summaryrefslogtreecommitdiff
path: root/libs/libaxolotl/src/curve25519/ed25519/additions
diff options
context:
space:
mode:
Diffstat (limited to 'libs/libaxolotl/src/curve25519/ed25519/additions')
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/compare.c44
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/compare.h6
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h45
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h6
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c102
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h17
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c80
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c14
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c14
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c17
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c19
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c51
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c70
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c15
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c140
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c15
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h19
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c349
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h65
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c157
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h23
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c312
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h23
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c131
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h37
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c12
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c17
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h12
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c45
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c8
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c21
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c25
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c53
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/utility.c29
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/utility.h11
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c80
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c16
-rw-r--r--libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h12
44 files changed, 0 insertions, 2223 deletions
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c b/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c
deleted file mode 100644
index 8b1e31389f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include <string.h>
-#include "compare.h"
-
-/* Const-time comparison from SUPERCOP, but here it's only used for
- signature verification, so doesn't need to be const-time. But
- copied the nacl version anyways. */
-int crypto_verify_32_ref(const unsigned char *x, const unsigned char *y)
-{
- unsigned int differentbits = 0;
-#define F(i) differentbits |= x[i] ^ y[i];
- F(0)
- F(1)
- F(2)
- F(3)
- F(4)
- F(5)
- F(6)
- F(7)
- F(8)
- F(9)
- F(10)
- F(11)
- F(12)
- F(13)
- F(14)
- F(15)
- F(16)
- F(17)
- F(18)
- F(19)
- F(20)
- F(21)
- F(22)
- F(23)
- F(24)
- F(25)
- F(26)
- F(27)
- F(28)
- F(29)
- F(30)
- F(31)
- return (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h b/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h
deleted file mode 100644
index 5a2fa910d4..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/compare.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef __COMPARE_H__
-#define __COMPARE_H__
-
-int crypto_verify_32_ref(const unsigned char *b1, const unsigned char *b2);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
deleted file mode 100644
index 5c4b8f47bf..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_additions.h
+++ /dev/null
@@ -1,45 +0,0 @@
-
-#ifndef __CRYPTO_ADDITIONS__
-#define __CRYPTO_ADDITIONS__
-
-#include "crypto_uint32.h"
-#include "fe.h"
-#include "ge.h"
-
-#define MAX_MSG_LEN 256
-
-void sc_neg(unsigned char *b, const unsigned char *a);
-void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b);
-
-int fe_isequal(const fe f, const fe g);
-int fe_isreduced(const unsigned char* s);
-void fe_mont_rhs(fe v2, const fe u);
-void fe_montx_to_edy(fe y, const fe u);
-void fe_sqrt(fe b, const fe a);
-
-int ge_isneutral(const ge_p3* q);
-void ge_neg(ge_p3* r, const ge_p3 *p);
-void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit);
-void ge_p3_to_montx(fe u, const ge_p3 *p);
-void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A);
-void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p);
-
-void elligator(fe u, const fe r);
-void hash_to_point(ge_p3* p, const unsigned char* msg, const unsigned long in_len);
-
-int crypto_sign_modified(
- unsigned char *sm,
- const unsigned char *m,unsigned long long mlen,
- const unsigned char *sk, /* Curve/Ed25519 private key */
- const unsigned char *pk, /* Ed25519 public key */
- const unsigned char *random /* 64 bytes random to hash into nonce */
- );
-
-int crypto_sign_open_modified(
- unsigned char *m,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk
- );
-
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h b/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h
deleted file mode 100644
index a51a190d25..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/crypto_hash_sha512.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef crypto_hash_sha512_H
-#define crypto_hash_sha512_H
-
-extern int crypto_hash_sha512(unsigned char *,const unsigned char *,unsigned long long);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
deleted file mode 100644
index 325472427c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.c
+++ /dev/null
@@ -1,102 +0,0 @@
-#include <stdlib.h>
-#include <string.h>
-#include "ge.h"
-#include "curve_sigs.h"
-#include "crypto_sign.h"
-#include "crypto_additions.h"
-
-int curve25519_sign(unsigned char* signature_out,
- const unsigned char* curve25519_privkey,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random)
-{
- ge_p3 ed_pubkey_point; /* Ed25519 pubkey point */
- unsigned char ed_pubkey[32]; /* Ed25519 encoded pubkey */
- unsigned char *sigbuf; /* working buffer */
- unsigned char sign_bit = 0;
-
- if ((sigbuf = malloc(msg_len + 128)) == 0) {
- memset(signature_out, 0, 64);
- return -1;
- }
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
- ge_p3_tobytes(ed_pubkey, &ed_pubkey_point);
- sign_bit = ed_pubkey[31] & 0x80;
-
- /* Perform an Ed25519 signature with explicit private key */
- crypto_sign_modified(sigbuf, msg, msg_len, curve25519_privkey,
- ed_pubkey, random);
- memmove(signature_out, sigbuf, 64);
-
- /* Encode the sign bit into signature (in unused high bit of S) */
- signature_out[63] &= 0x7F; /* bit should be zero already, but just in case */
- signature_out[63] |= sign_bit;
-
- free(sigbuf);
- return 0;
-}
-
-int curve25519_verify(const unsigned char* signature,
- const unsigned char* curve25519_pubkey,
- const unsigned char* msg, const unsigned long msg_len)
-{
- fe u;
- fe y;
- unsigned char ed_pubkey[32];
- unsigned char *verifybuf = NULL; /* working buffer */
- unsigned char *verifybuf2 = NULL; /* working buffer #2 */
- int result;
-
- if ((verifybuf = malloc(msg_len + 64)) == 0) {
- result = -1;
- goto err;
- }
-
- if ((verifybuf2 = malloc(msg_len + 64)) == 0) {
- result = -1;
- goto err;
- }
-
- /* Convert the Curve25519 public key into an Ed25519 public key. In
- particular, convert Curve25519's "montgomery" x-coordinate (u) into an
- Ed25519 "edwards" y-coordinate:
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
-
- Then move the sign bit into the pubkey from the signature.
- */
- fe_frombytes(u, curve25519_pubkey);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey, y);
-
- /* Copy the sign bit, and remove it from signature */
- ed_pubkey[31] &= 0x7F; /* bit should be zero already, but just in case */
- ed_pubkey[31] |= (signature[63] & 0x80);
- memmove(verifybuf, signature, 64);
- verifybuf[63] &= 0x7F;
-
- memmove(verifybuf+64, msg, msg_len);
-
- /* Then perform a normal Ed25519 verification, return 0 on success */
- /* The below call has a strange API: */
- /* verifybuf = R || S || message */
- /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
- replaced with pubkey for hashing */
- result = crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
-
- err:
-
- if (verifybuf != NULL) {
- free(verifybuf);
- }
-
- if (verifybuf2 != NULL) {
- free(verifybuf2);
- }
-
- return result;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h b/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
deleted file mode 100644
index a2d819aef0..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/curve_sigs.h
+++ /dev/null
@@ -1,17 +0,0 @@
-
-#ifndef __CURVE_SIGS_H__
-#define __CURVE_SIGS_H__
-
-/* returns 0 on success */
-int curve25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* curve25519_privkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
- const unsigned char* random); /* 64 bytes */
-
-/* returns 0 on success */
-int curve25519_verify(const unsigned char* signature, /* 64 bytes */
- const unsigned char* curve25519_pubkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
-
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c b/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
deleted file mode 100644
index 17b03a71f6..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/elligator.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include <string.h>
-#include "fe.h"
-#include "ge.h"
-#include "crypto_uint32.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_additions.h"
-
-unsigned int legendre_is_nonsquare(fe in)
-{
- fe temp;
- unsigned char bytes[32];
- fe_pow22523(temp, in); /* temp = in^((q-5)/8) */
- fe_sq(temp, temp); /* in^((q-5)/4) */
- fe_sq(temp, temp); /* in^((q-5)/2) */
- fe_mul(temp, temp, in); /* in^((q-3)/2) */
- fe_mul(temp, temp, in); /* in^((q-1)/2) */
-
- /* temp is now the Legendre symbol:
- * 1 = square
- * 0 = input is zero
- * -1 = nonsquare
- */
- fe_tobytes(bytes, temp);
- return 1 & bytes[31];
-}
-
-void elligator(fe u, const fe r)
-{
- /* r = input
- * x = -A/(1+2r^2) # 2 is nonsquare
- * e = (x^3 + Ax^2 + x)^((q-1)/2) # legendre symbol
- * if e == 1 (square) or e == 0 (because x == 0 and 2r^2 + 1 == 0)
- * u = x
- * if e == -1 (nonsquare)
- * u = -x - A
- */
- fe A, one, twor2, twor2plus1, twor2plus1inv;
- fe x, e, Atemp, uneg;
- unsigned int nonsquare;
-
- fe_1(one);
- fe_0(A);
- A[0] = 486662; /* A = 486662 */
-
- fe_sq2(twor2, r); /* 2r^2 */
- fe_add(twor2plus1, twor2, one); /* 1+2r^2 */
- fe_invert(twor2plus1inv, twor2plus1); /* 1/(1+2r^2) */
- fe_mul(x, twor2plus1inv, A); /* A/(1+2r^2) */
- fe_neg(x, x); /* x = -A/(1+2r^2) */
-
- fe_mont_rhs(e, x); /* e = x^3 + Ax^2 + x */
- nonsquare = legendre_is_nonsquare(e);
-
- fe_0(Atemp);
- fe_cmov(Atemp, A, nonsquare); /* 0, or A if nonsquare */
- fe_add(u, x, Atemp); /* x, or x+A if nonsquare */
- fe_neg(uneg, u); /* -x, or -x-A if nonsquare */
- fe_cmov(u, uneg, nonsquare); /* x, or -x-A if nonsquare */
-}
-
-void hash_to_point(ge_p3* p, const unsigned char* in, const unsigned long in_len)
-{
- unsigned char hash[64];
- fe h, u;
- unsigned char sign_bit;
- ge_p3 p3;
-
- crypto_hash_sha512(hash, in, in_len);
-
- /* take the high bit as Edwards sign bit */
- sign_bit = (hash[31] & 0x80) >> 7;
- hash[31] &= 0x7F;
- fe_frombytes(h, hash);
- elligator(u, h);
-
- ge_montx_to_p3(&p3, u, sign_bit);
- ge_scalarmult_cofactor(p, &p3);
-}
-
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
deleted file mode 100644
index 67c5d33c96..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isequal.c
+++ /dev/null
@@ -1,14 +0,0 @@
-#include "fe.h"
-#include "crypto_verify_32.h"
-
-/*
-return 1 if f == g
-return 0 if f != g
-*/
-
-int fe_isequal(const fe f, const fe g)
-{
- fe h;
- fe_sub(h, f, g);
- return 1 ^ (1 & (fe_isnonzero(h) >> 8));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
deleted file mode 100644
index 6fbb3beccd..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_isreduced.c
+++ /dev/null
@@ -1,14 +0,0 @@
-#include "fe.h"
-#include "crypto_verify_32.h"
-
-int fe_isreduced(const unsigned char* s)
-{
- fe f;
- unsigned char strict[32];
-
- fe_frombytes(f, s);
- fe_tobytes(strict, f);
- if (crypto_verify_32(strict, s) != 0)
- return 0;
- return 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
deleted file mode 100644
index bc8393620c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_mont_rhs.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include "fe.h"
-
-void fe_mont_rhs(fe v2, fe u) {
- fe A, one;
- fe u2, Au, inner;
-
- fe_1(one);
- fe_0(A);
- A[0] = 486662; /* A = 486662 */
-
- fe_sq(u2, u); /* u^2 */
- fe_mul(Au, A, u); /* Au */
- fe_add(inner, u2, Au); /* u^2 + Au */
- fe_add(inner, inner, one); /* u^2 + Au + 1 */
- fe_mul(v2, u, inner); /* u(u^2 + Au + 1) */
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
deleted file mode 100644
index b0f8c63276..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_montx_to_edy.c
+++ /dev/null
@@ -1,19 +0,0 @@
-
-#include "fe.h"
-#include "crypto_additions.h"
-
-void fe_montx_to_edy(fe y, const fe u)
-{
- /*
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- fe one, um1, up1;
-
- fe_1(one);
- fe_sub(um1, u, one);
- fe_add(up1, u, one);
- fe_invert(up1, up1);
- fe_mul(y, um1, up1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c b/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
deleted file mode 100644
index a0c9785821..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/fe_sqrt.c
+++ /dev/null
@@ -1,51 +0,0 @@
-#include <assert.h>
-#include "fe.h"
-#include "crypto_additions.h"
-
-/* sqrt(-1) */
-static unsigned char i_bytes[32] = {
- 0xb0, 0xa0, 0x0e, 0x4a, 0x27, 0x1b, 0xee, 0xc4,
- 0x78, 0xe4, 0x2f, 0xad, 0x06, 0x18, 0x43, 0x2f,
- 0xa7, 0xd7, 0xfb, 0x3d, 0x99, 0x00, 0x4d, 0x2b,
- 0x0b, 0xdf, 0xc1, 0x4f, 0x80, 0x24, 0x83, 0x2b
-};
-
-/* Preconditions: a is square or zero */
-
-void fe_sqrt(fe out, const fe a)
-{
- fe exp, b, b2, bi, i;
-#ifndef NDEBUG
- fe legendre, zero, one;
-#endif
-
- fe_frombytes(i, i_bytes);
- fe_pow22523(exp, a); /* b = a^(q-5)/8 */
-
- /* PRECONDITION: legendre symbol == 1 (square) or 0 (a == zero) */
-#ifndef NDEBUG
- fe_sq(legendre, exp); /* in^((q-5)/4) */
- fe_sq(legendre, legendre); /* in^((q-5)/2) */
- fe_mul(legendre, legendre, a); /* in^((q-3)/2) */
- fe_mul(legendre, legendre, a); /* in^((q-1)/2) */
-
- fe_0(zero);
- fe_1(one);
- assert(fe_isequal(legendre, zero) || fe_isequal(legendre, one));
-#endif
-
- fe_mul(b, a, exp); /* b = a * a^(q-5)/8 */
- fe_sq(b2, b); /* b^2 = a * a^(q-1)/4 */
-
- /* note b^4 == a^2, so b^2 == a or -a
- * if b^2 != a, multiply it by sqrt(-1) */
- fe_mul(bi, b, i);
- fe_cmov(b, bi, 1 ^ fe_isequal(b2, a));
- fe_copy(out, b);
-
- /* PRECONDITION: out^2 == a */
-#ifndef NDEBUG
- fe_sq(b2, out);
- assert(fe_isequal(a, b2));
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
deleted file mode 100644
index d40e443682..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_isneutral.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return 1 if p is the neutral point
-return 0 otherwise
-*/
-
-int ge_isneutral(const ge_p3 *p)
-{
- fe zero;
- fe_0(zero);
-
- /* Check if p == neutral element == (0, 1) */
- return (fe_isequal(p->X, zero) & fe_isequal(p->Y, p->Z));
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
deleted file mode 100644
index 7a716c5a72..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_montx_to_p3.c
+++ /dev/null
@@ -1,70 +0,0 @@
-#include "fe.h"
-#include "ge.h"
-#include "assert.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* sqrt(-(A+2)) */
-static unsigned char A_bytes[32] = {
- 0x06, 0x7e, 0x45, 0xff, 0xaa, 0x04, 0x6e, 0xcc,
- 0x82, 0x1a, 0x7d, 0x4b, 0xd1, 0xd3, 0xa1, 0xc5,
- 0x7e, 0x4f, 0xfc, 0x03, 0xdc, 0x08, 0x7b, 0xd2,
- 0xbb, 0x06, 0xa0, 0x60, 0xf4, 0xed, 0x26, 0x0f
-};
-
-void ge_montx_to_p3(ge_p3* p, const fe u, const unsigned char ed_sign_bit)
-{
- fe x, y, A, v, v2, iv, nx;
-
- fe_frombytes(A, A_bytes);
-
- /* given u, recover edwards y */
- /* given u, recover v */
- /* given u and v, recover edwards x */
-
- fe_montx_to_edy(y, u); /* y = (u - 1) / (u + 1) */
-
- fe_mont_rhs(v2, u); /* v^2 = u(u^2 + Au + 1) */
- fe_sqrt(v, v2); /* v = sqrt(v^2) */
-
- fe_mul(x, u, A); /* x = u * sqrt(-(A+2)) */
- fe_invert(iv, v); /* 1/v */
- fe_mul(x, x, iv); /* x = (u/v) * sqrt(-(A+2)) */
-
- fe_neg(nx, x); /* negate x to match sign bit */
- fe_cmov(x, nx, fe_isnegative(x) ^ ed_sign_bit);
-
- fe_copy(p->X, x);
- fe_copy(p->Y, y);
- fe_1(p->Z);
- fe_mul(p->T, p->X, p->Y);
-
- /* POSTCONDITION: check that p->X and p->Y satisfy the Ed curve equation */
- /* -x^2 + y^2 = 1 + dx^2y^2 */
-#ifndef NDEBUG
- {
- fe one, d, x2, y2, x2y2, dx2y2;
-
- unsigned char dbytes[32] = {
- 0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
- 0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
- 0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
- 0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52
- };
-
- fe_frombytes(d, dbytes);
- fe_1(one);
- fe_sq(x2, p->X); /* x^2 */
- fe_sq(y2, p->Y); /* y^2 */
-
- fe_mul(dx2y2, x2, y2); /* x^2y^2 */
- fe_mul(dx2y2, dx2y2, d); /* dx^2y^2 */
- fe_add(dx2y2, dx2y2, one); /* dx^2y^2 + 1 */
-
- fe_neg(x2y2, x2); /* -x^2 */
- fe_add(x2y2, x2y2, y2); /* -x^2 + y^2 */
-
- assert(fe_isequal(x2y2, dx2y2));
- }
-#endif
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
deleted file mode 100644
index d679713fe0..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_neg.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return r = -p
-*/
-
-
-void ge_neg(ge_p3* r, const ge_p3 *p)
-{
- fe_neg(r->X, p->X);
- fe_copy(r->Y, p->Y);
- fe_copy(r->Z, p->Z);
- fe_neg(r->T, p->T);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
deleted file mode 100644
index b539b2f17f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_p3_to_montx.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "fe.h"
-#include "crypto_additions.h"
-
-void ge_p3_to_montx(fe u, const ge_p3 *ed)
-{
- /*
- u = (y + 1) / (1 - y)
- or
- u = (y + z) / (z - y)
-
- NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
- */
-
- fe y_plus_one, one_minus_y, inv_one_minus_y;
-
- fe_add(y_plus_one, ed->Y, ed->Z);
- fe_sub(one_minus_y, ed->Z, ed->Y);
- fe_invert(inv_one_minus_y, one_minus_y);
- fe_mul(u, y_plus_one, inv_one_minus_y);
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
deleted file mode 100644
index e4f741b8d8..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult.c
+++ /dev/null
@@ -1,140 +0,0 @@
-#include "crypto_uint32.h"
-#include "ge.h"
-#include "crypto_additions.h"
-
-static unsigned char equal(signed char b,signed char c)
-{
- unsigned char ub = b;
- unsigned char uc = c;
- unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
- crypto_uint32 y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
- return y;
-}
-
-static unsigned char negative(signed char b)
-{
- unsigned long long x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
- x >>= 63; /* 1: yes; 0: no */
- return x;
-}
-
-static void cmov(ge_cached *t,const ge_cached *u,unsigned char b)
-{
- fe_cmov(t->YplusX,u->YplusX,b);
- fe_cmov(t->YminusX,u->YminusX,b);
- fe_cmov(t->Z,u->Z,b);
- fe_cmov(t->T2d,u->T2d,b);
-}
-
-static void select(ge_cached *t,const ge_cached *pre, signed char b)
-{
- ge_cached minust;
- unsigned char bnegative = negative(b);
- unsigned char babs = b - (((-bnegative) & b) << 1);
-
- fe_1(t->YplusX);
- fe_1(t->YminusX);
- fe_1(t->Z);
- fe_0(t->T2d);
-
- cmov(t,pre+0,equal(babs,1));
- cmov(t,pre+1,equal(babs,2));
- cmov(t,pre+2,equal(babs,3));
- cmov(t,pre+3,equal(babs,4));
- cmov(t,pre+4,equal(babs,5));
- cmov(t,pre+5,equal(babs,6));
- cmov(t,pre+6,equal(babs,7));
- cmov(t,pre+7,equal(babs,8));
- fe_copy(minust.YplusX,t->YminusX);
- fe_copy(minust.YminusX,t->YplusX);
- fe_copy(minust.Z,t->Z);
- fe_neg(minust.T2d,t->T2d);
- cmov(t,&minust,bnegative);
-}
-
-/*
-h = a * B
-where a = a[0]+256*a[1]+...+256^31 a[31]
-B is the Ed25519 base point (x,4/5) with x positive.
-
-Preconditions:
- a[31] <= 127
-*/
-
-void ge_scalarmult(ge_p3 *h, const unsigned char *a, const ge_p3 *A)
-{
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_p3 t0, t1, t2;
- ge_cached t, pre[8];
- int i;
-
- for (i = 0;i < 32;++i) {
- e[2 * i + 0] = (a[i] >> 0) & 15;
- e[2 * i + 1] = (a[i] >> 4) & 15;
- }
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
-
- carry = 0;
- for (i = 0;i < 63;++i) {
- e[i] += carry;
- carry = e[i] + 8;
- carry >>= 4;
- e[i] -= carry << 4;
- }
- e[63] += carry;
- /* each e[i] is between -8 and 8 */
-
- // Precomputation:
- ge_p3_to_cached(pre+0, A); // A
-
- ge_p3_dbl(&r, A);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+1, &t0); // 2A
-
- ge_add(&r, A, pre+1);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+2, &t1); // 3A
-
- ge_p3_dbl(&r, &t0);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+3, &t0); // 4A
-
- ge_add(&r, A, pre+3);
- ge_p1p1_to_p3(&t2, &r);
- ge_p3_to_cached(pre+4, &t2); // 5A
-
- ge_p3_dbl(&r, &t1);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+5, &t1); // 6A
-
- ge_add(&r, A, pre+5);
- ge_p1p1_to_p3(&t1, &r);
- ge_p3_to_cached(pre+6, &t1); // 7A
-
- ge_p3_dbl(&r, &t0);
- ge_p1p1_to_p3(&t0, &r);
- ge_p3_to_cached(pre+7, &t0); // 8A
-
- ge_p3_0(h);
-
- for (i = 63;i > 0; i--) {
- select(&t,pre,e[i]);
- ge_add(&r, h, &t);
- ge_p1p1_to_p2(&s,&r);
-
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
-
- }
- select(&t,pre,e[0]);
- ge_add(&r, h, &t);
- ge_p1p1_to_p3(h,&r);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c b/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
deleted file mode 100644
index 6affbb05d5..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/ge_scalarmult_cofactor.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_additions.h"
-#include "ge.h"
-
-/*
-return 8 * p
-*/
-
-void ge_scalarmult_cofactor(ge_p3 *q, const ge_p3 *p)
-{
- ge_p1p1 p1p1;
- ge_p2 p2;
-
- ge_p3_dbl(&p1p1, p);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p2(&p2, &p1p1);
-
- ge_p2_dbl(&p1p1, &p2);
- ge_p1p1_to_p3(q, &p1p1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c
deleted file mode 100644
index 75d9673d01..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/ge_p3_add.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "ge.h"
-
-/*
-r = p + q
-*/
-
-void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q)
-{
- ge_cached p_cached;
- ge_p1p1 r_p1p1;
-
- ge_p3_to_cached(&p_cached, p);
- ge_add(&r_p1p1, q, &p_cached);
- ge_p1p1_to_p3(r, &r_p1p1);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h
deleted file mode 100644
index 392a88e57b..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_constants.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _GEN_CONSTANTS_H__
-#define _GEN_CONSTANTS_H__
-
-#define LABELSETMAXLEN 512
-#define LABELMAXLEN 128
-#define BUFLEN 1024
-#define BLOCKLEN 128 /* SHA512 */
-#define HASHLEN 64 /* SHA512 */
-#define POINTLEN 32
-#define SCALARLEN 32
-#define RANDLEN 32
-#define SIGNATURELEN 64
-#define VRFSIGNATURELEN 96
-#define VRFOUTPUTLEN 32
-#define MSTART 2048
-#define MSGMAXLEN 1048576
-
-#endif
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h
deleted file mode 100644
index 569ae26f4d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_crypto_additions.h
+++ /dev/null
@@ -1,16 +0,0 @@
-
-#ifndef __GEN_CRYPTO_ADDITIONS__
-#define __GEN_CRYPTO_ADDITIONS__
-
-#include "crypto_uint32.h"
-#include "fe.h"
-#include "ge.h"
-
-int sc_isreduced(const unsigned char* s);
-
-int point_isreduced(const unsigned char* p);
-
-void ge_p3_add(ge_p3 *r, const ge_p3 *p, const ge_p3 *q);
-
-#endif
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c
deleted file mode 100644
index 9755d28ede..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.c
+++ /dev/null
@@ -1,349 +0,0 @@
-#include <string.h>
-#include "gen_eddsa.h"
-#include "gen_labelset.h"
-#include "gen_constants.h"
-#include "gen_crypto_additions.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "zeroize.h"
-#include "ge.h"
-#include "sc.h"
-#include "crypto_additions.h"
-#include "utility.h"
-
-/* B: base point
- * R: commitment (point),
- r: private nonce (scalar)
- K: encoded public key
- k: private key (scalar)
- Z: 32-bytes random
- M: buffer containing message, message starts at M_start, continues for M_len
-
- r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q)
-*/
-int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* K_bytes, const unsigned char* k_scalar,
- const unsigned char* Z,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- ge_p3 R_point;
- unsigned char hash[HASHLEN];
- unsigned char* bufstart = NULL;
- unsigned char* bufptr = NULL;
- unsigned char* bufend = NULL;
- unsigned long prefix_len = 0;
-
- if (labelset_validate(labelset, labelset_len) != 0)
- goto err;
- if (R_bytes == NULL || r_scalar == NULL ||
- K_bytes == NULL || k_scalar == NULL ||
- Z == NULL || M_buf == NULL)
- goto err;
- if (extra == NULL && extra_len != 0)
- goto err;
- if (extra != NULL && extra_len == 0)
- goto err;
- if (extra != NULL && labelset_is_empty(labelset, labelset_len))
- goto err;
- if (HASHLEN != 64)
- goto err;
-
- prefix_len = 0;
- prefix_len += POINTLEN + labelset_len + RANDLEN;
- prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN);
- prefix_len += SCALARLEN;
- prefix_len += ((BLOCKLEN - (prefix_len % BLOCKLEN)) % BLOCKLEN);
- prefix_len += labelset_len + POINTLEN + extra_len;
- if (prefix_len > M_start)
- goto err;
-
- bufstart = M_buf + M_start - prefix_len;
- bufptr = bufstart;
- bufend = M_buf + M_start;
- bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, Z, RANDLEN);
- bufptr = buffer_pad(bufstart, bufptr, bufend);
- bufptr = buffer_add(bufptr, bufend, k_scalar, SCALARLEN);
- bufptr = buffer_pad(bufstart, bufptr, bufend);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, extra, extra_len);
- if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len)
- goto err;
-
- crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len);
- sc_reduce(hash);
- ge_scalarmult_base(&R_point, hash);
- ge_p3_tobytes(R_bytes, &R_point);
- memcpy(r_scalar, hash, SCALARLEN);
-
- zeroize(hash, HASHLEN);
- zeroize(bufstart, prefix_len);
- return 0;
-
-err:
- zeroize(hash, HASHLEN);
- zeroize(M_buf, M_start);
- return -1;
-}
-
-/* if is_labelset_empty(labelset):
- return hash(R || K || M) (mod q)
- else:
- return hash(B || labelset || R || labelset || K || extra || M) (mod q)
-*/
-int generalized_challenge(unsigned char* h_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* R_bytes,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- unsigned char hash[HASHLEN];
- unsigned char* bufstart = NULL;
- unsigned char* bufptr = NULL;
- unsigned char* bufend = NULL;
- unsigned long prefix_len = 0;
-
- if (h_scalar == NULL)
- goto err;
- memset(h_scalar, 0, SCALARLEN);
-
- if (labelset_validate(labelset, labelset_len) != 0)
- goto err;
- if (R_bytes == NULL || K_bytes == NULL || M_buf == NULL)
- goto err;
- if (extra == NULL && extra_len != 0)
- goto err;
- if (extra != NULL && extra_len == 0)
- goto err;
- if (extra != NULL && labelset_is_empty(labelset, labelset_len))
- goto err;
- if (HASHLEN != 64)
- goto err;
-
- if (labelset_is_empty(labelset, labelset_len)) {
- if (2*POINTLEN > M_start)
- goto err;
- if (extra != NULL || extra_len != 0)
- goto err;
- memcpy(M_buf + M_start - (2*POINTLEN), R_bytes, POINTLEN);
- memcpy(M_buf + M_start - (1*POINTLEN), K_bytes, POINTLEN);
- prefix_len = 2*POINTLEN;
- } else {
- prefix_len = 3*POINTLEN + 2*labelset_len + extra_len;
- if (prefix_len > M_start)
- goto err;
-
- bufstart = M_buf + M_start - prefix_len;
- bufptr = bufstart;
- bufend = M_buf + M_start;
- bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, R_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, K_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, extra, extra_len);
-
- if (bufptr == NULL)
- goto err;
- if (bufptr != bufend || bufptr != M_buf + M_start || bufptr - bufstart != prefix_len)
- goto err;
- }
-
- crypto_hash_sha512(hash, M_buf + M_start - prefix_len, prefix_len + M_len);
- sc_reduce(hash);
- memcpy(h_scalar, hash, SCALARLEN);
- return 0;
-
-err:
- return -1;
-}
-
-/* return r + kh (mod q) */
-int generalized_prove(unsigned char* out_scalar,
- const unsigned char* r_scalar, const unsigned char* k_scalar, const unsigned char* h_scalar)
-{
- sc_muladd(out_scalar, h_scalar, k_scalar, r_scalar);
- zeroize_stack();
- return 0;
-}
-
-/* R = s*B - h*K */
-int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out,
- const ge_p3* B_point, const unsigned char* s_scalar,
- const unsigned char* K_bytes, const unsigned char* h_scalar)
-{
-
- ge_p3 Kneg_point;
- ge_p2 R_calc_point_p2;
-
- ge_p3 sB;
- ge_p3 hK;
- ge_p3 R_calc_point_p3;
-
- if (ge_frombytes_negate_vartime(&Kneg_point, K_bytes) != 0)
- return -1;
-
- if (B_point == NULL) {
- ge_double_scalarmult_vartime(&R_calc_point_p2, h_scalar, &Kneg_point, s_scalar);
- ge_tobytes(R_bytes_out, &R_calc_point_p2);
- }
- else {
- // s * Bv
- ge_scalarmult(&sB, s_scalar, B_point);
-
- // h * -K
- ge_scalarmult(&hK, h_scalar, &Kneg_point);
-
- // R = sB - hK
- ge_p3_add(&R_calc_point_p3, &sB, &hK);
- ge_p3_tobytes(R_bytes_out, &R_calc_point_p3);
- }
-
- if (K_point_out) {
- ge_neg(K_point_out, &Kneg_point);
- }
-
- return 0;
-}
-
-
-int generalized_eddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- unsigned char R_bytes[POINTLEN];
- unsigned char r_scalar[SCALARLEN];
- unsigned char h_scalar[SCALARLEN];
- unsigned char s_scalar[SCALARLEN];
- unsigned char* M_buf = NULL;
-
- if (signature_out == NULL)
- goto err;
- memset(signature_out, 0, SIGNATURELEN);
-
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (eddsa_25519_privkey_scalar == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0)
- goto err;
- memcpy(M_buf + MSTART, msg, msg_len);
-
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0,
- customization_label, customization_label_len) != 0)
- goto err;
-
- if (generalized_commit(R_bytes, r_scalar, labelset, labelset_len, NULL, 0,
- eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar,
- random, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_challenge(h_scalar, labelset, labelset_len, NULL, 0,
- R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0)
- goto err;
-
- memcpy(signature_out, R_bytes, POINTLEN);
- memcpy(signature_out + POINTLEN, s_scalar, SCALARLEN);
-
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return 0;
-
-err:
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return -1;
-}
-
-int generalized_eddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- const unsigned char* R_bytes = NULL;
- const unsigned char* s_scalar = NULL;
- unsigned char h_scalar[SCALARLEN];
- unsigned char* M_buf = NULL;
- unsigned char R_calc_bytes[POINTLEN];
-
- if (signature == NULL)
- goto err;
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0)
- goto err;
- memcpy(M_buf + MSTART, msg, msg_len);
-
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN, NULL, 0,
- customization_label, customization_label_len) != 0)
- goto err;
-
- R_bytes = signature;
- s_scalar = signature + POINTLEN;
-
- if (!point_isreduced(eddsa_25519_pubkey_bytes))
- goto err;
- if (!point_isreduced(R_bytes))
- goto err;
- if (!sc_isreduced(s_scalar))
- goto err;
-
- if (generalized_challenge(h_scalar, labelset, labelset_len,
- NULL, 0, R_bytes, eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- if (generalized_solve_commitment(R_calc_bytes, NULL, NULL,
- s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0)
- goto err;
-
- if (crypto_verify_32(R_bytes, R_calc_bytes) != 0)
- goto err;
-
- free(M_buf);
- return 0;
-
-err:
- free(M_buf);
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h
deleted file mode 100644
index 0c281bcac9..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_eddsa.h
+++ /dev/null
@@ -1,65 +0,0 @@
-#ifndef __GEN_EDDSA_H__
-#define __GEN_EDDSA_H__
-
-#include "ge.h"
-
-/* B: base point
- R: commitment (point),
- r: private nonce (scalar)
- K: encoded public key
- k: private key (scalar)
- Z: 32-bytes random
- M: buffer containing message, message starts at M_start, continues for M_len
-
- r = hash(B || labelset || Z || pad1 || k || pad2 || labelset || K || extra || M) (mod q)
-*/
-int generalized_commit(unsigned char* R_bytes, unsigned char* r_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* K_bytes, const unsigned char* k_scalar,
- const unsigned char* Z,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len);
-
-/* if is_labelset_empty(labelset):
- return hash(R || K || M) (mod q)
- else:
- return hash(B || labelset || R || labelset || K || extra || M) (mod q)
-*/
-int generalized_challenge(unsigned char* h_scalar,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* extra, const unsigned long extra_len,
- const unsigned char* R_bytes,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len);
-
-/* return r + kh (mod q) */
-int generalized_prove(unsigned char* out_scalar,
- const unsigned char* r_scalar,
- const unsigned char* k_scalar,
- const unsigned char* h_scalar);
-
-/* R = B^s / K^h */
-int generalized_solve_commitment(unsigned char* R_bytes_out, ge_p3* K_point_out,
- const ge_p3* B_point, const unsigned char* s_scalar,
- const unsigned char* K_bytes, const unsigned char* h_scalar);
-
-
-int generalized_eddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_eddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c
deleted file mode 100644
index b181cad5dc..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.c
+++ /dev/null
@@ -1,157 +0,0 @@
-#include <stdlib.h>
-#include <string.h>
-#include "gen_labelset.h"
-#include "gen_constants.h"
-
-const unsigned char B_bytes[] = {
- 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
- 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
-};
-
-unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend,
- const unsigned char* in, const unsigned long in_len)
-{
- unsigned long count = 0;
-
- if (bufptr == NULL || bufend == NULL || bufptr > bufend)
- return NULL;
- if (in == NULL && in_len != 0)
- return NULL;
- if (bufend - bufptr < in_len)
- return NULL;
-
- for (count=0; count < in_len; count++) {
- if (bufptr >= bufend)
- return NULL;
- *bufptr++ = *in++;
- }
- return bufptr;
-}
-
-unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend)
-{
- unsigned long count = 0;
- unsigned long pad_len = 0;
-
- if (buf == NULL || bufptr == NULL || bufend == NULL || bufptr >= bufend || bufptr < buf)
- return NULL;
-
- pad_len = (BLOCKLEN - ((bufptr-buf) % BLOCKLEN)) % BLOCKLEN;
- if (bufend - bufptr < pad_len)
- return NULL;
-
- for (count=0; count < pad_len; count++) {
- if (bufptr >= bufend)
- return NULL;
- *bufptr++ = 0;
- }
- return bufptr;
-}
-
-int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* protocol_name, const unsigned char protocol_name_len,
- const unsigned char* customization_label, const unsigned char customization_label_len)
-{
- unsigned char* bufptr;
-
- *labelset_len = 0;
- if (labelset == NULL)
- return -1;
- if (labelset_len == NULL)
- return -1;
- if (labelset_maxlen > LABELSETMAXLEN)
- return -1;
- if (labelset_maxlen < 3 + protocol_name_len + customization_label_len)
- return -1;
- if (protocol_name == NULL && protocol_name_len != 0)
- return -1;
- if (customization_label == NULL && customization_label_len != 0)
- return -1;
- if (protocol_name_len > LABELMAXLEN)
- return -1;
- if (customization_label_len > LABELMAXLEN)
- return -1;
-
- bufptr = labelset;
- *bufptr++ = 2;
- *bufptr++ = protocol_name_len;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen, protocol_name, protocol_name_len);
- if (bufptr != NULL && bufptr < labelset + labelset_maxlen)
- *bufptr++ = customization_label_len;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen,
- customization_label, customization_label_len);
-
- if (bufptr != NULL && bufptr - labelset == 3 + protocol_name_len + customization_label_len) {
- *labelset_len = bufptr - labelset;
- return 0;
- }
- return -1;
-}
-
-
-int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* label, const unsigned char label_len)
-{
- unsigned char* bufptr;
- if (labelset_len == NULL)
- return -1;
- if (*labelset_len > LABELSETMAXLEN || labelset_maxlen > LABELSETMAXLEN)
- return -1;
- if (*labelset_len >= labelset_maxlen || *labelset_len + label_len + 1 > labelset_maxlen)
- return -1;
- if (*labelset_len < 3 || labelset_maxlen < 4)
- return -1;
- if (label_len > LABELMAXLEN)
- return -1;
-
- labelset[0]++;
- labelset[*labelset_len] = label_len;
- bufptr = labelset + *labelset_len + 1;
- bufptr = buffer_add(bufptr, labelset + labelset_maxlen, label, label_len);
- if (bufptr == NULL)
- return -1;
- if (bufptr - labelset >= labelset_maxlen)
- return -1;
- if (bufptr - labelset != *labelset_len + 1 + label_len)
- return -1;
-
- *labelset_len += (1 + label_len);
- return 0;
-}
-
-int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len)
-{
- unsigned char num_labels = 0;
- unsigned char count = 0;
- unsigned long offset = 0;
- unsigned char label_len = 0;
-
- if (labelset == NULL)
- return -1;
- if (labelset_len < 3 || labelset_len > LABELSETMAXLEN)
- return -1;
-
- num_labels = labelset[0];
- offset = 1;
- for (count = 0; count < num_labels; count++) {
- label_len = labelset[offset];
- if (label_len > LABELMAXLEN)
- return -1;
- offset += 1 + label_len;
- if (offset > labelset_len)
- return -1;
- }
- if (offset != labelset_len)
- return -1;
- return 0;
-}
-
-int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len)
-{
- if (labelset_len != 3)
- return 0;
- return 1;
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h
deleted file mode 100644
index 6ac40da99d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_labelset.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef __GEN_LABELSET_H__
-#define __GEN_LABELSET_H__
-
-extern const unsigned char B_bytes[];
-
-unsigned char* buffer_add(unsigned char* bufptr, const unsigned char* bufend,
- const unsigned char* in, const unsigned long in_len);
-
-unsigned char* buffer_pad(const unsigned char* buf, unsigned char* bufptr, const unsigned char* bufend);
-
-
-int labelset_new(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* protocol_name, const unsigned char protocol_name_len,
- const unsigned char* customization_label, const unsigned char customization_label_len);
-
-int labelset_add(unsigned char* labelset, unsigned long* labelset_len, const unsigned long labelset_maxlen,
- const unsigned char* label, const unsigned char label_len);
-
-int labelset_validate(const unsigned char* labelset, const unsigned long labelset_len);
-
-int labelset_is_empty(const unsigned char* labelset, const unsigned long labelset_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c
deleted file mode 100644
index 4e79b4859d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.c
+++ /dev/null
@@ -1,312 +0,0 @@
-#include <string.h>
-#include "gen_eddsa.h"
-#include "gen_veddsa.h"
-#include "gen_constants.h"
-#include "gen_labelset.h"
-#include "gen_crypto_additions.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "crypto_additions.h"
-#include "zeroize.h"
-#include "ge.h"
-#include "sc.h"
-#include "utility.h"
-
-static int generalized_calculate_Bv(ge_p3* Bv_point,
- const unsigned char* labelset, const unsigned long labelset_len,
- const unsigned char* K_bytes,
- unsigned char* M_buf, const unsigned long M_start, const unsigned long M_len)
-{
- unsigned char* bufptr;
- unsigned long prefix_len = 0;
-
- if (labelset_validate(labelset, labelset_len) != 0)
- return -1;
- if (Bv_point == NULL || K_bytes == NULL || M_buf == NULL)
- return -1;
-
- prefix_len = 2*POINTLEN + labelset_len;
- if (prefix_len > M_start)
- return -1;
-
- bufptr = M_buf + M_start - prefix_len;
- bufptr = buffer_add(bufptr, M_buf + M_start, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, M_buf + M_start, labelset, labelset_len);
- bufptr = buffer_add(bufptr, M_buf + M_start, K_bytes, POINTLEN);
- if (bufptr == NULL || bufptr != M_buf + M_start)
- return -1;
-
- hash_to_point(Bv_point, M_buf + M_start - prefix_len, prefix_len + M_len);
- if (ge_isneutral(Bv_point))
- return -1;
- return 0;
-}
-
-static int generalized_calculate_vrf_output(unsigned char* vrf_output,
- const unsigned char* labelset, const unsigned long labelset_len,
- const ge_p3* cKv_point)
-{
- unsigned char buf[BUFLEN];
- unsigned char* bufptr = buf;
- unsigned char* bufend = buf + BUFLEN;
- unsigned char cKv_bytes[POINTLEN];
- unsigned char hash[HASHLEN];
-
- if (vrf_output == NULL)
- return -1;
- memset(vrf_output, 0, VRFOUTPUTLEN);
-
- if (labelset_len + 2*POINTLEN > BUFLEN)
- return -1;
- if (labelset_validate(labelset, labelset_len) != 0)
- return -1;
- if (cKv_point == NULL)
- return -1;
- if (VRFOUTPUTLEN > HASHLEN)
- return -1;
-
- ge_p3_tobytes(cKv_bytes, cKv_point);
-
- bufptr = buffer_add(bufptr, bufend, B_bytes, POINTLEN);
- bufptr = buffer_add(bufptr, bufend, labelset, labelset_len);
- bufptr = buffer_add(bufptr, bufend, cKv_bytes, POINTLEN);
- if (bufptr == NULL)
- return -1;
- if (bufptr - buf > BUFLEN)
- return -1;
- crypto_hash_sha512(hash, buf, bufptr - buf);
- memcpy(vrf_output, hash, VRFOUTPUTLEN);
- return 0;
-}
-
-int generalized_veddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- ge_p3 Bv_point;
- ge_p3 Kv_point;
- ge_p3 Rv_point;
- unsigned char Bv_bytes[POINTLEN];
- unsigned char Kv_bytes[POINTLEN];
- unsigned char Rv_bytes[POINTLEN];
- unsigned char R_bytes[POINTLEN];
- unsigned char r_scalar[SCALARLEN];
- unsigned char h_scalar[SCALARLEN];
- unsigned char s_scalar[SCALARLEN];
- unsigned char extra[3*POINTLEN];
- unsigned char* M_buf = NULL;
- char* protocol_name = "VEdDSA_25519_SHA512_Elligator2";
-
- if (signature_out == NULL)
- goto err;
- memset(signature_out, 0, VRFSIGNATURELEN);
-
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (eddsa_25519_privkey_scalar == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0) {
- goto err;
- }
- memcpy(M_buf + MSTART, msg, msg_len);
-
- // labelset = new_labelset(protocol_name, customization_label)
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN,
- (unsigned char*)protocol_name, strlen(protocol_name),
- customization_label, customization_label_len) != 0)
- goto err;
-
- // labelset1 = add_label(labels, "1")
- // Bv = hash(hash(labelset1 || K) || M)
- // Kv = k * Bv
- labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1);
- if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len,
- eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
- ge_scalarmult(&Kv_point, eddsa_25519_privkey_scalar, &Bv_point);
- ge_p3_tobytes(Bv_bytes, &Bv_point);
- ge_p3_tobytes(Kv_bytes, &Kv_point);
-
- // labelset2 = add_label(labels, "2")
- // R, r = commit(labelset2, (Bv || Kv), (K,k), Z, M)
- labelset[labelset_len-1] = (unsigned char)'2';
- memcpy(extra, Bv_bytes, POINTLEN);
- memcpy(extra + POINTLEN, Kv_bytes, POINTLEN);
- if (generalized_commit(R_bytes, r_scalar,
- labelset, labelset_len,
- extra, 2*POINTLEN,
- eddsa_25519_pubkey_bytes, eddsa_25519_privkey_scalar,
- random, M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // Rv = r * Bv
- ge_scalarmult(&Rv_point, r_scalar, &Bv_point);
- ge_p3_tobytes(Rv_bytes, &Rv_point);
-
- // labelset3 = add_label(labels, "3")
- // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M)
- labelset[labelset_len-1] = (unsigned char)'3';
- memcpy(extra + 2*POINTLEN, Rv_bytes, POINTLEN);
- if (generalized_challenge(h_scalar,
- labelset, labelset_len,
- extra, 3*POINTLEN,
- R_bytes, eddsa_25519_pubkey_bytes,
- M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // s = prove(r, k, h)
- if (generalized_prove(s_scalar, r_scalar, eddsa_25519_privkey_scalar, h_scalar) != 0)
- goto err;
-
- // return (Kv || h || s)
- memcpy(signature_out, Kv_bytes, POINTLEN);
- memcpy(signature_out + POINTLEN, h_scalar, SCALARLEN);
- memcpy(signature_out + POINTLEN + SCALARLEN, s_scalar, SCALARLEN);
-
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return 0;
-
-err:
- zeroize(r_scalar, SCALARLEN);
- zeroize_stack();
- free(M_buf);
- return -1;
-}
-
-int generalized_veddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char labelset[LABELSETMAXLEN];
- unsigned long labelset_len = 0;
- const unsigned char* Kv_bytes;
- const unsigned char* h_scalar;
- const unsigned char* s_scalar;
- ge_p3 Bv_point, K_point, Kv_point, cK_point, cKv_point;
- unsigned char Bv_bytes[POINTLEN];
- unsigned char R_calc_bytes[POINTLEN];
- unsigned char Rv_calc_bytes[POINTLEN];
- unsigned char h_calc_scalar[SCALARLEN];
- unsigned char extra[3*POINTLEN];
- unsigned char* M_buf = NULL;
- char* protocol_name = "VEdDSA_25519_SHA512_Elligator2";
-
- if (vrf_out == NULL)
- goto err;
- memset(vrf_out, 0, VRFOUTPUTLEN);
-
- if (signature == NULL)
- goto err;
- if (eddsa_25519_pubkey_bytes == NULL)
- goto err;
- if (msg == NULL)
- goto err;
- if (customization_label == NULL && customization_label_len != 0)
- goto err;
- if (customization_label_len > LABELMAXLEN)
- goto err;
- if (msg_len > MSGMAXLEN)
- goto err;
-
- if ((M_buf = malloc(msg_len + MSTART)) == 0) {
- goto err;
- }
- memcpy(M_buf + MSTART, msg, msg_len);
-
- Kv_bytes = signature;
- h_scalar = signature + POINTLEN;
- s_scalar = signature + POINTLEN + SCALARLEN;
-
- if (!point_isreduced(eddsa_25519_pubkey_bytes))
- goto err;
- if (!point_isreduced(Kv_bytes))
- goto err;
- if (!sc_isreduced(h_scalar))
- goto err;
- if (!sc_isreduced(s_scalar))
- goto err;
-
- // labelset = new_labelset(protocol_name, customization_label)
- if (labelset_new(labelset, &labelset_len, LABELSETMAXLEN,
- (unsigned char*)protocol_name, strlen(protocol_name),
- customization_label, customization_label_len) != 0)
- goto err;
-
- // labelset1 = add_label(labels, "1")
- // Bv = hash(hash(labelset1 || K) || M)
- labelset_add(labelset, &labelset_len, LABELSETMAXLEN, (unsigned char*)"1", 1);
- if (generalized_calculate_Bv(&Bv_point, labelset, labelset_len,
- eddsa_25519_pubkey_bytes, M_buf, MSTART, msg_len) != 0)
- goto err;
- ge_p3_tobytes(Bv_bytes, &Bv_point);
-
- // R = solve_commitment(B, s, K, h)
- if (generalized_solve_commitment(R_calc_bytes, &K_point, NULL,
- s_scalar, eddsa_25519_pubkey_bytes, h_scalar) != 0)
- goto err;
-
- // Rv = solve_commitment(Bv, s, Kv, h)
- if (generalized_solve_commitment(Rv_calc_bytes, &Kv_point, &Bv_point,
- s_scalar, Kv_bytes, h_scalar) != 0)
- goto err;
-
- ge_scalarmult_cofactor(&cK_point, &K_point);
- ge_scalarmult_cofactor(&cKv_point, &Kv_point);
- if (ge_isneutral(&cK_point) || ge_isneutral(&cKv_point) || ge_isneutral(&Bv_point))
- goto err;
-
- // labelset3 = add_label(labels, "3")
- // h = challenge(labelset3, (Bv || Kv || Rv), R, K, M)
- labelset[labelset_len-1] = (unsigned char)'3';
- memcpy(extra, Bv_bytes, POINTLEN);
- memcpy(extra + POINTLEN, Kv_bytes, POINTLEN);
- memcpy(extra + 2*POINTLEN, Rv_calc_bytes, POINTLEN);
- if (generalized_challenge(h_calc_scalar,
- labelset, labelset_len,
- extra, 3*POINTLEN,
- R_calc_bytes, eddsa_25519_pubkey_bytes,
- M_buf, MSTART, msg_len) != 0)
- goto err;
-
- // if bytes_equal(h, h')
- if (crypto_verify_32(h_scalar, h_calc_scalar) != 0)
- goto err;
-
- // labelset4 = add_label(labels, "4")
- // v = hash(labelset4 || c*Kv)
- labelset[labelset_len-1] = (unsigned char)'4';
- if (generalized_calculate_vrf_output(vrf_out, labelset, labelset_len, &cKv_point) != 0)
- goto err;
-
- free(M_buf);
- return 0;
-
-err:
- free(M_buf);
- return -1;
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h
deleted file mode 100644
index 1bc27a6e2b..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_veddsa.h
+++ /dev/null
@@ -1,23 +0,0 @@
-#ifndef __GEN_VEDDSA_H__
-#define __GEN_VEDDSA_H__
-
-int generalized_veddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* eddsa_25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_veddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* eddsa_25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c
deleted file mode 100644
index d4df5c1f1f..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.c
+++ /dev/null
@@ -1,131 +0,0 @@
-#include <string.h>
-#include "crypto_additions.h"
-#include "gen_x.h"
-#include "gen_constants.h"
-#include "gen_eddsa.h"
-#include "gen_veddsa.h"
-#include "gen_crypto_additions.h"
-#include "zeroize.h"
-
-static int convert_25519_pubkey(unsigned char* ed_pubkey_bytes, const unsigned char* x25519_pubkey_bytes) {
- fe u;
- fe y;
-
- /* Convert the X25519 public key into an Ed25519 public key.
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- if (!fe_isreduced(x25519_pubkey_bytes))
- return -1;
- fe_frombytes(u, x25519_pubkey_bytes);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey_bytes, y);
- return 0;
-}
-
-static int calculate_25519_keypair(unsigned char* K_bytes, unsigned char* k_scalar,
- const unsigned char* x25519_privkey_scalar)
-{
- unsigned char kneg[SCALARLEN];
- ge_p3 ed_pubkey_point;
- unsigned char sign_bit = 0;
-
- if (SCALARLEN != 32)
- return -1;
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, x25519_privkey_scalar);
- ge_p3_tobytes(K_bytes, &ed_pubkey_point);
-
- /* Force Edwards sign bit to zero */
- sign_bit = (K_bytes[31] & 0x80) >> 7;
- memcpy(k_scalar, x25519_privkey_scalar, 32);
- sc_neg(kneg, k_scalar);
- sc_cmov(k_scalar, kneg, sign_bit);
- K_bytes[31] &= 0x7F;
-
- zeroize(kneg, SCALARLEN);
- return 0;
-}
-
-int generalized_xeddsa_25519_sign(unsigned char* signature_out,
- const unsigned char* x25519_privkey_scalar,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
- unsigned char k_scalar[SCALARLEN];
- int retval = -1;
-
- if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0)
- return -1;
-
- retval = generalized_eddsa_25519_sign(signature_out,
- K_bytes, k_scalar,
- msg, msg_len, random,
- customization_label, customization_label_len);
- zeroize(k_scalar, SCALARLEN);
- return retval;
-}
-
-int generalized_xveddsa_25519_sign(
- unsigned char* signature_out,
- const unsigned char* x25519_privkey_scalar,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
- unsigned char k_scalar[SCALARLEN];
- int retval = -1;
-
- if (calculate_25519_keypair(K_bytes, k_scalar, x25519_privkey_scalar) != 0)
- return -1;
-
- retval = generalized_veddsa_25519_sign(signature_out, K_bytes, k_scalar,
- msg, msg_len, random,
- customization_label, customization_label_len);
- zeroize(k_scalar, SCALARLEN);
- return retval;
-}
-
-int generalized_xeddsa_25519_verify(
- const unsigned char* signature,
- const unsigned char* x25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
-
- if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0)
- return -1;
-
- return generalized_eddsa_25519_verify(signature, K_bytes, msg, msg_len,
- customization_label, customization_label_len);
-}
-
-int generalized_xveddsa_25519_verify(
- unsigned char* vrf_out,
- const unsigned char* signature,
- const unsigned char* x25519_pubkey_bytes,
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len)
-{
- unsigned char K_bytes[POINTLEN];
-
- if (convert_25519_pubkey(K_bytes, x25519_pubkey_bytes) != 0)
- return -1;
-
- return generalized_veddsa_25519_verify(vrf_out, signature, K_bytes, msg, msg_len,
- customization_label, customization_label_len);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h
deleted file mode 100644
index 3c4c04cb6c..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/gen_x.h
+++ /dev/null
@@ -1,37 +0,0 @@
-#ifndef __GEN_X_H
-#define __GEN_X_H
-
-int generalized_xeddsa_25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* x25519_privkey_scalar, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random, /* 32 bytes */
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xeddsa_25519_verify(
- const unsigned char* signature, /* 64 bytes */
- const unsigned char* x25519_pubkey_bytes, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xveddsa_25519_sign(
- unsigned char* signature_out, /* 96 bytes */
- const unsigned char* x25519_privkey_scalar, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* random, /* 32 bytes */
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-int generalized_xveddsa_25519_verify(
- unsigned char* vrf_out, /* 32 bytes */
- const unsigned char* signature, /* 96 bytes */
- const unsigned char* x25519_pubkey_bytes, /* 32 bytes */
- const unsigned char* msg,
- const unsigned long msg_len,
- const unsigned char* customization_label,
- const unsigned long customization_label_len);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c
deleted file mode 100644
index 5541ffebbb..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/point_isreduced.c
+++ /dev/null
@@ -1,12 +0,0 @@
-#include<string.h>
-#include "fe.h"
-#include "crypto_additions.h"
-
-int point_isreduced(const unsigned char* p)
-{
- unsigned char strict[32];
-
- memmove(strict, p, 32);
- strict[31] &= 0x7F; /* mask off sign bit */
- return fe_isreduced(strict);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c b/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c
deleted file mode 100644
index 24193808ad..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/generalized/sc_isreduced.c
+++ /dev/null
@@ -1,17 +0,0 @@
-#include <string.h>
-#include "fe.h"
-#include "sc.h"
-#include "crypto_additions.h"
-#include "crypto_verify_32.h"
-
-int sc_isreduced(const unsigned char* s)
-{
- unsigned char strict[64];
-
- memset(strict, 0, 64);
- memmove(strict, s, 32);
- sc_reduce(strict);
- if (crypto_verify_32(strict, s) != 0)
- return 0;
- return 1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
deleted file mode 100644
index de7cdcd598..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "ge.h"
-#include "keygen.h"
-#include "crypto_additions.h"
-
-void curve25519_keygen(unsigned char* curve25519_pubkey_out,
- const unsigned char* curve25519_privkey_in)
-{
- /* Perform a fixed-base multiplication of the Edwards base point,
- (which is efficient due to precalculated tables), then convert
- to the Curve25519 montgomery-format public key.
-
- NOTE: y=1 is converted to u=0 since fe_invert is mod-exp
- */
-
- ge_p3 ed; /* Ed25519 pubkey point */
- fe u;
-
- ge_scalarmult_base(&ed, curve25519_privkey_in);
- ge_p3_to_montx(u, &ed);
- fe_tobytes(curve25519_pubkey_out, u);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h b/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
deleted file mode 100644
index e86e7c5582..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/keygen.h
+++ /dev/null
@@ -1,12 +0,0 @@
-
-#ifndef __KEYGEN_H__
-#define __KEYGEN_H__
-
-/* Sets and clears bits to make a random 32 bytes into a private key */
-void sc_clamp(unsigned char* a);
-
-/* The private key should be 32 random bytes "clamped" by sc_clamp() */
-void curve25519_keygen(unsigned char* curve25519_pubkey_out, /* 32 bytes */
- const unsigned char* curve25519_privkey_in); /* 32 bytes */
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
deleted file mode 100644
index a156098191..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/open_modified.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include <string.h>
-#include "crypto_sign.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_verify_32.h"
-#include "ge.h"
-#include "sc.h"
-#include "crypto_additions.h"
-
-int crypto_sign_open_modified(
- unsigned char *m,
- const unsigned char *sm,unsigned long long smlen,
- const unsigned char *pk
-)
-{
- unsigned char pkcopy[32];
- unsigned char rcopy[32];
- unsigned char scopy[32];
- unsigned char h[64];
- unsigned char rcheck[32];
- ge_p3 A;
- ge_p2 R;
-
- if (smlen < 64) goto badsig;
- if (sm[63] & 224) goto badsig; /* strict parsing of s */
- if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
-
- memmove(pkcopy,pk,32);
- memmove(rcopy,sm,32);
- memmove(scopy,sm + 32,32);
-
- memmove(m,sm,smlen);
- memmove(m + 32,pkcopy,32);
- crypto_hash_sha512(h,m,smlen);
- sc_reduce(h);
-
- ge_double_scalarmult_vartime(&R,h,&A,scopy);
- ge_tobytes(rcheck,&R);
-
- if (crypto_verify_32(rcheck,rcopy) == 0) {
- return 0;
- }
-
-badsig:
- return -1;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
deleted file mode 100644
index 7788be9071..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_clamp.c
+++ /dev/null
@@ -1,8 +0,0 @@
-#include "crypto_additions.h"
-
-void sc_clamp(unsigned char* a)
-{
- a[0] &= 248;
- a[31] &= 127;
- a[31] |= 64;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
deleted file mode 100644
index 443a5bb71e..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_cmov.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_additions.h"
-
-/*
-Replace (f,g) with (g,g) if b == 1;
-replace (f,g) with (f,g) if b == 0.
-
-Preconditions: b in {0,1}.
-*/
-
-void sc_cmov(unsigned char* f, const unsigned char* g, unsigned char b)
-{
- int count=32;
- unsigned char x[32];
- for (count=0; count < 32; count++)
- x[count] = f[count] ^ g[count];
- b = -b;
- for (count=0; count < 32; count++)
- x[count] &= b;
- for (count=0; count < 32; count++)
- f[count] = f[count] ^ x[count];
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
deleted file mode 100644
index ef407d405e..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sc_neg.c
+++ /dev/null
@@ -1,25 +0,0 @@
-#include <string.h>
-#include "crypto_additions.h"
-#include "sc.h"
-
-/* l = order of base point = 2^252 + 27742317777372353535851937790883648493 */
-
-/*
-static unsigned char l[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
- 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0, 0x10};
-*/
-
-static unsigned char lminus1[32] = {0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
- 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10};
-
-/* b = -a (mod l) */
-void sc_neg(unsigned char *b, const unsigned char *a)
-{
- unsigned char zero[32];
- memset(zero, 0, 32);
- sc_muladd(b, lminus1, a, zero); /* b = (-1)a + 0 (mod l) */
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c b/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
deleted file mode 100644
index b2fb8c20d3..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/sign_modified.c
+++ /dev/null
@@ -1,53 +0,0 @@
-#include <string.h>
-#include "crypto_sign.h"
-#include "crypto_hash_sha512.h"
-#include "ge.h"
-#include "sc.h"
-#include "zeroize.h"
-#include "crypto_additions.h"
-
-/* NEW: Compare to pristine crypto_sign()
- Uses explicit private key for nonce derivation and as scalar,
- instead of deriving both from a master key.
-*/
-int crypto_sign_modified(
- unsigned char *sm,
- const unsigned char *m,unsigned long long mlen,
- const unsigned char *sk, const unsigned char* pk,
- const unsigned char* random
-)
-{
- unsigned char nonce[64];
- unsigned char hram[64];
- ge_p3 R;
- int count=0;
-
- memmove(sm + 64,m,mlen);
- memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */
-
- /* NEW : add prefix to separate hash uses - see .h */
- sm[0] = 0xFE;
- for (count = 1; count < 32; count++)
- sm[count] = 0xFF;
-
- /* NEW: add suffix of random data */
- memmove(sm + mlen + 64, random, 64);
-
- crypto_hash_sha512(nonce,sm,mlen + 128);
- memmove(sm + 32,pk,32);
-
- sc_reduce(nonce);
-
- ge_scalarmult_base(&R,nonce);
- ge_p3_tobytes(sm,&R);
-
- crypto_hash_sha512(hram,sm,mlen + 64);
- sc_reduce(hram);
- sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */
-
- /* Erase any traces of private scalar or
- nonce left in the stack from sc_muladd */
- zeroize_stack();
- zeroize(nonce, 64);
- return 0;
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c
deleted file mode 100644
index c59099a9e3..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.c
+++ /dev/null
@@ -1,29 +0,0 @@
-#include <stdlib.h>
-#include <stdio.h>
-#include "utility.h"
-
-void print_vector(const char* name, const unsigned char* v)
-{
- int count;
- printf("%s = \n", name);
- for (count = 0; count < 32; count++)
- printf("%02x ", v[count]);
- printf("\n");
-}
-
-void print_bytes(const char* name, const unsigned char* v, int numbytes)
-{
- int count;
- printf("%s = \n", name);
- for (count = 0; count < numbytes; count++)
- printf("%02x ", v[count]);
- printf("\n");
-}
-
-void print_fe(const char* name, const fe in)
-{
- unsigned char bytes[32];
- fe_tobytes(bytes, in);
- print_vector(name, bytes);
-}
-
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h b/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
deleted file mode 100644
index 35348782df..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/utility.h
+++ /dev/null
@@ -1,11 +0,0 @@
-
-#ifndef __UTILITY_H__
-#define __UTILITY_H__
-
-#include "fe.h"
-
-void print_vector(const char* name, const unsigned char* v);
-void print_bytes(const char* name, const unsigned char* v, int numbytes);
-void print_fe(const char* name, const fe in);
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
deleted file mode 100644
index 63b73bf2ed..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.c
+++ /dev/null
@@ -1,80 +0,0 @@
-#include <string.h>
-#include "ge.h"
-#include "crypto_additions.h"
-#include "zeroize.h"
-#include "xeddsa.h"
-#include "crypto_verify_32.h"
-
-int xed25519_sign(unsigned char* signature_out,
- const unsigned char* curve25519_privkey,
- const unsigned char* msg, const unsigned long msg_len,
- const unsigned char* random)
-{
- unsigned char a[32], aneg[32];
- unsigned char A[32];
- ge_p3 ed_pubkey_point;
- unsigned char *sigbuf; /* working buffer */
- unsigned char sign_bit = 0;
-
- if ((sigbuf = malloc(msg_len + 128)) == 0) {
- memset(signature_out, 0, 64);
- return -1;
- }
-
- /* Convert the Curve25519 privkey to an Ed25519 public key */
- ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
- ge_p3_tobytes(A, &ed_pubkey_point);
-
- /* Force Edwards sign bit to zero */
- sign_bit = (A[31] & 0x80) >> 7;
- memcpy(a, curve25519_privkey, 32);
- sc_neg(aneg, a);
- sc_cmov(a, aneg, sign_bit);
- A[31] &= 0x7F;
-
- /* Perform an Ed25519 signature with explicit private key */
- crypto_sign_modified(sigbuf, msg, msg_len, a, A, random);
- memmove(signature_out, sigbuf, 64);
-
- zeroize(a, 32);
- zeroize(aneg, 32);
- free(sigbuf);
- return 0;
-}
-
-int xed25519_verify(const unsigned char* signature,
- const unsigned char* curve25519_pubkey,
- const unsigned char* msg, const unsigned long msg_len)
-{
- fe u;
- fe y;
- unsigned char ed_pubkey[32];
- unsigned char verifybuf[MAX_MSG_LEN + 64]; /* working buffer */
- unsigned char verifybuf2[MAX_MSG_LEN + 64]; /* working buffer #2 */
-
- if (msg_len > MAX_MSG_LEN) {
- return -1;
- }
-
- /* Convert the Curve25519 public key into an Ed25519 public key.
-
- y = (u - 1) / (u + 1)
-
- NOTE: u=-1 is converted to y=0 since fe_invert is mod-exp
- */
- if (!fe_isreduced(curve25519_pubkey))
- return -1;
- fe_frombytes(u, curve25519_pubkey);
- fe_montx_to_edy(y, u);
- fe_tobytes(ed_pubkey, y);
-
- memmove(verifybuf, signature, 64);
- memmove(verifybuf+64, msg, msg_len);
-
- /* Then perform a normal Ed25519 verification, return 0 on success */
- /* The below call has a strange API: */
- /* verifybuf = R || S || message */
- /* verifybuf2 = internal to next call gets a copy of verifybuf, S gets
- replaced with pubkey for hashing */
- return crypto_sign_open_modified(verifybuf2, verifybuf, 64 + msg_len, ed_pubkey);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h b/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
deleted file mode 100644
index b86d7f0d9d..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/xeddsa.h
+++ /dev/null
@@ -1,16 +0,0 @@
-
-#ifndef __XEDDSA_H__
-#define __XEDDSA_H__
-
-/* returns 0 on success */
-int xed25519_sign(unsigned char* signature_out, /* 64 bytes */
- const unsigned char* curve25519_privkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len, /* <= 256 bytes */
- const unsigned char* random); /* 64 bytes */
-
-/* returns 0 on success */
-int xed25519_verify(const unsigned char* signature, /* 64 bytes */
- const unsigned char* curve25519_pubkey, /* 32 bytes */
- const unsigned char* msg, const unsigned long msg_len); /* <= 256 bytes */
-
-#endif
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
deleted file mode 100644
index 187e725eb5..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "zeroize.h"
-
-void zeroize(unsigned char* b, size_t len)
-{
- size_t count = 0;
- volatile unsigned char *p = b;
-
- for (count = 0; count < len; count++)
- p[count] = 0;
-}
-
-void zeroize_stack()
-{
- unsigned char m[ZEROIZE_STACK_SIZE];
- zeroize(m, ZEROIZE_STACK_SIZE);
-}
diff --git a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h b/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
deleted file mode 100644
index 0db68bb4c6..0000000000
--- a/libs/libaxolotl/src/curve25519/ed25519/additions/zeroize.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef __ZEROIZE_H__
-#define __ZEROIZE_H__
-
-#include <stdlib.h>
-
-#define ZEROIZE_STACK_SIZE 1024
-
-void zeroize(unsigned char* b, size_t len);
-
-void zeroize_stack();
-
-#endif