2) # 2 is nonsquare
+ * e = (x^3 + Ax^2 + x)^((q-1)/2) # legendre symbol
+ * if e == 1 (square) or e == 0 (because x == 0 and 2r^2 + 1 == 0)
+ * u = x
+ * if e == -1 (nonsquare)
+ * u = -x - A
+ */
+ fe A, one, twor2, twor2plus1, twor2plus1inv;
+ fe x, e, Atemp, uneg;
+ unsigned int nonsquare;
+
+ fe_1(one);
+ fe_0(A);
+ A[0] = 486662; /* A = 486662 */
+
+ fe_sq2(twor2, r); /* 2r^2 */
+ fe_add(twor2plus1, twor2, one); /* 1+2r^2 */
+ fe_invert(twor2plus1inv, twor2plus1); /* 1/(1+2r^2) */
+ fe_mul(x, twor2plus1inv, A); /* A/(1+2r^2) */
+ fe_neg(x, x); /* x = -A/(1+2r^2) */
+
+ fe_mont_rhs(e, x); /* e = x^3 + Ax^2 + x */
+ nonsquare = legendre_is_nonsquare(e);
+
+ fe_0(Atemp);
+ fe_cmov(Atemp, A, nonsquare); /* 0, or A if nonsquare */
+ fe_add(u, x, Atemp); /* x, or x+A if nonsquare */
+ fe_neg(uneg, u); /* -x, or -x-A if nonsquare */
+ fe_cmov(u, uneg, nonsquare); /* x, or -x-A if nonsquare */
+}
+
+void hash_to_point(ge_p3* p, const unsigned char* in, const unsigned long in_len)
+{
+ unsigned char hash[64];
+ fe h, u;
+ unsigned char sign_bit;
+ ge_p3 p3;
+
+ crypto_hash_sha512(hash, in, in_len);
+
+ /* take the high bit as Edwards sign bit */
+ sign_bit = (hash[31] & 0x80) >> 7;
+ hash[31] &= 0x7F;
+ fe_frombytes(h, hash);
+ elligator(u, h);
+
+ ge_montx_to_p3(&p3, u, sign_bit);
+ ge_scalarmult_cofactor(p, &p3);
+}
+
+
+void calculate_Bv(ge_p3* Bv,
+ unsigned char* buf,
+ const unsigned char* A,
+ const unsigned char* msg, const unsigned long msg_len)
+{
+ int count;
+
+ /* Calculate SHA512(label(2) || A || msg) */
+ buf[0] = 0xFD;
+ for (count = 1; count < 32; count++)
+ buf[count] = 0xFF;
+ memmove(buf+32, A, 32);
+ memmove(buf+64, msg, msg_len);
+
+ hash_to_point(Bv, buf, 64 + msg_len);
+}
+
+
+void calculate_Bv_and_V(ge_p3* Bv,
+ unsigned char* V,
+ unsigned char* buf,
+ const unsigned char* a,
+ const unsigned char* A,
+ const unsigned char* msg, const unsigned long msg_len)
+{
+ ge_p3 p3;
+
+ calculate_Bv(Bv, buf, A, msg, msg_len);
+ ge_scalarmult(&p3, a, Bv);
+ ge_p3_tobytes(V, &p3);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
new file mode 100644
index 0000000000..67c5d33c96
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
@@ -0,0 +1,14 @@
+#include "fe.h"
+#include "crypto_verify_32.h"
+
+/*
+return 1 if f == g
+return 0 if f != g
+*/
+
+int fe_isequal(const fe f, const fe g)
+{
+ fe h;
+ fe_sub(h, f, g);
+ return 1 ^ (1 & (fe_isnonzero(h) >> 8));
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
new file mode 100644
index 0000000000..bc8393620c
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
@@ -0,0 +1,17 @@
+#include "fe.h"
+
+void fe_mont_rhs(fe v2, fe u) {
+ fe A, one;
+ fe u2, Au, inner;
+
+ fe_1(one);
+ fe_0(A);
+ A[0] = 486662; /* A = 486662 */
+
+ fe_sq(u2, u); /* u^2 */
+ fe_mul(Au, A, u); /* Au */
+ fe_add(inner, u2, Au); /* u^2 + Au */
+ fe_add(inner, inner, one); /* u^2 + Au + 1 */
+ fe_mul(v2, u, inner); /* u(u^2 + Au + 1) */
+}
+
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
new file mode 100644
index 0000000000..b0f8c63276
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
@@ -0,0 +1,19 @@
+
+#include "fe.h"
+#include "crypto_additions.h"
+
+void fe_montx_to_edy(fe y, const fe u)
+{
+ /*
+ y = (u - 1) / (u + 1)
+
+ NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
+ */
+ fe one, um1, up1;
+
+ fe_1(one);
+ fe_sub(um1, u, one);
+ fe_add(up1, u, one);
+ fe_invert(up1, up1);
+ fe_mul(y, um1, up1);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
new file mode 100644
index 0000000000..906d38b93e
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
@@ -0,0 +1,50 @@
+#include <assert.h>
+#include "fe.h"
+#include "crypto_additions.h"
+
+/* sqrt(-1) */
+static unsigned char i_bytes[32] = {
+ 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
+ 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
+ 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
+ 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
+};
+
+/* Preconditions: a is square or zero */
+
+void fe_sqrt(fe out, const fe a)
+{
+ fe exp, b, b2, bi, i;
+
+ fe_frombytes(i, i_bytes);
+ fe_pow22523(exp, a); /* b = a^(q-5)/8 */
+
+ /* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */
+#ifndef NDEBUG
+ fe legendre, zero, one;
+
+ fe_sq(legendre, exp); /* in^((q-5)/4) */
+ fe_sq(legendre, legendre); /* in^((q-5)/2) */
+ fe_mul(legendre, legendre, a); /* in^((q-3)/2) */
+ fe_mul(legendre, legendre, a); /* in^((q-1)/2) */
+
+ fe_0(zero);
+ fe_1(one);
+ assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one));
+#endif
+
+ fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */
+ fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */
+
+ /* note b^4 == a^2, so b^2 == a or -a
+ * if b^2 != a, multiply it by sqrt(-1) */
+ fe_mul(bi, b, i);
+ fe_cmov(b, bi, 1 ^ fe_isequal(b2, a));
+ fe_copy(out, b);
+
+ /* PRECONDITION: out^2 == a */
+#ifndef NDEBUG
+ fe_sq(b2, out);
+ assert(fe_isequal(a, b2));
+#endif
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
new file mode 100644
index 0000000000..845941be2a
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_is_small_order.c
@@ -0,0 +1,30 @@
+#include "crypto_additions.h"
+#include "ge.h"
+#include "utility.h"
+#include "stdio.h"
+
+/*
+return 1 if f == g
+return 0 if f != g
+*/
+
+int ge_is_small_order(const ge_p3 *p)
+{
+ ge_p1p1 p1p1;
+ ge_p2 p2;
+ fe zero;
+
+ ge_p3_dbl(&p1p1, p);
+ ge_p1p1_to_p2(&p2, &p1p1);
+
+ ge_p2_dbl(&p1p1, &p2);
+ ge_p1p1_to_p2(&p2, &p1p1);
+
+ ge_p2_dbl(&p1p1, &p2);
+ ge_p1p1_to_p2(&p2, &p1p1);
+
+ fe_0(zero);
+
+ /* Check if 8*p == neutral element == (0, 1) */
+ return (fe_isequal(p2.X, zero) & fe_isequal(p2.Y, p2.Z));
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
new file mode 100644
index 0000000000..d40e443682
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
@@ -0,0 +1,16 @@
+#include "crypto_additions.h"
+#include "ge.h"
+
+/*
+return 1 if p is the neutral point
+return 0 otherwise
+*/
+
+int ge_isneutral(const ge_p3 *p)
+{
+ fe zero;
+ fe_0(zero);
+
+ /* Check if p == neutral element == (0, 1) */
+ return (fe_isequal(p->X, zero) & fe_isequal(p->Y, p->Z));
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
new file mode 100644
index 0000000000..d123d03580
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p2.c
@@ -0,0 +1,69 @@
+#include "fe.h"
+#include "ge.h"
+#include "assert.h"
+#include "crypto_additions.h"
+#include "utility.h"
+
+/* sqrt(-(A+2)) */
+static unsigned char A_bytes[32] = {
+ 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
+ 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
+ 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
+ 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
+};
+
+void ge_montx_to_p2(ge_p2* p, const fe u, const unsigned char ed_sign_bit)
+{
+ fe x, y, A, v, v2, iv, nx;
+
+ fe_frombytes(A, A_bytes);
+
+ /* given u, recover edwards y */
+ /* given u, recover v */
+ /* given u and v, recover edwards x */
+
+ fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
+
+ fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
+ fe_sqrt(v, v2); /* v = sqrt(v^2) */
+
+ fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
+ fe_invert(iv, v); /* 1/v */
+ fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
+
+ fe_neg(nx, x); /* negate x to match sign bit */
+ fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
+
+ fe_copy(p->X, x);
+ fe_copy(p->Y, y);
+ fe_1(p->Z);
+
+ /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
+ /* -x^2 + y^2 = 1 + dx^2y^2 */
+#ifndef NDEBUG
+ {
+ fe one, d, x2, y2, x2y2, dx2y2;
+
+ unsigned char dbytes[32] = {
+ 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
+ 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
+ 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
+ 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
+ };
+
+ fe_frombytes(d, dbytes);
+ fe_1(one);
+ fe_sq(x2, p->X); /* x^2 */
+ fe_sq(y2, p->Y); /* y^2 */
+
+ fe_mul(dx2y2, x2, y2); /* x^2y^2 */
+ fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
+ fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
+
+ fe_neg(x2y2, x2); /* -x^2 */
+ fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
+
+ assert(fe_isequal(x2y2, dx2y2));
+ }
+#endif
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
new file mode 100644
index 0000000000..7a716c5a72
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
@@ -0,0 +1,70 @@
+#include "fe.h"
+#include "ge.h"
+#include "assert.h"
+#include "crypto_additions.h"
+#include "utility.h"
+
+/* sqrt(-(A+2)) */
+static unsigned char A_bytes[32] = {
+ 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
+ 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
+ 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
+ 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
+};
+
+void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit)
+{
+ fe x, y, A, v, v2, iv, nx;
+
+ fe_frombytes(A, A_bytes);
+
+ /* given u, recover edwards y */
+ /* given u, recover v */
+ /* given u and v, recover edwards x */
+
+ fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
+
+ fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
+ fe_sqrt(v, v2); /* v = sqrt(v^2) */
+
+ fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
+ fe_invert(iv, v); /* 1/v */
+ fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
+
+ fe_neg(nx, x); /* negate x to match sign bit */
+ fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
+
+ fe_copy(p->X, x);
+ fe_copy(p->Y, y);
+ fe_1(p->Z);
+ fe_mul(p->T, p->X, p->Y);
+
+ /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
+ /* -x^2 + y^2 = 1 + dx^2y^2 */
+#ifndef NDEBUG
+ {
+ fe one, d, x2, y2, x2y2, dx2y2;
+
+ unsigned char dbytes[32] = {
+ 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
+ 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
+ 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
+ 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
+ };
+
+ fe_frombytes(d, dbytes);
+ fe_1(one);
+ fe_sq(x2, p->X); /* x^2 */
+ fe_sq(y2, p->Y); /* y^2 */
+
+ fe_mul(dx2y2, x2, y2); /* x^2y^2 */
+ fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
+ fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
+
+ fe_neg(x2y2, x2); /* -x^2 */
+ fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
+
+ assert(fe_isequal(x2y2, dx2y2));
+ }
+#endif
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
new file mode 100644
index 0000000000..d679713fe0
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
@@ -0,0 +1,15 @@
+#include "crypto_additions.h"
+#include "ge.h"
+
+/*
+return r = -p
+*/
+
+
+void ge_neg(ge_p3* r, const ge_p3 *p)
+{
+ fe_neg(r->X, p->X);
+ fe_copy(r->Y, p->Y);
+ fe_copy(r->Z, p->Z);
+ fe_neg(r->T, p->T);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
new file mode 100644
index 0000000000..b539b2f17f
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
@@ -0,0 +1,21 @@
+#include "fe.h"
+#include "crypto_additions.h"
+
+void ge_p3_to_montx(fe u, const ge_p3 *ed)
+{
+ /*
+ u = (y + 1) / (1 - y)
+ or
+ u = (y + z) / (z - y)
+
+ NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
+ */
+
+ fe y_plus_one, one_minus_y, inv_one_minus_y;
+
+ fe_add(y_plus_one, ed->Y, ed->Z);
+ fe_sub(one_minus_y, ed->Z, ed->Y);
+ fe_invert(inv_one_minus_y, one_minus_y);
+ fe_mul(u, y_plus_one, inv_one_minus_y);
+}
+
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
new file mode 100644
index 0000000000..e4f741b8d8
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
@@ -0,0 +1,140 @@
+#include "crypto_uint32.h"
+#include "ge.h"
+#include "crypto_additions.h"
+
+static unsigned char equal(signed char b,signed char c)
+{
+ unsigned char ub = b;
+ unsigned char uc = c;
+ unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
+ crypto_uint32 y = x; /* 0: yes; 1..255: no */
+ y -= 1; /* 4294967295: yes; 0..254: no */
+ y >>= 31; /* 1: yes; 0: no */
+ return y;
+}
+
+static unsigned char negative(signed char b)
+{
+ unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
+ x >>= 63; /* 1: yes; 0: no */
+ return x;
+}
+
+static void cmov(ge_cached *t,const ge_cached *u,unsigned char b)
+{
+ fe_cmov(t->YplusX,u->YplusX,b);
+ fe_cmov(t->YminusX,u->YminusX,b);
+ fe_cmov(t->Z,u->Z,b);
+ fe_cmov(t->T2d,u->T2d,b);
+}
+
+static void select(ge_cached *t,const ge_cached *pre, signed char b)
+{
+ ge_cached minust;
+ unsigned char bnegative = negative(b);
+ unsigned char babs = b - (((-bnegative) & b) << 1);
+
+ fe_1(t->YplusX);
+ fe_1(t->YminusX);
+ fe_1(t->Z);
+ fe_0(t->T2d);
+
+ cmov(t,pre+0,equal(babs,1));
+ cmov(t,pre+1,equal(babs,2));
+ cmov(t,pre+2,equal(babs,3));
+ cmov(t,pre+3,equal(babs,4));
+ cmov(t,pre+4,equal(babs,5));
+ cmov(t,pre+5,equal(babs,6));
+ cmov(t,pre+6,equal(babs,7));
+ cmov(t,pre+7,equal(babs,8));
+ fe_copy(minust.YplusX,t->YminusX);
+ fe_copy(minust.YminusX,t->YplusX);
+ fe_copy(minust.Z,t->Z);
+ fe_neg(minust.T2d,t->T2d);
+ cmov(t,&minust,bnegative);
+}
+
+/*
+h = a * B
+where a = a[0]+256*a[1]+...+256^31 a[31]
+B is the Ed25519 base point (x,4/5) with x positive.
+
+Preconditions:
+ a[31] <= 127
+*/
+
+void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A)
+{
+ signed char e[64];
+ signed char carry;
+ ge_p1p1 r;
+ ge_p2 s;
+ ge_p3 t0, t1, t2;
+ ge_cached t, pre[8];
+ int i;
+
+ for (i = 0;i < 32;++i) {
+ e[2 * i + 0] = (a[i] >> 0) & 15;
+ e[2 * i + 1] = (a[i] >> 4) & 15;
+ }
+ /* each e[i] is between 0 and 15 */
+ /* e[63] is between 0 and 7 */
+
+ carry = 0;
+ for (i = 0;i < 63;++i) {
+ e[i] += carry;
+ carry = e[i] + 8;
+ carry >>= 4;
+ e[i] -= carry << 4;
+ }
+ e[63] += carry;
+ /* each e[i] is between -8 and 8 */
+
+ // Precomputation:
+ ge_p3_to_cached(pre+0, A); // A
+
+ ge_p3_dbl(&r, A);
+ ge_p1p1_to_p3(&t0, &r);
+ ge_p3_to_cached(pre+1, &t0); // 2A
+
+ ge_add(&r, A, pre+1);
+ ge_p1p1_to_p3(&t1, &r);
+ ge_p3_to_cached(pre+2, &t1); // 3A
+
+ ge_p3_dbl(&r, &t0);
+ ge_p1p1_to_p3(&t0, &r);
+ ge_p3_to_cached(pre+3, &t0); // 4A
+
+ ge_add(&r, A, pre+3);
+ ge_p1p1_to_p3(&t2, &r);
+ ge_p3_to_cached(pre+4, &t2); // 5A
+
+ ge_p3_dbl(&r, &t1);
+ ge_p1p1_to_p3(&t1, &r);
+ ge_p3_to_cached(pre+5, &t1); // 6A
+
+ ge_add(&r, A, pre+5);
+ ge_p1p1_to_p3(&t1, &r);
+ ge_p3_to_cached(pre+6, &t1); // 7A
+
+ ge_p3_dbl(&r, &t0);
+ ge_p1p1_to_p3(&t0, &r);
+ ge_p3_to_cached(pre+7, &t0); // 8A
+
+ ge_p3_0(h);
+
+ for (i = 63;i > 0; i--) {
+ select(&t,pre,e[i]);
+ ge_add(&r, h, &t);
+ ge_p1p1_to_p2(&s,&r);
+
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
+
+ }
+ select(&t,pre,e[0]);
+ ge_add(&r, h, &t);
+ ge_p1p1_to_p3(h,&r);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
new file mode 100644
index 0000000000..6affbb05d5
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
@@ -0,0 +1,21 @@
+#include "crypto_additions.h"
+#include "ge.h"
+
+/*
+return 8 * p
+*/
+
+void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p)
+{
+ ge_p1p1 p1p1;
+ ge_p2 p2;
+
+ ge_p3_dbl(&p1p1, p);
+ ge_p1p1_to_p2(&p2, &p1p1);
+
+ ge_p2_dbl(&p1p1, &p2);
+ ge_p1p1_to_p2(&p2, &p1p1);
+
+ ge_p2_dbl(&p1p1, &p2);
+ ge_p1p1_to_p3(q, &p1p1);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
new file mode 100644
index 0000000000..de7cdcd598
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
@@ -0,0 +1,21 @@
+#include "ge.h"
+#include "keygen.h"
+#include "crypto_additions.h"
+
+void curve25519_keygen(unsigned char* curve25519_pubkey_out,
+ const unsigned char* curve25519_privkey_in)
+{
+ /* Perform a fixed-base multiplication of the Edwards base point,
+ (which is efficient due to precalculated tables), then convert
+ to the Curve25519 montgomery-format public key.
+
+ NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
+ */
+
+ ge_p3 ed; /* Ed25519 pubkey point */
+ fe u;
+
+ ge_scalarmult_base(&ed, curve25519_privkey_in);
+ ge_p3_to_montx(u, &ed);
+ fe_tobytes(curve25519_pubkey_out, u);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
new file mode 100644
index 0000000000..e86e7c5582
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
@@ -0,0 +1,12 @@
+
+#ifndef __KEYGEN_H__
+#define __KEYGEN_H__
+
+/* Sets and clears bits to make a random 32 bytes into a private key */
+void sc_clamp(unsigned char* a);
+
+/* The private key should be 32 random bytes "clamped" by sc_clamp() */
+void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */
+ const unsigned char* curve25519_privkey_in); /* 32 bytes */
+
+#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
new file mode 100644
index 0000000000..a156098191
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
@@ -0,0 +1,45 @@
+#include <string.h>
+#include "crypto_sign.h"
+#include "crypto_hash_sha512.h"
+#include "crypto_verify_32.h"
+#include "ge.h"
+#include "sc.h"
+#include "crypto_additions.h"
+
+int crypto_sign_open_modified(
+ unsigned char *m,
+ const unsigned char *sm,unsigned long long smlen,
+ const unsigned char *pk
+)
+{
+ unsigned char pkcopy[32];
+ unsigned char rcopy[32];
+ unsigned char scopy[32];
+ unsigned char h[64];
+ unsigned char rcheck[32];
+ ge_p3 A;
+ ge_p2 R;
+
+ if (smlen < 64) goto badsig;
+ if (sm[63] & 224) goto badsig; /* strict parsing of s */
+ if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
+
+ memmove(pkcopy,pk,32);
+ memmove(rcopy,sm,32);
+ memmove(scopy,sm + 32,32);
+
+ memmove(m,sm,smlen);
+ memmove(m + 32,pkcopy,32);
+ crypto_hash_sha512(h,m,smlen);
+ sc_reduce(h);
+
+ ge_double_scalarmult_vartime(&R,h,&A,scopy);
+ ge_tobytes(rcheck,&R);
+
+ if (crypto_verify_32(rcheck,rcopy) == 0) {
+ return 0;
+ }
+
+badsig:
+ return -1;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
new file mode 100644
index 0000000000..7788be9071
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
@@ -0,0 +1,8 @@
+#include "crypto_additions.h"
+
+void sc_clamp(unsigned char* a)
+{
+ a[0] &= 248;
+ a[31] &= 127;
+ a[31] |= 64;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
new file mode 100644
index 0000000000..443a5bb71e
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
@@ -0,0 +1,21 @@
+#include "crypto_additions.h"
+
+/*
+Replace (f,g) with (g,g) if b == 1;
+replace (f,g) with (f,g) if b == 0.
+
+Preconditions: b in {0,1}.
+*/
+
+void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b)
+{
+ int count=32;
+ unsigned char x[32];
+ for (count=0; count < 32; count++)
+ x[count] = f[count] ^ g[count];
+ b = -b;
+ for (count=0; count < 32; count++)
+ x[count] &= b;
+ for (count=0; count < 32; count++)
+ f[count] = f[count] ^ x[count];
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
new file mode 100644
index 0000000000..ef407d405e
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
@@ -0,0 +1,25 @@
+#include <string.h>
+#include "crypto_additions.h"
+#include "sc.h"
+
+/* l = order of base point = 2^252 + 27742317777372353535851937790883648493 */
+
+/*
+static unsigned char l[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+ 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0, 0x10};
+*/
+
+static unsigned char lminus1[32] = {0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+ 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
+
+/* b = -a (mod l) */
+void sc_neg(unsigned char *b, const unsigned char *a)
+{
+ unsigned char zero[32];
+ memset(zero, 0, 32);
+ sc_muladd(b, lminus1, a, zero); /* b = (-1)a + 0 (mod l) */
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
index 61332e70e7..b2fb8c20d3 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
@@ -4,6 +4,7 @@
#include "ge.h"
#include "sc.h"
#include "zeroize.h"
+#include "crypto_additions.h"
/* NEW: Compare to pristine crypto_sign()
Uses explicit private key for nonce derivation and as scalar,
@@ -36,6 +37,7 @@ int crypto_sign_modified(
memmove(sm + 32,pk,32);
sc_reduce(nonce);
+
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(sm,&R);
@@ -43,5 +45,9 @@ int crypto_sign_modified(
sc_reduce(hram);
sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */
+ /* Erase any traces of private scalar or
+ nonce left in the stack from sc_muladd */
+ zeroize_stack();
+ zeroize(nonce, 64);
return 0;
}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
new file mode 100644
index 0000000000..412f8c4c9b
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/uopen_modified.c
@@ -0,0 +1,100 @@
+#include <string.h>
+#include "sc.h"
+#include "ge.h"
+#include "crypto_hash_sha512.h"
+#include "crypto_verify_32.h"
+#include "crypto_additions.h"
+#include "crypto_sign.h"
+
+int crypto_usign_open_modified(
+ unsigned char *m,unsigned long long *mlen,
+ const unsigned char *sm,unsigned long long smlen,
+ const unsigned char *pk, const ge_p3* Bu
+)
+{
+ ge_p3 U;
+ unsigned char h[64];
+ unsigned char s[64];
+ unsigned char strict[64];
+ ge_p3 A;
+ ge_p2 R;
+ unsigned char hcheck[64];
+ int count;
+
+ if (smlen < 96) goto badsig;
+ if (sm[63] & 224) goto badsig; /* strict parsing of h */
+ if (sm[95] & 224) goto badsig; /* strict parsing of s */
+
+ /* Load -A */
+ if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
+
+ /* Load -U, h, s */
+ ge_frombytes_negate_vartime(&U, sm);
+ memset(h, 0, 64);
+ memset(s, 0, 64);
+ memmove(h, sm + 32, 32);
+ memmove(s, sm + 64, 32);
+
+ /* Insist that s and h are reduced scalars (strict parsing) */
+ memcpy(strict, h, 64);
+ sc_reduce(strict);
+ if (memcmp(strict, h, 32) != 0)
+ goto badsig;
+ memcpy(strict, s, 64);
+ sc_reduce(strict);
+ if (memcmp(strict, s, 32) != 0)
+ goto badsig;
+
+ /* Reject U (actually -U) if small order */
+ if (ge_is_small_order(&U))
+ goto badsig;
+
+ // R = sB + h(-A)
+ ge_double_scalarmult_vartime(&R,h,&A,s);
+
+ // Ru = sBu + h(-U)
+ ge_p3 sBu, hU;
+
+ // sBu
+ ge_scalarmult(&sBu, s, Bu);
+
+ // h(-U)
+ ge_scalarmult(&hU, h, &U);
+
+ // Ru = sBu + h(-U)
+ ge_p1p1 Rp1p1;
+ ge_p3 Ru;
+ ge_cached hUcached;
+ ge_p3_to_cached(&hUcached, &hU);
+ ge_add(&Rp1p1, &sBu, &hUcached);
+ ge_p1p1_to_p3(&Ru, &Rp1p1);
+
+
+ // Check h == SHA512(label(4) || A || U || R || Ru || M)
+ m[0] = 0xFB;
+ for (count = 1; count < 32; count++)
+ m[count] = 0xFF;
+ memmove(m+32, pk, 32);
+ /* undo the negation for U */
+ fe_neg(U.X, U.X);
+ fe_neg(U.T, U.T);
+ ge_p3_tobytes(m+64, &U);
+ ge_tobytes(m+96, &R);
+ ge_p3_tobytes(m+128, &Ru);
+ memmove(m+160, sm+96, smlen - 96);
+
+ crypto_hash_sha512(hcheck, m, smlen + 64);
+ sc_reduce(hcheck);
+
+ if (crypto_verify_32(hcheck, h) == 0) {
+ memmove(m,m + 64,smlen - 64);
+ memset(m + smlen - 64,0,64);
+ *mlen = smlen - 64;
+ return 0;
+ }
+
+badsig:
+ *mlen = -1;
+ memset(m,0,smlen);
+ return -1;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
new file mode 100644
index 0000000000..3bbd871b7a
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/usign_modified.c
@@ -0,0 +1,62 @@
+#include <string.h>
+#include "crypto_sign.h"
+#include "crypto_hash_sha512.h"
+#include "ge.h"
+#include "sc.h"
+#include "zeroize.h"
+#include "crypto_additions.h"
+
+/* NEW: Compare to pristine crypto_sign()
+ Uses explicit private key for nonce derivation and as scalar,
+ instead of deriving both from a master key.
+*/
+int crypto_usign_modified(
+ unsigned char *sm,
+ const unsigned char *M,unsigned long Mlen,
+ const unsigned char *a,
+ const unsigned char *A,
+ const unsigned char *random,
+ const ge_p3 *Bu,
+ const unsigned char *U
+)
+{
+ unsigned char r[64];
+ unsigned char h[64];
+ ge_p3 R, Ru;
+ int count=0;
+
+ /* r = SHA512(label(3) || a || U || random(64)) */
+ sm[0] = 0xFC;
+ for (count = 1; count < 32; count++)
+ sm[count] = 0xFF;
+
+ memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */
+ memmove(sm + 64, U, 32);
+
+ memmove(sm + 96, random, 64); /* Add suffix of random data */
+ crypto_hash_sha512(r, sm, 160);
+
+ sc_reduce(r);
+ ge_scalarmult_base(&R, r);
+ ge_scalarmult(&Ru, r, Bu);
+
+ /* h = SHA512(label(4) || A || U || R || Ru || M) */
+ sm[0] = 0xFB;
+ memmove(sm + 32, A, 32);
+ memmove(sm + 64, U, 32);
+ ge_p3_tobytes(sm+96, &R);
+ ge_p3_tobytes(sm+128, &Ru);
+ memmove(sm + 160, M, Mlen);
+
+ crypto_hash_sha512(h, sm, Mlen + 160);
+ sc_reduce(h);
+
+ memmove(sm, h, 32); /* Write h */
+ sc_muladd(sm + 32, h, a, r); /* Write s */
+
+ /* Erase any traces of private scalar or
+ nonce left in the stack from sc_muladd. */
+ zeroize_stack();
+ zeroize(r, 64);
+ return 0;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c
new file mode 100644
index 0000000000..c59099a9e3
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c
@@ -0,0 +1,29 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include "utility.h"
+
+void print_vector(const char* name, const unsigned char* v)
+{
+ int count;
+ printf("%s = \n", name);
+ for (count = 0; count < 32; count++)
+ printf("%02x ", v[count]);
+ printf("\n");
+}
+
+void print_bytes(const char* name, const unsigned char* v, int numbytes)
+{
+ int count;
+ printf("%s = \n", name);
+ for (count = 0; count < numbytes; count++)
+ printf("%02x ", v[count]);
+ printf("\n");
+}
+
+void print_fe(const char* name, const fe in)
+{
+ unsigned char bytes[32];
+ fe_tobytes(bytes, in);
+ print_vector(name, bytes);
+}
+
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
new file mode 100644
index 0000000000..35348782df
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
@@ -0,0 +1,11 @@
+
+#ifndef __UTILITY_H__
+#define __UTILITY_H__
+
+#include "fe.h"
+
+void print_vector(const char* name, const unsigned char* v);
+void print_bytes(const char* name, const unsigned char* v, int numbytes);
+void print_fe(const char* name, const fe in);
+
+#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
new file mode 100644
index 0000000000..3dfc7fba6f
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vopen_modified.c
@@ -0,0 +1,85 @@
+#include <string.h>
+#include "sc.h"
+#include "ge.h"
+#include "crypto_hash_sha512.h"
+#include "crypto_verify_32.h"
+#include "crypto_additions.h"
+#include "crypto_sign.h"
+
+int crypto_vsign_open_modified(
+ unsigned char *m,
+ const unsigned char *sm,unsigned long long smlen,
+ const unsigned char *pk, const ge_p3* Bv
+)
+{
+ ge_p3 Vneg, V, Aneg, A, c_V, c_A, h_Vneg, s_Bv;
+ unsigned char h[32];
+ unsigned char s[32];
+ ge_p2 R;
+ unsigned char hcheck[64];
+ unsigned char vrf_output[64];
+ int count;
+
+ if (smlen < 96) goto badsig;
+ if (sm[63] & 224) goto badsig; /* strict parsing of h */
+ if (sm[95] & 224) goto badsig; /* strict parsing of s */
+
+ /* Load -A */
+ if (ge_frombytes_negate_vartime(&Aneg,pk) != 0) goto badsig;
+
+ /* Load -V, h, s */
+ if (ge_frombytes_negate_vartime(&Vneg, sm) != 0) goto badsig;
+ memmove(h, sm + 32, 32);
+ memmove(s, sm + 64, 32);
+ if (h[31] & 224) goto badsig; /* strict parsing of h */
+ if (s[31] & 224) goto badsig; /* strict parsing of s */
+
+ ge_neg(&A, &Aneg);
+ ge_neg(&V, &Vneg);
+ ge_scalarmult_cofactor(&c_A, &A);
+ ge_scalarmult_cofactor(&c_V, &V);
+ if (ge_isneutral(&c_A) || ge_isneutral(&c_V) || ge_isneutral(Bv))
+ goto badsig;
+
+ // R = (s*B) + (h * -A))
+ ge_double_scalarmult_vartime(&R, h, &Aneg, s);
+
+ // s * Bv
+ ge_scalarmult(&s_Bv, s, Bv);
+
+ // h * -V
+ ge_scalarmult(&h_Vneg, h, &Vneg);
+
+ // Rv = (sc * Bv) + (hc * (-V))
+ ge_p1p1 Rp1p1;
+ ge_p3 Rv;
+ ge_cached h_Vnegcached;
+ ge_p3_to_cached(&h_Vnegcached, &h_Vneg);
+ ge_add(&Rp1p1, &s_Bv, &h_Vnegcached);
+ ge_p1p1_to_p3(&Rv, &Rp1p1);
+
+ // Check h == SHA512(label(4) || A || V || R || Rv || M)
+ m[0] = 0xFB; // label 4
+ for (count = 1; count < 32; count++)
+ m[count] = 0xFF;
+ memmove(m+32, pk, 32);
+ ge_p3_tobytes(m+64, &V);
+ ge_tobytes(m+96, &R);
+ ge_p3_tobytes(m+128, &Rv);
+ memmove(m+160, sm+96, smlen - 96);
+
+ crypto_hash_sha512(hcheck, m, smlen + 64);
+ sc_reduce(hcheck);
+
+ if (crypto_verify_32(hcheck, h) == 0) {
+ ge_p3_tobytes(m+32, &c_V);
+ m[0] = 0xFA; // label 5
+ crypto_hash_sha512(vrf_output, m, 64);
+ memmove(m, vrf_output, 32);
+ return 0;
+ }
+
+badsig:
+ memset(m, 0, 32);
+ return -1;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c
new file mode 100644
index 0000000000..518b851d63
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vsign_modified.c
@@ -0,0 +1,62 @@
+#include <string.h>
+#include "crypto_sign.h"
+#include "crypto_hash_sha512.h"
+#include "ge.h"
+#include "sc.h"
+#include "zeroize.h"
+#include "crypto_additions.h"
+
+/* NEW: Compare to pristine crypto_sign()
+ Uses explicit private key for nonce derivation and as scalar,
+ instead of deriving both from a master key.
+*/
+int crypto_vsign_modified(
+ unsigned char *sm,
+ const unsigned char *M,unsigned long Mlen,
+ const unsigned char *a,
+ const unsigned char *A,
+ const unsigned char *random,
+ const ge_p3 *Bv,
+ const unsigned char *V
+)
+{
+ unsigned char r[64];
+ unsigned char h[64];
+ ge_p3 R, Rv;
+ int count=0;
+
+ /* r = SHA512(label(3) || a || V || random(64)) */
+ sm[0] = 0xFC;
+ for (count = 1; count < 32; count++)
+ sm[count] = 0xFF;
+
+ memmove(sm + 32, a, 32); /* Use privkey directly for nonce derivation */
+ memmove(sm + 64, V, 32);
+
+ memmove(sm + 96, random, 64); /* Add suffix of random data */
+ crypto_hash_sha512(r, sm, 160);
+
+ sc_reduce(r);
+ ge_scalarmult_base(&R, r);
+ ge_scalarmult(&Rv, r, Bv);
+
+ /* h = SHA512(label(4) || A || V || R || Rv || M) */
+ sm[0] = 0xFB;
+ memmove(sm + 32, A, 32);
+ memmove(sm + 64, V, 32);
+ ge_p3_tobytes(sm+96, &R);
+ ge_p3_tobytes(sm+128, &Rv);
+ memmove(sm + 160, M, Mlen);
+
+ crypto_hash_sha512(h, sm, Mlen + 160);
+ sc_reduce(h);
+
+ memmove(sm, h, 32); /* Write h */
+ sc_muladd(sm + 32, h, a, r); /* Write s */
+
+ /* Erase any traces of private scalar or
+ nonce left in the stack from sc_muladd. */
+ zeroize_stack();
+ zeroize(r, 64);
+ return 0;
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
new file mode 100644
index 0000000000..802a73563d
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.c
@@ -0,0 +1,91 @@
+#include <string.h>
+#include "ge.h"
+#include "crypto_additions.h"
+#include "zeroize.h"
+#include "vxeddsa.h"
+#include "crypto_verify_32.h"
+
+int vxed25519_sign(unsigned char* signature_out,
+ const unsigned char* curve25519_privkey,
+ const unsigned char* msg, const unsigned long msg_len,
+ const unsigned char* random)
+{
+ unsigned char a[32], aneg[32];
+ unsigned char A[32];
+ ge_p3 Bv, ed_pubkey_point;
+ unsigned char sigbuf[MAX_MSG_LEN + 160]; /* working buffer */
+ unsigned char sign_bit = 0;
+
+ if (msg_len > MAX_MSG_LEN) {
+ memset(signature_out, 0, 96);
+ return -1;
+ }
+ /* Convert the Curve25519 privkey to an Ed25519 public key */
+ ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
+ ge_p3_tobytes(A, &ed_pubkey_point);
+
+ /* Force Edwards sign bit to zero */
+ sign_bit = (A[31] & 0x80) >> 7;
+ memcpy(a, curve25519_privkey, 32);
+ sc_neg(aneg, a);
+ sc_cmov(a, aneg, sign_bit);
+ A[31] &= 0x7F;
+
+ calculate_Bv_and_V(&Bv, signature_out, sigbuf, a, A, msg, msg_len);
+
+ /* Perform an Ed25519 signature with explicit private key */
+ crypto_vsign_modified(sigbuf, msg, msg_len, a, A, random, &Bv, signature_out /*V*/);
+ memmove(signature_out+32, sigbuf, 64);
+
+ zeroize(a, 32);
+ zeroize(aneg, 32);
+ return 0;
+}
+
+int vxed25519_verify(unsigned char* vrf_out,
+ const unsigned char* signature,
+ const unsigned char* curve25519_pubkey,
+ const unsigned char* msg, const unsigned long msg_len)
+{
+ fe u;
+ fe y;
+ unsigned char ed_pubkey[32];
+ unsigned char strict[32];
+ unsigned char verifybuf[MAX_MSG_LEN + 160]; /* working buffer */
+ unsigned char verifybuf2[MAX_MSG_LEN + 160]; /* working buffer #2 ?? !!! */
+ ge_p3 Bv;
+
+ if (msg_len > MAX_MSG_LEN) {
+ return -1;
+ }
+
+ /* Convert the Curve25519 public key (u) into an Ed25519 public key.
+
+ y = (u - 1) / (u + 1)
+
+ NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
+ */
+ fe_frombytes(u, curve25519_pubkey);
+ fe_tobytes(strict, u);
+ if (crypto_verify_32(strict, curve25519_pubkey) != 0)
+ return 0;
+ fe_montx_to_edy(y, u);
+ fe_tobytes(ed_pubkey, y);
+
+ calculate_Bv(&Bv, verifybuf, ed_pubkey, msg, msg_len);
+
+ memmove(verifybuf, signature, 96);
+ memmove(verifybuf+96, msg, msg_len);
+
+ /* Then perform a signature verification, return 0 on success */
+ /* The below call has a strange API: */
+ /* verifybuf = V || h || s || message */
+ /* verifybuf2 = used as buffer, gets the VRF output if success */
+ if (crypto_vsign_open_modified(verifybuf2, verifybuf, 96 + msg_len, ed_pubkey, &Bv) == 0) {
+ memmove(vrf_out, verifybuf2, 32);
+ return 0;
+ } else {
+ memset(vrf_out, 0, 32);
+ return -1;
+ }
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h
new file mode 100644
index 0000000000..4e48844170
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/vxeddsa.h
@@ -0,0 +1,18 @@
+
+#ifndef __VXEDDSA_H__
+#define __VXEDDSA_H__
+
+/* returns 0 on success */
+int vxed25519_sign(unsigned char* signature_out, /* 96 bytes */
+ const unsigned char* curve25519_privkey, /* 32 bytes */
+ const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
+ const unsigned char* random); /* 64 bytes */
+
+/* returns 0 on success */
+int vxed25519_verify(unsigned char* vrf_out, /* 32 bytes */
+ const unsigned char* signature, /* 96 bytes */
+ const unsigned char* curve25519_pubkey, /* 32 bytes */
+ const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
+
+
+#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
new file mode 100644
index 0000000000..ee2964a0d5
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
@@ -0,0 +1,82 @@
+#include <string.h>
+#include "ge.h"
+#include "crypto_additions.h"
+#include "zeroize.h"
+#include "xeddsa.h"
+#include "crypto_verify_32.h"
+
+int xed25519_sign(unsigned char* signature_out,
+ const unsigned char* curve25519_privkey,
+ const unsigned char* msg, const unsigned long msg_len,
+ const unsigned char* random)
+{
+ unsigned char a[32], aneg[32];
+ unsigned char A[32];
+ ge_p3 ed_pubkey_point;
+ unsigned char *sigbuf; /* working buffer */
+ unsigned char sign_bit = 0;
+
+ if ((sigbuf = malloc(msg_len + 128)) == 0) {
+ memset(signature_out, 0, 64);
+ return -1;
+ }
+
+ /* Convert the Curve25519 privkey to an Ed25519 public key */
+ ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
+ ge_p3_tobytes(A, &ed_pubkey_point);
+
+ /* Force Edwards sign bit to zero */
+ sign_bit = (A[31] & 0x80) >> 7;
+ memcpy(a, curve25519_privkey, 32);
+ sc_neg(aneg, a);
+ sc_cmov(a, aneg, sign_bit);
+ A[31] &= 0x7F;
+
+ /* Perform an Ed25519 signature with explicit private key */
+ crypto_sign_modified(sigbuf, msg, msg_len, a, A, random);
+ memmove(signature_out, sigbuf, 64);
+
+ zeroize(a, 32);
+ zeroize(aneg, 32);
+ free(sigbuf);
+ return 0;
+}
+
+int xed25519_verify(const unsigned char* signature,
+ const unsigned char* curve25519_pubkey,
+ const unsigned char* msg, const unsigned long msg_len)
+{
+ fe u;
+ fe y;
+ unsigned char ed_pubkey[32];
+ unsigned char strict[32];
+ unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
+ unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
+
+ if (msg_len > MAX_MSG_LEN) {
+ return -1;
+ }
+
+ /* Convert the Curve25519 public key into an Ed25519 public key.
+
+ y = (u - 1) / (u + 1)
+
+ NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
+ */
+ fe_frombytes(u, curve25519_pubkey);
+ fe_tobytes(strict, u);
+ if (crypto_verify_32(strict, curve25519_pubkey) != 0)
+ return 0;
+ fe_montx_to_edy(y, u);
+ fe_tobytes(ed_pubkey, y);
+
+ memmove(verifybuf, signature, 64);
+ memmove(verifybuf+64, msg, msg_len);
+
+ /* Then perform a normal Ed25519 verification, return 0 on success */
+ /* The below call has a strange API: */
+ /* verifybuf = R || S || message */
+ /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
+ replaced with pubkey for hashing */
+ return crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
+}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
new file mode 100644
index 0000000000..b86d7f0d9d
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
@@ -0,0 +1,16 @@
+
+#ifndef __XEDDSA_H__
+#define __XEDDSA_H__
+
+/* returns 0 on success */
+int xed25519_sign(unsigned char* signature_out, /* 64 bytes */
+ const unsigned char* curve25519_privkey, /* 32 bytes */
+ const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
+ const unsigned char* random); /* 64 bytes */
+
+/* returns 0 on success */
+int xed25519_verify(const unsigned char* signature, /* 64 bytes */
+ const unsigned char* curve25519_pubkey, /* 32 bytes */
+ const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
+
+#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
index 37c1f708bc..187e725eb5 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
@@ -3,7 +3,6 @@
void zeroize(unsigned char* b, size_t len)
{
size_t count = 0;
- unsigned long retval = 0;
volatile unsigned char *p = b;
for (count = 0; count < len; count++)
@@ -13,5 +12,5 @@ void zeroize(unsigned char* b, size_t len)
void zeroize_stack()
{
unsigned char m[ZEROIZE_STACK_SIZE];
- zeroize(m, sizeof m);
+ zeroize(m, ZEROIZE_STACK_SIZE);
}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
index 80fcffb768..0db68bb4c6 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
+++ b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
@@ -3,7 +3,7 @@
#include <stdlib.h>
-#define ZEROIZE_STACK_SIZE 2048
+#define ZEROIZE_STACK_SIZE 1024
void zeroize(unsigned char* b, size_t len);
diff --git a/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c b/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c
index 47568001ce..0e087a783d 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/fe_isnonzero.c
@@ -2,13 +2,22 @@
#include "crypto_verify_32.h"
/*
-return 1 if f == 0
+return nonzero if f == 0
return 0 if f != 0
Preconditions:
|f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*/
+/* TREVOR'S COMMENT
+ *
+ * I think the above comment is wrong. Instead:
+ *
+ * return 0 if f == 0
+ * return -1 if f != 0
+ *
+ * */
+
static const unsigned char zero[32];
int fe_isnonzero(const fe f)
diff --git a/libs/libaxolotl/src/curve25519/ed25519/main/main.c b/libs/libaxolotl/src/curve25519/ed25519/main/main.c
index 5fbe39956d..a6ff569b9e 100644
--- a/libs/libaxolotl/src/curve25519/ed25519/main/main.c
+++ b/libs/libaxolotl/src/curve25519/ed25519/main/main.c
@@ -1,106 +1,13 @@
-#include <stdio.h>
-#include <string.h>
-#include "crypto_hash_sha512.h"
-#include "curve_sigs.h"
+#include "tests.h"
-#define MSG_LEN 200
int main(int argc, char* argv[])
{
- unsigned char privkey[32];
- unsigned char pubkey[32];
- unsigned char signature[64];
- unsigned char msg[MSG_LEN];
- unsigned char random[64];
+ all_fast_tests(0);
+ curvesigs_slow_test(0, 10000);
+ xeddsa_slow_test(0, 10000);
+ xeddsa_to_curvesigs_slow_test(0, 10000);
+ vxeddsa_slow_test(0, 10000000);
- /* Initialize pubkey, privkey, msg */
- memset(msg, 0, MSG_LEN);
- memset(privkey, 0, 32);
- memset(pubkey, 0, 32);
- privkey[0] &= 248;
- privkey[31] &= 63;
- privkey[31] |= 64;
-
- privkey[8] = 189; /* just so there's some bits set */
-
-
- /* SHA512 test */
- unsigned char sha512_input[112] = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
- unsigned char sha512_correct_output[64] =
-{
-0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
-0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
-0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
-0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
-0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
-0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
-0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
-0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09
-};
- unsigned char sha512_actual_output[64];
-
- crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input));
- if (memcmp(sha512_actual_output, sha512_correct_output, 64) != 0)
- printf("SHA512 bad #1\n");
- else
- printf("SHA512 good #1\n");
-
- sha512_input[111] ^= 1;
-
- crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input));
- if (memcmp(sha512_actual_output, sha512_correct_output, 64) != 0)
- printf("SHA512 good #2\n");
- else
- printf("SHA512 bad #2\n");
-
- /* Signature test */
- curve25519_keygen(pubkey, privkey);
-
- curve25519_sign(signature, privkey, msg, MSG_LEN, random);
-
- if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
- printf("Signature good #1\n");
- else
- printf("Signature bad #1\n");
-
- signature[0] ^= 1;
-
- if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
- printf("Signature bad #2\n");
- else
- printf("Signature good #2\n");
-
-
- printf("Random testing...\n");
- for (int count = 0; count < 10000; count++) {
- unsigned char b[64];
- crypto_hash_sha512(b, privkey, 32);
- memmove(privkey, b, 32);
- crypto_hash_sha512(b, privkey, 32);
- memmove(random, b, 64);
-
- privkey[0] &= 248;
- privkey[31] &= 63;
- privkey[31] |= 64;
-
- curve25519_keygen(pubkey, privkey);
-
- curve25519_sign(signature, privkey, msg, MSG_LEN, random);
-
- if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0) {
- printf("failure #1 %d\n", count);
- return -1;
- }
-
- if (b[63] & 1)
- signature[count % 64] ^= 1;
- else
- msg[count % MSG_LEN] ^= 1;
- if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0) {
- printf("failure #2 %d\n", count);
- return -1;
- }
- }
- printf("OK\n");
- return 1;
+ return 0;
}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c
new file mode 100644
index 0000000000..79adae5d16
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.c
@@ -0,0 +1,658 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include "crypto_hash_sha512.h"
+#include "keygen.h"
+#include "curve_sigs.h"
+#include "xeddsa.h"
+#include "vxeddsa.h"
+#include "crypto_additions.h"
+#include "ge.h"
+#include "utility.h"
+#include "tests.h"
+#include <assert.h>
+
+
+#define ERROR(...) do {if (!silent) { printf(__VA_ARGS__); abort(); } else return -1; } while (0)
+#define INFO(...) do {if (!silent) printf(__VA_ARGS__);} while (0)
+
+#define TEST(msg, cond) \
+ do { \
+ if ((cond)) { \
+ INFO("%s good\n", msg); \
+ } \
+ else { \
+ ERROR("%s BAD!!!\n", msg); \
+ } \
+ } while (0)
+
+
+int sha512_fast_test(int silent)
+{
+ unsigned char sha512_input[112] =
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu";
+ unsigned char sha512_correct_output[64] =
+ {
+ 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+ 0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+ 0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+ 0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+ 0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+ 0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+ 0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+ 0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09
+ };
+ unsigned char sha512_actual_output[64];
+
+ crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input));
+ TEST("SHA512 #1", memcmp(sha512_actual_output, sha512_correct_output, 64) == 0);
+
+ sha512_input[111] ^= 1;
+
+ crypto_hash_sha512(sha512_actual_output, sha512_input, sizeof(sha512_input));
+ TEST("SHA512 #2", memcmp(sha512_actual_output, sha512_correct_output, 64) != 0);
+
+ return 0;
+}
+
+int elligator_fast_test(int silent)
+{
+ unsigned char elligator_correct_output[32] =
+ {
+ 0x5f, 0x35, 0x20, 0x00, 0x1c, 0x6c, 0x99, 0x36,
+ 0xa3, 0x12, 0x06, 0xaf, 0xe7, 0xc7, 0xac, 0x22,
+ 0x4e, 0x88, 0x61, 0x61, 0x9b, 0xf9, 0x88, 0x72,
+ 0x44, 0x49, 0x15, 0x89, 0x9d, 0x95, 0xf4, 0x6e
+ };
+
+ unsigned char hashtopoint_correct_output1[32] =
+ {
+ 0xce, 0x89, 0x9f, 0xb2, 0x8f, 0xf7, 0x20, 0x91,
+ 0x5e, 0x14, 0xf5, 0xb7, 0x99, 0x08, 0xab, 0x17,
+ 0xaa, 0x2e, 0xe2, 0x45, 0xb4, 0xfc, 0x2b, 0xf6,
+ 0x06, 0x36, 0x29, 0x40, 0xed, 0x7d, 0xe7, 0xed
+ };
+
+ unsigned char hashtopoint_correct_output2[32] =
+ {
+ 0xa0, 0x35, 0xbb, 0xa9, 0x4d, 0x30, 0x55, 0x33,
+ 0x0d, 0xce, 0xc2, 0x7f, 0x83, 0xde, 0x79, 0xd0,
+ 0x89, 0x67, 0x72, 0x4c, 0x07, 0x8d, 0x68, 0x9d,
+ 0x61, 0x52, 0x1d, 0xf9, 0x2c, 0x5c, 0xba, 0x77
+ };
+
+ unsigned char calculatev_correct_output[32] =
+ {
+ 0x1b, 0x77, 0xb5, 0xa0, 0x44, 0x84, 0x7e, 0xb9,
+ 0x23, 0xd7, 0x93, 0x18, 0xce, 0xc2, 0xc5, 0xe2,
+ 0x84, 0xd5, 0x79, 0x6f, 0x65, 0x63, 0x1b, 0x60,
+ 0x9b, 0xf1, 0xf8, 0xce, 0x88, 0x0b, 0x50, 0x9c,
+ };
+
+ int count;
+ fe in, out;
+ unsigned char bytes[32];
+ fe_0(in);
+ fe_0(out);
+ for (count = 0; count < 32; count++) {
+ bytes[count] = count;
+ }
+ fe_frombytes(in, bytes);
+ elligator(out, in);
+ fe_tobytes(bytes, out);
+ TEST("Elligator vector", memcmp(bytes, elligator_correct_output, 32) == 0);
+
+ /* Elligator(0) == 0 test */
+ fe_0(in);
+ elligator(out, in);
+ TEST("Elligator(0) == 0", memcmp(in, out, 32) == 0);
+
+ /* ge_montx_to_p3(0) -> order2 point test */
+ fe one, negone, zero;
+ fe_1(one);
+ fe_0(zero);
+ fe_sub(negone, zero, one);
+ ge_p3 p3;
+ ge_montx_to_p3(&p3, zero, 0);
+ TEST("ge_montx_to_p3(0) == order 2 point",
+ fe_isequal(p3.X, zero) &&
+ fe_isequal(p3.Y, negone) &&
+ fe_isequal(p3.Z, one) &&
+ fe_isequal(p3.T, zero));
+
+ /* Hash to point vector test */
+ unsigned char htp[32];
+
+ for (count=0; count < 32; count++) {
+ htp[count] = count;
+ }
+
+ hash_to_point(&p3, htp, 32);
+ ge_p3_tobytes(htp, &p3);
+ TEST("hash_to_point #1", memcmp(htp, hashtopoint_correct_output1, 32) == 0);
+
+ for (count=0; count < 32; count++) {
+ htp[count] = count+1;
+ }
+
+ hash_to_point(&p3, htp, 32);
+ ge_p3_tobytes(htp, &p3);
+ TEST("hash_to_point #2", memcmp(htp, hashtopoint_correct_output2, 32) == 0);
+
+ /* calculate_U vector test */
+ ge_p3 Bv;
+ unsigned char V[32];
+ unsigned char Vbuf[200];
+ unsigned char a[32];
+ unsigned char A[32];
+ unsigned char Vmsg[3];
+ Vmsg[0] = 0;
+ Vmsg[1] = 1;
+ Vmsg[2] = 2;
+ for (count=0; count < 32; count++) {
+ a[count] = 8 + count;
+ A[count] = 9 + count;
+ }
+ sc_clamp(a);
+ calculate_Bv_and_V(&Bv, V, Vbuf, a, A, Vmsg, 3);
+ TEST("calculate_Bv_and_V vector", memcmp(V, calculatev_correct_output, 32) == 0);
+ return 0;
+}
+
+int curvesigs_fast_test(int silent)
+{
+ unsigned char signature_correct[64] = {
+ 0xcf, 0x87, 0x3d, 0x03, 0x79, 0xac, 0x20, 0xe8,
+ 0x89, 0x3e, 0x55, 0x67, 0xee, 0x0f, 0x89, 0x51,
+ 0xf8, 0xdb, 0x84, 0x0d, 0x26, 0xb2, 0x43, 0xb4,
+ 0x63, 0x52, 0x66, 0x89, 0xd0, 0x1c, 0xa7, 0x18,
+ 0xac, 0x18, 0x9f, 0xb1, 0x67, 0x85, 0x74, 0xeb,
+ 0xdd, 0xe5, 0x69, 0x33, 0x06, 0x59, 0x44, 0x8b,
+ 0x0b, 0xd6, 0xc1, 0x97, 0x3f, 0x7d, 0x78, 0x0a,
+ 0xb3, 0x95, 0x18, 0x62, 0x68, 0x03, 0xd7, 0x82,
+ };
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[64];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 0, 64);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ privkey[8] = 189; /* just so there's some bits set */
+ sc_clamp(privkey);
+
+ /* Signature vector test */
+ curve25519_keygen(pubkey, privkey);
+
+ curve25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ TEST("Curvesig sign", memcmp(signature, signature_correct, 64) == 0);
+ TEST("Curvesig verify #1", curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0);
+ signature[0] ^= 1;
+ TEST("Curvesig verify #2", curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0);
+ return 0;
+}
+
+int xeddsa_fast_test(int silent)
+{
+ unsigned char signature_correct[64] = {
+ 0x11, 0xc7, 0xf3, 0xe6, 0xc4, 0xdf, 0x9e, 0x8a,
+ 0x51, 0x50, 0xe1, 0xdb, 0x3b, 0x30, 0xf9, 0x2d,
+ 0xe3, 0xa3, 0xb3, 0xaa, 0x43, 0x86, 0x56, 0x54,
+ 0x5f, 0xa7, 0x39, 0x0f, 0x4b, 0xcc, 0x7b, 0xb2,
+ 0x6c, 0x43, 0x1d, 0x9e, 0x90, 0x64, 0x3e, 0x4f,
+ 0x0e, 0xaa, 0x0e, 0x9c, 0x55, 0x77, 0x66, 0xfa,
+ 0x69, 0xad, 0xa5, 0x76, 0xd6, 0x3d, 0xca, 0xf2,
+ 0xac, 0x32, 0x6c, 0x11, 0xd0, 0xb9, 0x77, 0x02,
+ };
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[64];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 0, 64);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ privkey[8] = 189; /* just so there's some bits set */
+ sc_clamp(privkey);
+
+ /* Signature vector test */
+ curve25519_keygen(pubkey, privkey);
+
+ xed25519_sign(signature, privkey, msg, MSG_LEN, random);
+ TEST("XEdDSA sign", memcmp(signature, signature_correct, 64) == 0);
+ TEST("XEdDSA verify #1", xed25519_verify(signature, pubkey, msg, MSG_LEN) == 0);
+ signature[0] ^= 1;
+ TEST("XEdDSA verify #2", xed25519_verify(signature, pubkey, msg, MSG_LEN) != 0);
+ return 0;
+}
+
+int vxeddsa_fast_test(int silent)
+{
+ unsigned char signature_correct[96] = {
+ 0x23, 0xc6, 0xe5, 0x93, 0x3f, 0xcd, 0x56, 0x47,
+ 0x7a, 0x86, 0xc9, 0x9b, 0x76, 0x2c, 0xb5, 0x24,
+ 0xc3, 0xd6, 0x05, 0x55, 0x38, 0x83, 0x4d, 0x4f,
+ 0x8d, 0xb8, 0xf0, 0x31, 0x07, 0xec, 0xeb, 0xa0,
+ 0xa0, 0x01, 0x50, 0xb8, 0x4c, 0xbb, 0x8c, 0xcd,
+ 0x23, 0xdc, 0x65, 0xfd, 0x0e, 0x81, 0xb2, 0x86,
+ 0x06, 0xa5, 0x6b, 0x0c, 0x4f, 0x53, 0x6d, 0xc8,
+ 0x8b, 0x8d, 0xc9, 0x04, 0x6e, 0x4a, 0xeb, 0x08,
+ 0xce, 0x08, 0x71, 0xfc, 0xc7, 0x00, 0x09, 0xa4,
+ 0xd6, 0xc0, 0xfd, 0x2d, 0x1a, 0xe5, 0xb6, 0xc0,
+ 0x7c, 0xc7, 0x22, 0x3b, 0x69, 0x59, 0xa8, 0x26,
+ 0x2b, 0x57, 0x78, 0xd5, 0x46, 0x0e, 0x0f, 0x05,
+ };
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[96];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+ unsigned char vrf_out[32];
+ unsigned char vrf_outprev[32];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 0, 96);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ privkey[8] = 189; /* just so there's some bits set */
+ sc_clamp(privkey);
+
+ /* Signature vector test */
+ curve25519_keygen(pubkey, privkey);
+
+ vxed25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ TEST("VXEdDSA sign", memcmp(signature, signature_correct, 96) == 0);
+ TEST("VXEdDSA verify #1", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0);
+ memcpy(vrf_outprev, vrf_out, 32);
+ signature[0] ^= 1;
+ TEST("VXEdDSA verify #2", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) != 0);
+
+ /* Test U */
+ unsigned char sigprev[96];
+ memcpy(sigprev, signature, 96);
+ sigprev[0] ^= 1; /* undo prev disturbance */
+
+ random[0] ^= 1;
+ vxed25519_sign(signature, privkey, msg, MSG_LEN, random);
+ TEST("VXEdDSA verify #3", vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0);
+
+ TEST("VXEdDSA VRF value unchanged", memcmp(vrf_out, vrf_outprev, 32) == 0);
+ TEST("VXEdDSA (h, s) changed", memcmp(signature+32, sigprev+32, 64) != 0);
+ return 0;
+}
+
+int curvesigs_slow_test(int silent, int iterations)
+{
+
+ unsigned char signature_10k_correct[64] = {
+ 0xfc, 0xba, 0x55, 0xc4, 0x85, 0x4a, 0x42, 0x25,
+ 0x19, 0xab, 0x08, 0x8d, 0xfe, 0xb5, 0x13, 0xb6,
+ 0x0d, 0x24, 0xbb, 0x16, 0x27, 0x55, 0x71, 0x48,
+ 0xdd, 0x20, 0xb1, 0xcd, 0x2a, 0xd6, 0x7e, 0x35,
+ 0xef, 0x33, 0x4c, 0x7b, 0x6d, 0x94, 0x6f, 0x52,
+ 0xec, 0x43, 0xd7, 0xe6, 0x35, 0x24, 0xcd, 0x5b,
+ 0x5d, 0xdc, 0xb2, 0x32, 0xc6, 0x22, 0x53, 0xf3,
+ 0x38, 0x02, 0xf8, 0x28, 0x28, 0xc5, 0x65, 0x05,
+ };
+
+ int count;
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[64];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 0, 64);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ /* Signature random test */
+ INFO("Pseudorandom curvesigs...\n");
+ for (count = 1; count <= iterations; count++) {
+ unsigned char b[64];
+ crypto_hash_sha512(b, signature, 64);
+ memmove(privkey, b, 32);
+ crypto_hash_sha512(b, privkey, 32);
+ memmove(random, b, 64);
+
+ sc_clamp(privkey);
+ curve25519_keygen(pubkey, privkey);
+
+ curve25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
+ ERROR("Curvesig verify failure #1 %d\n", count);
+
+ if (b[63] & 1)
+ signature[count % 64] ^= 1;
+ else
+ msg[count % MSG_LEN] ^= 1;
+ if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
+ ERROR("Curvesig verify failure #2 %d\n", count);
+
+ if (count == 10000) {
+ if (memcmp(signature, signature_10k_correct, 64) != 0)
+ ERROR("Curvesig signature 10K doesn't match %d\n", count);
+ }
+ if (count == 100000)
+ print_bytes("100K curvesigs", signature, 64);
+ if (count == 1000000)
+ print_bytes("1M curvesigs", signature, 64);
+ if (count == 10000000)
+ print_bytes("10M curvesigs", signature, 64);
+ }
+ INFO("good\n");
+ return 0;
+}
+
+int xeddsa_slow_test(int silent, int iterations)
+{
+
+ unsigned char signature_10k_correct[64] = {
+ 0x15, 0x29, 0x03, 0x38, 0x66, 0x16, 0xcd, 0x26,
+ 0xbb, 0x3e, 0xec, 0xe2, 0x9f, 0x72, 0xa2, 0x5c,
+ 0x7d, 0x05, 0xc9, 0xcb, 0x84, 0x3f, 0x92, 0x96,
+ 0xb3, 0xfb, 0xb9, 0xdd, 0xd6, 0xed, 0x99, 0x04,
+ 0xc1, 0xa8, 0x02, 0x16, 0xcf, 0x49, 0x3f, 0xf1,
+ 0xbe, 0x69, 0xf9, 0xf1, 0xcc, 0x16, 0xd7, 0xdc,
+ 0x6e, 0xd3, 0x78, 0xaa, 0x04, 0xeb, 0x71, 0x51,
+ 0x9d, 0xe8, 0x7a, 0x5b, 0xd8, 0x49, 0x7b, 0x05,
+ };
+
+ int count;
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[96];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 1, 64);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ /* Signature random test */
+ INFO("Pseudorandom XEdDSA...\n");
+ for (count = 1; count <= iterations; count++) {
+ unsigned char b[64];
+ crypto_hash_sha512(b, signature, 64);
+ memmove(privkey, b, 32);
+ crypto_hash_sha512(b, privkey, 32);
+ memmove(random, b, 64);
+
+ sc_clamp(privkey);
+ curve25519_keygen(pubkey, privkey);
+
+ xed25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ if (xed25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
+ ERROR("XEdDSA verify failure #1 %d\n", count);
+
+ if (b[63] & 1)
+ signature[count % 64] ^= 1;
+ else
+ msg[count % MSG_LEN] ^= 1;
+ if (xed25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
+ ERROR("XEdDSA verify failure #2 %d\n", count);
+
+ if (count == 10000) {
+ if (memcmp(signature, signature_10k_correct, 64) != 0)
+ ERROR("XEDSA signature 10K doesn't match %d\n", count);
+ }
+ if (count == 100000)
+ print_bytes("100K XEdDSA", signature, 64);
+ if (count == 1000000)
+ print_bytes("1M XEdDSA", signature, 64);
+ if (count == 10000000)
+ print_bytes("10M XEdDSA", signature, 64);
+ }
+ INFO("good\n");
+ return 0;
+}
+
+int xeddsa_to_curvesigs_slow_test(int silent, int iterations)
+{
+
+ unsigned char signature_10k_correct[64] = {
+ 0x33, 0x50, 0xa8, 0x68, 0xcd, 0x9e, 0x74, 0x99,
+ 0xa3, 0x5c, 0x33, 0x75, 0x2b, 0x22, 0x03, 0xf8,
+ 0xb5, 0x0f, 0xea, 0x8c, 0x33, 0x1c, 0x68, 0x8b,
+ 0xbb, 0xf3, 0x31, 0xcf, 0x7c, 0x42, 0x37, 0x35,
+ 0xa0, 0x0e, 0x15, 0xb8, 0x5d, 0x2b, 0xe1, 0xa2,
+ 0x03, 0x77, 0x94, 0x3d, 0x13, 0x5c, 0xd4, 0x9b,
+ 0x6a, 0x31, 0xf4, 0xdc, 0xfe, 0x24, 0xad, 0x54,
+ 0xeb, 0xd2, 0x98, 0x47, 0xf1, 0xcc, 0xbf, 0x0d
+
+ };
+
+ int count;
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[96];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 2, 64);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ /* Signature random test */
+ INFO("Pseudorandom XEdDSA/Curvesigs...\n");
+ for (count = 1; count <= iterations; count++) {
+ unsigned char b[64];
+ crypto_hash_sha512(b, signature, 64);
+ memmove(privkey, b, 32);
+ crypto_hash_sha512(b, privkey, 32);
+ memmove(random, b, 64);
+
+ sc_clamp(privkey);
+ curve25519_keygen(pubkey, privkey);
+
+ xed25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ if (curve25519_verify(signature, pubkey, msg, MSG_LEN) != 0)
+ ERROR("XEdDSA/Curvesigs verify failure #1 %d\n", count);
+
+ if (b[63] & 1)
+ signature[count % 64] ^= 1;
+ else
+ msg[count % MSG_LEN] ^= 1;
+ if (curve25519_verify(signature, pubkey, msg, MSG_LEN) == 0)
+ ERROR("XEdDSA/Curvesigs verify failure #2 %d\n", count);
+
+ if (count == 10000) {
+ if (memcmp(signature, signature_10k_correct, 64) != 0)
+ ERROR("XEdDSA/Curvesigs signature 10K doesn't match %d\n", count);
+ }
+ if (count == 100000)
+ print_bytes("100K XEdDSA/C", signature, 64);
+ if (count == 1000000)
+ print_bytes("1M XEdDSA/C", signature, 64);
+ if (count == 10000000)
+ print_bytes("10M XEdDSA/C", signature, 64);
+ }
+ INFO("good\n");
+ return 0;
+}
+
+int vxeddsa_slow_test(int silent, int iterations)
+{
+
+ unsigned char signature_10k_correct[96] = {
+ 0xa1, 0x96, 0x96, 0xe5, 0x87, 0x3f, 0x6e, 0x5c,
+ 0x2e, 0xd3, 0x73, 0xab, 0x04, 0x0c, 0x1f, 0x26,
+ 0x3c, 0xca, 0x52, 0xc4, 0x7e, 0x49, 0xaa, 0xce,
+ 0xb5, 0xd6, 0xa2, 0x29, 0x46, 0x3f, 0x1b, 0x54,
+ 0x45, 0x94, 0x9b, 0x6c, 0x27, 0xf9, 0x2a, 0xed,
+ 0x17, 0xa4, 0x72, 0xbf, 0x35, 0x37, 0xc1, 0x90,
+ 0xac, 0xb3, 0xfd, 0x2d, 0xf1, 0x01, 0x05, 0xbe,
+ 0x56, 0x5c, 0xaf, 0x63, 0x65, 0xad, 0x38, 0x04,
+ 0x70, 0x53, 0xdf, 0x2b, 0xc1, 0x45, 0xc8, 0xee,
+ 0x02, 0x0d, 0x2b, 0x22, 0x23, 0x7a, 0xbf, 0xfa,
+ 0x43, 0x31, 0xb3, 0xac, 0x26, 0xd9, 0x76, 0xfc,
+ 0xfe, 0x30, 0xa1, 0x7c, 0xce, 0x10, 0x67, 0x0e,
+ };
+
+ unsigned char signature_100k_correct[96] = {
+ 0xc9, 0x11, 0x2b, 0x55, 0xfa, 0xc4, 0xb2, 0xfe,
+ 0x00, 0x7d, 0xf6, 0x45, 0xcb, 0xd2, 0x73, 0xc9,
+ 0x43, 0xba, 0x20, 0xf6, 0x9c, 0x18, 0x84, 0xef,
+ 0x6c, 0x65, 0x7a, 0xdb, 0x49, 0xfc, 0x1e, 0xbe,
+ 0x31, 0xb3, 0xe6, 0xa4, 0x68, 0x2f, 0xd0, 0x30,
+ 0x81, 0xfc, 0x0d, 0xcd, 0x2d, 0x00, 0xab, 0xae,
+ 0x9f, 0x08, 0xf0, 0x99, 0xff, 0x9f, 0xdc, 0x2d,
+ 0x68, 0xd6, 0xe7, 0xe8, 0x44, 0x2a, 0x5b, 0x0e,
+ 0x48, 0x67, 0xe2, 0x41, 0x4a, 0xd9, 0x0c, 0x2a,
+ 0x2b, 0x4e, 0x66, 0x09, 0x87, 0xa0, 0x6b, 0x3b,
+ 0xd1, 0xd9, 0xa3, 0xe3, 0xa5, 0x69, 0xed, 0xc1,
+ 0x42, 0x03, 0x93, 0x0d, 0xbc, 0x7e, 0xe9, 0x08,
+ };
+
+ unsigned char signature_1m_correct[96] = {
+ 0xf8, 0xb1, 0x20, 0xf2, 0x1e, 0x5c, 0xbf, 0x5f,
+ 0xea, 0x07, 0xcb, 0xb5, 0x77, 0xb8, 0x03, 0xbc,
+ 0xcb, 0x6d, 0xf1, 0xc1, 0xa5, 0x03, 0x05, 0x7b,
+ 0x01, 0x63, 0x9b, 0xf9, 0xed, 0x3e, 0x57, 0x47,
+ 0xd2, 0x5b, 0xf4, 0x7e, 0x7c, 0x45, 0xce, 0xfc,
+ 0x06, 0xb3, 0xf4, 0x05, 0x81, 0x9f, 0x53, 0xb0,
+ 0x18, 0xe3, 0xfa, 0xcb, 0xb2, 0x52, 0x3e, 0x57,
+ 0xcb, 0x34, 0xcc, 0x81, 0x60, 0xb9, 0x0b, 0x04,
+ 0x07, 0x79, 0xc0, 0x53, 0xad, 0xc4, 0x4b, 0xd0,
+ 0xb5, 0x7d, 0x95, 0x4e, 0xbe, 0xa5, 0x75, 0x0c,
+ 0xd4, 0xbf, 0xa7, 0xc0, 0xcf, 0xba, 0xe7, 0x7c,
+ 0xe2, 0x90, 0xef, 0x61, 0xa9, 0x29, 0x66, 0x0d,
+ };
+
+ unsigned char signature_10m_correct[96] = {
+ 0xf5, 0xa4, 0xbc, 0xec, 0xc3, 0x3d, 0xd0, 0x43,
+ 0xd2, 0x81, 0x27, 0x9e, 0xf0, 0x4c, 0xbe, 0xf3,
+ 0x77, 0x01, 0x56, 0x41, 0x0e, 0xff, 0x0c, 0xb9,
+ 0x66, 0xec, 0x4d, 0xe0, 0xb7, 0x25, 0x63, 0x6b,
+ 0x5c, 0x08, 0x39, 0x80, 0x4e, 0x37, 0x1b, 0x2c,
+ 0x46, 0x6f, 0x86, 0x99, 0x1c, 0x4e, 0x31, 0x60,
+ 0xdb, 0x4c, 0xfe, 0xc5, 0xa2, 0x4d, 0x71, 0x2b,
+ 0xd6, 0xd0, 0xc3, 0x98, 0x88, 0xdb, 0x0e, 0x0c,
+ 0x68, 0x4a, 0xd3, 0xc7, 0x56, 0xac, 0x8d, 0x95,
+ 0x7b, 0xbd, 0x99, 0x50, 0xe8, 0xd3, 0xea, 0xf3,
+ 0x7b, 0x26, 0xf2, 0xa2, 0x2b, 0x02, 0x58, 0xca,
+ 0xbd, 0x2c, 0x2b, 0xf7, 0x77, 0x58, 0xfe, 0x09,
+ };
+
+ int count;
+ const int MSG_LEN = 200;
+ unsigned char privkey[32];
+ unsigned char pubkey[32];
+ unsigned char signature[96];
+ unsigned char msg[MSG_LEN];
+ unsigned char random[64];
+ unsigned char vrf_out[32];
+
+ memset(privkey, 0, 32);
+ memset(pubkey, 0, 32);
+ memset(signature, 3, 96);
+ memset(msg, 0, MSG_LEN);
+ memset(random, 0, 64);
+
+ INFO("Pseudorandom VXEdDSA...\n");
+ for (count = 1; count <= iterations; count++) {
+ unsigned char b[64];
+ crypto_hash_sha512(b, signature, 96);
+ memmove(privkey, b, 32);
+ crypto_hash_sha512(b, privkey, 32);
+ memmove(random, b, 64);
+
+ sc_clamp(privkey);
+ curve25519_keygen(pubkey, privkey);
+
+ vxed25519_sign(signature, privkey, msg, MSG_LEN, random);
+
+ if (vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) != 0)
+ ERROR("VXEdDSA verify failure #1 %d\n", count);
+
+ if (b[63] & 1)
+ signature[count % 96] ^= 1;
+ else
+ msg[count % MSG_LEN] ^= 1;
+
+ if (vxed25519_verify(vrf_out, signature, pubkey, msg, MSG_LEN) == 0)
+ ERROR("VXEdDSA verify failure #2 %d\n", count);
+
+ if (count == 10000)
+ print_bytes("10K VXEdDSA", signature, 96);
+ if (count == 100000)
+ print_bytes("100K VXEdDSA", signature, 96);
+ if (count == 1000000)
+ print_bytes("1M VXEdDSA", signature, 96);
+ if (count == 10000000)
+ print_bytes("10M VXEdDSA", signature, 96);
+ if (count == 100000000)
+ print_bytes("100M VXEdDSA", signature, 96);
+
+ if (count == 10000) {
+ if (memcmp(signature, signature_10k_correct, 96) != 0)
+ ERROR("VXEDDSA 10K doesn't match %d\n", count);
+ }
+ if (count == 100000) {
+ if (memcmp(signature, signature_100k_correct, 96) != 0)
+ ERROR("VXEDDSA 100K doesn't match %d\n", count);
+ }
+ if (count == 1000000) {
+ if (memcmp(signature, signature_1m_correct, 96) != 0)
+ ERROR("VXEDDSA 1m doesn't match %d\n", count);
+ }
+ if (count == 10000000) {
+ if (memcmp(signature, signature_10m_correct, 96) != 0)
+ ERROR("VXEDDSA 10m doesn't match %d\n", count);
+ }
+ /*
+ if (count == 100000000) {
+ if (memcmp(signature, signature_100m_correct, 96) != 0)
+ ERROR("VXEDDSA 100m doesn't match %d\n", count);
+ }
+ */
+ }
+ INFO("good\n");
+ return 0;
+}
+
+int all_fast_tests(int silent)
+{
+ int result;
+ if ((result = sha512_fast_test(silent)) != 0)
+ return result;
+ if ((result = elligator_fast_test(silent)) != 0)
+ return result;
+ if ((result = curvesigs_fast_test(silent)) != 0)
+ return result;
+ if ((result = xeddsa_fast_test(silent)) != 0)
+ return result;
+ if ((result = vxeddsa_fast_test(silent)) != 0)
+ return result;
+
+ return 0;
+}
+
diff --git a/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h
new file mode 100644
index 0000000000..1623268bde
--- /dev/null
+++ b/libs/libaxolotl/src/curve25519/ed25519/tests/tests.h
@@ -0,0 +1,22 @@
+#ifndef __TESTS_H__
+#define __TESTS_H__
+
+/* silent = 0 : prints info+error messages to stdout, abort() on test failure
+ * silent = 1 : returns 0 for success, anything else for failure
+ * iterations : hardcoded known-good values are at 10000, so run at least this many
+ */
+
+int sha512_fast_test(int silent);
+int elligator_fast_test(int silent);
+int curvesigs_fast_test(int silent);
+int xeddsa_fast_test(int silent);
+int vxeddsa_fast_test(int silent);
+
+int curvesigs_slow_test(int silent, int iterations);
+int xeddsa_slow_test(int silent, int iterations);
+int xeddsa_to_curvesigs_slow_test(int silent, int iterations);
+int vxeddsa_slow_test(int silent, int iterations);
+
+int all_fast_tests(int silent);
+
+#endif