Lines Matching refs:ret
63 int ret; in dom() local
65 MUST_HAVE((h != NULL) && (h_ctx != NULL), ret, err); in dom()
67 MUST_HAVE((x <= 255) && (olen_y <= 255), ret, err); in dom()
70 ret = h->hfunc_update(h_ctx, (const u8*)"SigEd25519 no Ed25519 collisions", 32); EG(ret, err); in dom()
73 ret = h->hfunc_update(h_ctx, (const u8*)"SigEd448", 8); EG(ret, err); in dom()
76 ret = -1; in dom()
81 ret = h->hfunc_update(h_ctx, tmp, 2); EG(ret, err); in dom()
83 ret = h->hfunc_update(h_ctx, y, olen_y); EG(ret, err); in dom()
87 return ret; in dom()
162 int ret; in eddsa_key_type_check_curve() local
170 ret = (curve_type == WEI25519) ? 0 : -1; in eddsa_key_type_check_curve()
178 ret = (curve_type == WEI448) ? 0 : -1; in eddsa_key_type_check_curve()
183 ret = -1; in eddsa_key_type_check_curve()
188 return ret; in eddsa_key_type_check_curve()
193 int ret; in eddsa_priv_key_sanity_check() local
195 ret = priv_key_check_initialized(in_priv); EG(ret, err); in eddsa_priv_key_sanity_check()
196 ret = eddsa_key_type_check_curve(in_priv->key_type, in eddsa_priv_key_sanity_check()
200 return ret; in eddsa_priv_key_sanity_check()
205 int ret; in eddsa_pub_key_sanity_check() local
208 ret = pub_key_check_initialized(in_pub); EG(ret, err); in eddsa_pub_key_sanity_check()
209 ret = eddsa_key_type_check_curve(in_pub->key_type, in eddsa_pub_key_sanity_check()
213 return ret; in eddsa_pub_key_sanity_check()
218 int ret; in eddsa_key_pair_sanity_check() local
220 MUST_HAVE((key_pair != NULL), ret, err); in eddsa_key_pair_sanity_check()
221 ret = eddsa_priv_key_sanity_check(&(key_pair->priv_key)); EG(ret, err); in eddsa_key_pair_sanity_check()
222 ret = eddsa_pub_key_sanity_check(&(key_pair->pub_key)); EG(ret, err); in eddsa_key_pair_sanity_check()
223 MUST_HAVE((key_pair->priv_key.key_type == key_pair->pub_key.key_type), ret, err); in eddsa_key_pair_sanity_check()
226 return ret; in eddsa_key_pair_sanity_check()
236 int ret; in eddsa_decode_integer() local
238 MUST_HAVE((buf != NULL), ret, err); in eddsa_decode_integer()
239 MUST_HAVE((sizeof(buf_little_endian) >= buf_size), ret, err); in eddsa_decode_integer()
241 ret = nn_init(nn_out, 0); EG(ret, err); in eddsa_decode_integer()
243 ret = local_memset(buf_little_endian, 0, sizeof(buf_little_endian)); EG(ret, err); in eddsa_decode_integer()
252 ret = nn_init_from_buf(nn_out, buf_little_endian, buf_size); in eddsa_decode_integer()
255 return ret; in eddsa_decode_integer()
265 int ret; in eddsa_encode_integer() local
268 MUST_HAVE((buf != NULL), ret, err); in eddsa_encode_integer()
269 ret = nn_check_initialized(nn_in); EG(ret, err); in eddsa_encode_integer()
272 ret = nn_bitlen(nn_in, &blen); EG(ret, err); in eddsa_encode_integer()
273 MUST_HAVE((((u32)blen) <= (8 * (u32)buf_size)), ret, err); in eddsa_encode_integer()
276 ret = nn_export_to_buf(buf, buf_size, nn_in); EG(ret, err); in eddsa_encode_integer()
288 return ret; in eddsa_encode_integer()
296 int ret; in eddsa_compute_s() local
298 MUST_HAVE((digest != NULL), ret, err); in eddsa_compute_s()
299 MUST_HAVE(((digest_size % 2) == 0), ret, err); in eddsa_compute_s()
302 ret = eddsa_decode_integer(s, digest, (digest_size / 2)); EG(ret, err); in eddsa_compute_s()
305 return ret; in eddsa_compute_s()
311 int ret; in eddsa_get_digest_from_priv_key() local
315 MUST_HAVE(((digest != NULL) && (digest_size != NULL)), ret, err); in eddsa_get_digest_from_priv_key()
316 ret = eddsa_priv_key_sanity_check(in_priv); EG(ret, err); in eddsa_get_digest_from_priv_key()
318 MUST_HAVE(((hash_type = get_eddsa_hash_type(in_priv->key_type)) != UNKNOWN_HASH_ALG), ret, err); in eddsa_get_digest_from_priv_key()
319 ret = get_hash_by_type(hash_type, &hash); EG(ret, err); in eddsa_get_digest_from_priv_key()
320 MUST_HAVE((hash != NULL), ret, err); in eddsa_get_digest_from_priv_key()
323 MUST_HAVE(((*digest_size) >= hash->digest_size), ret, err); in eddsa_get_digest_from_priv_key()
326 ret = nn_export_to_buf(digest, *digest_size, &(in_priv->x)); in eddsa_get_digest_from_priv_key()
329 return ret; in eddsa_get_digest_from_priv_key()
340 int ret; in eddsa_encode_point() local
344 MUST_HAVE((buf != NULL), ret, err); in eddsa_encode_point()
345 ret = aff_pt_edwards_check_initialized(in); EG(ret, err); in eddsa_encode_point()
346 ret = fp_check_initialized(alpha_edwards); EG(ret, err); in eddsa_encode_point()
349 ret = local_memset(buf, 0, buflen); EG(ret, err); in eddsa_encode_point()
350 ret = nn_init(&out_reduced, 0); EG(ret, err); in eddsa_encode_point()
372 ret = fp_init(&y1, in->y.ctx); EG(ret, err1); in eddsa_encode_point()
373 ret = fp_copy(&tmp_x, &(in->x)); EG(ret, err1); in eddsa_encode_point()
374 ret = fp_sqr(&tmp_x, &tmp_x); EG(ret, err1); in eddsa_encode_point()
375 ret = fp_copy(&tmp_y, &(in->y)); EG(ret, err1); in eddsa_encode_point()
376 ret = fp_sqr(&tmp_y, &tmp_y); EG(ret, err1); in eddsa_encode_point()
377 ret = fp_sub(&tmp_y, &tmp_y, &tmp_x); EG(ret, err1); in eddsa_encode_point()
379 ret = fp_inv(&tmp_y, &tmp_y); EG(ret, err1); in eddsa_encode_point()
380 ret = fp_set_word_value(&tmp_x, WORD(4)); EG(ret, err1); in eddsa_encode_point()
381 ret = fp_mul(&tmp_x, &tmp_x, &(in->x)); EG(ret, err1); in eddsa_encode_point()
382 ret = fp_mul(&tmp_x, &tmp_x, &(in->y)); EG(ret, err1); in eddsa_encode_point()
383 ret = fp_mul(&tmp_x, &tmp_x, &tmp_y); EG(ret, err1); in eddsa_encode_point()
384 ret = fp_inv(&tmp_y, alpha_edwards); EG(ret, err1); in eddsa_encode_point()
385 ret = fp_mul(&tmp_x, &tmp_x, &tmp_y); EG(ret, err1); in eddsa_encode_point()
386 ret = nn_getbit(&(tmp_x.fp_val), 0, &lsb); EG(ret, err1); in eddsa_encode_point()
388 ret = fp_copy(&tmp_x, &(in->x)); EG(ret, err1); in eddsa_encode_point()
389 ret = fp_sqr(&tmp_x, &tmp_x); EG(ret, err1); in eddsa_encode_point()
390 ret = fp_copy(&tmp_y, &(in->y)); EG(ret, err1); in eddsa_encode_point()
391 ret = fp_sqr(&tmp_y, &tmp_y); EG(ret, err1); in eddsa_encode_point()
392 ret = fp_set_word_value(&y1, WORD(2)); EG(ret, err1); in eddsa_encode_point()
393 ret = fp_sub(&y1, &y1, &tmp_x); EG(ret, err1); in eddsa_encode_point()
394 ret = fp_sub(&y1, &y1, &tmp_y); EG(ret, err1); in eddsa_encode_point()
395 ret = fp_add(&tmp_x, &tmp_x, &tmp_y); EG(ret, err1); in eddsa_encode_point()
397 ret = fp_inv(&tmp_x, &tmp_x); EG(ret, err1); in eddsa_encode_point()
398 ret = fp_mul(&y1, &y1, &tmp_x); EG(ret, err1); in eddsa_encode_point()
399 ret = eddsa_encode_integer(&(y1.fp_val), buf, buflen); in eddsa_encode_point()
404 EG(ret, err); in eddsa_encode_point()
410 ret = nn_getbit(&(in->x.fp_val), 0, &lsb); EG(ret, err); in eddsa_encode_point()
411 ret = eddsa_encode_integer(&(in->y.fp_val), buf, buflen); EG(ret, err); in eddsa_encode_point()
417 MUST_HAVE((buflen > 1), ret, err); in eddsa_encode_point()
423 return ret; in eddsa_encode_point()
436 int ret, iszero; in eddsa_decode_point() local
444 MUST_HAVE((buf != NULL), ret, err); in eddsa_decode_point()
446 ret = ec_edwards_crv_check_initialized(edwards_curve); EG(ret, err); in eddsa_decode_point()
448 ret = fp_check_initialized(alpha_edwards); EG(ret, err); in eddsa_decode_point()
453 MUST_HAVE((sizeof(buf_little_endian) >= buflen), ret, err); in eddsa_decode_point()
456 MUST_HAVE((buflen > 1), ret, err); in eddsa_decode_point()
466 ret = fp_init_from_buf(&y, edwards_curve->a.ctx, buf_little_endian, buflen); EG(ret, err); in eddsa_decode_point()
472 ret = fp_init(&sqrt1, edwards_curve->a.ctx); EG(ret, err); in eddsa_decode_point()
473 ret = fp_init(&sqrt2, edwards_curve->a.ctx); EG(ret, err); in eddsa_decode_point()
474 ret = fp_init(&x, edwards_curve->a.ctx); EG(ret, err); in eddsa_decode_point()
488 ret = fp_init(&tmp, edwards_curve->a.ctx); EG(ret, err); in eddsa_decode_point()
493 ret = fp_init_from_buf(&tmp, edwards_curve->a.ctx, in eddsa_decode_point()
494 (const u8*)d_edwards448_buff, sizeof(d_edwards448_buff)); EG(ret, err); in eddsa_decode_point()
495 …ret = ec_edwards_crv_init(&edwards_curve_edwards448, &(edwards_curve->a), &tmp, &(edwards_curve->o… in eddsa_decode_point()
497 …ret = aff_pt_edwards_x_from_y(&sqrt1, &sqrt2, &y, &edwards_curve_edwards448); EG(ret, err); /* Err… in eddsa_decode_point()
504 …ret = aff_pt_edwards_x_from_y(&sqrt1, &sqrt2, &y, edwards_curve); EG(ret, err); /* Error or no squ… in eddsa_decode_point()
507 ret = nn_getbit(&(sqrt1.fp_val), 0, &lsb); EG(ret, err); in eddsa_decode_point()
509 ret = fp_copy(&x, &sqrt1); EG(ret, err); in eddsa_decode_point()
512 ret = fp_copy(&x, &sqrt2); EG(ret, err); in eddsa_decode_point()
515 ret = fp_iszero(&x, &iszero); EG(ret, err); in eddsa_decode_point()
516 MUST_HAVE(!(iszero && (x_0 == 1)), ret, err); in eddsa_decode_point()
530 ret = fp_copy(&sqrt1, &x); EG(ret, err); in eddsa_decode_point()
531 ret = fp_copy(&sqrt2, &y); EG(ret, err); in eddsa_decode_point()
533 ret = fp_set_word_value(&x, WORD(2)); EG(ret, err); in eddsa_decode_point()
534 ret = fp_sqr(&tmp, &sqrt1); EG(ret, err); in eddsa_decode_point()
535 ret = fp_sub(&x, &x, &tmp); EG(ret, err); in eddsa_decode_point()
536 ret = fp_sqr(&tmp, &sqrt2); EG(ret, err); in eddsa_decode_point()
537 ret = fp_sub(&x, &x, &tmp); EG(ret, err); in eddsa_decode_point()
539 ret = fp_inv(&x, &x); EG(ret, err); in eddsa_decode_point()
540 ret = fp_mul(&x, &x, &sqrt1); EG(ret, err); in eddsa_decode_point()
541 ret = fp_mul(&x, &x, &sqrt2); EG(ret, err); in eddsa_decode_point()
542 ret = fp_mul(&x, &x, alpha_edwards); EG(ret, err); in eddsa_decode_point()
544 ret = fp_sqr(&sqrt1, &sqrt1); EG(ret, err); in eddsa_decode_point()
545 ret = fp_sqr(&sqrt2, &sqrt2); EG(ret, err); in eddsa_decode_point()
546 ret = fp_sub(&y, &sqrt2, &sqrt1); EG(ret, err); in eddsa_decode_point()
548 ret = fp_inv(&y, &y); EG(ret, err); in eddsa_decode_point()
549 ret = fp_add(&sqrt1, &sqrt1, &sqrt2); EG(ret, err); in eddsa_decode_point()
550 ret = fp_mul(&y, &y, &sqrt1); EG(ret, err); in eddsa_decode_point()
555 ret = aff_pt_edwards_init_from_coords(out, edwards_curve, &x, &y); in eddsa_decode_point()
566 return ret; in eddsa_decode_point()
579 int ret; in eddsa_derive_priv_key_hash() local
583 MUST_HAVE((buf != NULL), ret, err); in eddsa_derive_priv_key_hash()
584 ret = eddsa_priv_key_sanity_check(in_priv); EG(ret, err); in eddsa_derive_priv_key_hash()
586 MUST_HAVE(((hash_type = get_eddsa_hash_type(in_priv->key_type)) != UNKNOWN_HASH_ALG), ret, err); in eddsa_derive_priv_key_hash()
587 ret = get_hash_by_type(hash_type, &hash); EG(ret, err); in eddsa_derive_priv_key_hash()
588 MUST_HAVE((hash != NULL), ret, err); in eddsa_derive_priv_key_hash()
591 ret = local_memset(x_buf, 0, sizeof(x_buf)); EG(ret, err); in eddsa_derive_priv_key_hash()
592 MUST_HAVE((sizeof(x_buf) >= (hash->digest_size / 2)), ret, err); in eddsa_derive_priv_key_hash()
594 ret = ec_priv_key_export_to_buf(in_priv, x_buf, (hash->digest_size / 2)); EG(ret, err); in eddsa_derive_priv_key_hash()
596 ret = hash_mapping_callbacks_sanity_check(hash); EG(ret, err); in eddsa_derive_priv_key_hash()
598 MUST_HAVE((buflen >= hash->digest_size), ret, err); in eddsa_derive_priv_key_hash()
602 ret = hash->hfunc_scattered(in, in_len, buf); in eddsa_derive_priv_key_hash()
607 return ret; in eddsa_derive_priv_key_hash()
616 int ret, cmp; in eddsa_derive_priv_key() local
623 ret = eddsa_priv_key_sanity_check(priv_key); EG(ret, err); in eddsa_derive_priv_key()
628 MUST_HAVE(((hash_type = get_eddsa_hash_type(priv_key->key_type)) != UNKNOWN_HASH_ALG), ret, err); in eddsa_derive_priv_key()
631 ret = get_hash_sizes(hash_type, &digest_size, NULL); EG(ret, err); in eddsa_derive_priv_key()
633 MUST_HAVE(((2 * priv_key->params->ec_fp.p_bitlen) < (8 * (bitcnt_t)digest_size)), ret, err); in eddsa_derive_priv_key()
634 MUST_HAVE(((digest_size % 2) == 0), ret, err); in eddsa_derive_priv_key()
635 MUST_HAVE((digest_size <= sizeof(digest)), ret, err); in eddsa_derive_priv_key()
642 ret = eddsa_derive_priv_key_hash(priv_key, digest, digest_size); EG(ret, err); in eddsa_derive_priv_key()
646 ret = nn_cmp_word(&(priv_key->params->ec_gen_cofactor), cofactor, &cmp); EG(ret, err); in eddsa_derive_priv_key()
647 MUST_HAVE((cmp == 0), ret, err); in eddsa_derive_priv_key()
649 MUST_HAVE((cofactor == (0x1 << 2)) || (cofactor == (0x1 << 3)), ret, err); in eddsa_derive_priv_key()
667 MUST_HAVE((digest_size / 2) >= 2, ret, err); in eddsa_derive_priv_key()
677 ret = -1; in eddsa_derive_priv_key()
685 ret = nn_init_from_buf(&(priv_key->x), digest, digest_size); in eddsa_derive_priv_key()
690 return ret; in eddsa_derive_priv_key()
699 int ret; in eddsa_gen_priv_key() local
704 ret = eddsa_priv_key_sanity_check(priv_key); EG(ret, err); in eddsa_gen_priv_key()
709 MUST_HAVE(((hash_type = get_eddsa_hash_type(priv_key->key_type)) != UNKNOWN_HASH_ALG), ret, err); in eddsa_gen_priv_key()
712 ret = get_hash_sizes(hash_type, &digest_size, NULL); EG(ret, err); in eddsa_gen_priv_key()
714 MUST_HAVE(((2 * priv_key->params->ec_fp.p_bitlen) < (8 * (bitcnt_t)digest_size)), ret, err); in eddsa_gen_priv_key()
715 MUST_HAVE(((digest_size % 2) == 0), ret, err); in eddsa_gen_priv_key()
720 ret = nn_get_random_len(&(priv_key->x), (digest_size / 2)); EG(ret, err); in eddsa_gen_priv_key()
723 ret = eddsa_derive_priv_key(priv_key); in eddsa_gen_priv_key()
728 return ret; in eddsa_gen_priv_key()
744 int ret; in eddsa_import_priv_key() local
750 MUST_HAVE((priv_key != NULL) && (buf != NULL) && (shortw_curve_params != NULL), ret, err); in eddsa_import_priv_key()
753 ret = nn_init_from_buf(&(priv_key->x), buf, buflen); EG(ret, err); in eddsa_import_priv_key()
756 MUST_HAVE((hash_type != UNKNOWN_HASH_ALG), ret, err); in eddsa_import_priv_key()
759 ret = get_hash_sizes(hash_type, &digest_size, NULL); EG(ret, err); in eddsa_import_priv_key()
761 ret = nn_bitlen(&(priv_key->x), &blen); EG(ret, err); in eddsa_import_priv_key()
762 MUST_HAVE((blen <= (8 * ((bitcnt_t)digest_size / 2))), ret, err); in eddsa_import_priv_key()
772 ret = eddsa_derive_priv_key(priv_key); in eddsa_import_priv_key()
775 if((priv_key != NULL) && ret){ in eddsa_import_priv_key()
781 return ret; in eddsa_import_priv_key()
798 int ret; in eddsa_init_pub_key() local
801 MUST_HAVE(out_pub != NULL, ret, err); in eddsa_init_pub_key()
802 ret = eddsa_priv_key_sanity_check(in_priv); EG(ret, err); in eddsa_init_pub_key()
804 ret = nn_init(&s, 0); EG(ret, err); in eddsa_init_pub_key()
807 ret = local_memset(out_pub, 0, sizeof(ec_pub_key)); EG(ret, err); in eddsa_init_pub_key()
813 MUST_HAVE(((hash_type = get_eddsa_hash_type(in_priv->key_type)) != UNKNOWN_HASH_ALG), ret, err); in eddsa_init_pub_key()
816 ret = get_hash_sizes(hash_type, &digest_size_, NULL); EG(ret, err); in eddsa_init_pub_key()
820 ret = eddsa_get_digest_from_priv_key(digest, &digest_size, in_priv); EG(ret, err); in eddsa_init_pub_key()
823 MUST_HAVE((digest_size == digest_size_), ret, err); in eddsa_init_pub_key()
826 ret = eddsa_compute_s(&s, digest, digest_size); EG(ret, err); in eddsa_init_pub_key()
843 ret = nn_rshift(&s, &s, 2); EG(ret, err); in eddsa_init_pub_key()
846 ret = prj_pt_mul_blind(&(out_pub->y), &s, G); EG(ret, err); in eddsa_init_pub_key()
857 return ret; in eddsa_init_pub_key()
871 int ret; local
889 ret = -1;
893 MUST_HAVE((pub_key != NULL) && (shortw_curve_params != NULL) && (buf != NULL), ret, err);
898 MUST_HAVE((buflen == EDDSA25519_PUB_KEY_ENCODED_LEN), ret, err);
903 MUST_HAVE((buflen == EDDSA448_PUB_KEY_ENCODED_LEN), ret, err);
915 ret = curve_shortw_to_edwards(shortw_curve, &edwards_curve, alpha_montgomery,
916 gamma_montgomery, alpha_edwards); EG(ret, err);
919 ret = eddsa_decode_point(&_Tmp, &edwards_curve, alpha_edwards, buf, buflen,
920 sig_type); EG(ret, err);
922 ret = aff_pt_edwards_to_prj_pt_shortw(&_Tmp, shortw_curve, pub_key_y,
923 alpha_edwards); EG(ret, err);
937 ret = nn_init(&tmp, 0); EG(ret, err1);
938 ret = nn_modinv_word(&tmp, WORD(4), gen_order); EG(ret, err1);
939 ret = prj_pt_mul(&(pub_key->y), &tmp, pub_key_y); EG(ret, err1);
943 EG(ret, err);
952 ret = eddsa_pub_key_sanity_check(pub_key);
955 if((pub_key != NULL) && ret){
966 return ret;
978 int ret; local
986 ret = pub_key_check_initialized(in_pub); EG(ret, err);
987 MUST_HAVE((buf != NULL), ret, err);
1000 MUST_HAVE((buflen == EDDSA25519_PUB_KEY_ENCODED_LEN), ret, err);
1005 MUST_HAVE((buflen == EDDSA448_PUB_KEY_ENCODED_LEN), ret, err);
1010 ret = curve_shortw_to_edwards(shortw_curve, &edwards_curve, alpha_montgomery,
1011 gamma_montgomery, alpha_edwards); EG(ret, err);
1012 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &edwards_curve, &_Tmp,
1013 alpha_edwards); EG(ret, err);
1015 ret = eddsa_encode_point(&_Tmp, alpha_edwards, buf,
1027 return ret;
1036 int ret; local
1038 MUST_HAVE((kp != NULL), ret, err);
1041 ret = eddsa_import_priv_key(&(kp->priv_key), buf, buflen,
1042 shortw_curve_params, sig_type); EG(ret, err);
1045 ret = eddsa_init_pub_key(&(kp->pub_key), &(kp->priv_key));
1048 return ret;
1059 int ret; local
1061 MUST_HAVE((message != NULL) && (digest != NULL) && (digest_size != NULL), ret, err);
1063 MUST_HAVE(((hash_type = get_eddsa_hash_type(sig_type)) != UNKNOWN_HASH_ALG), ret, err);
1065 ret = get_hash_by_type(hash_type, &hash); EG(ret, err);
1066 MUST_HAVE((hash != NULL), ret, err);
1069 MUST_HAVE(((*digest_size) >= hash->digest_size), ret, err);
1073 ret = hash_mapping_callbacks_sanity_check(hash); EG(ret, err);
1074 ret = hash->hfunc_init(&hash_ctx); EG(ret, err);
1075 ret = hash->hfunc_update(&hash_ctx, message, message_size); EG(ret, err);
1076 ret = hash->hfunc_finalize(&hash_ctx, digest); EG(ret, err);
1079 return ret;
1087 int ret; local
1089 MUST_HAVE((siglen != NULL), ret, err);
1092 (hsize <= MAX_DIGEST_SIZE) && (blocksize <= MAX_BLOCK_SIZE), ret, err);
1095 ret = 0;
1097 return ret;
1110 #define EDDSA_SIGN_CHECK_INITIALIZED(A, ret, err) \ argument
1111 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == EDDSA_SIGN_MAGIC), ret, err)
1115 int ret; local
1123 ret = sig_sign_check_initialized(ctx); EG(ret, err);
1141 MUST_HAVE((use_message_pre_hash == 1), ret, err);
1144 ret = eddsa_key_pair_sanity_check(key_pair); EG(ret, err);
1146 …(h != NULL) && (h->digest_size <= MAX_DIGEST_SIZE) && (h->block_size <= MAX_BLOCK_SIZE), ret, err);
1149 …((key_type == key_pair->pub_key.key_type) && (h->type == get_eddsa_hash_type(key_type)), ret, err);
1154 ret = nn_bitlen(&(key_pair->priv_key.x), &blen); EG(ret, err);
1155 MUST_HAVE(blen <= (8 * h->digest_size), ret, err);
1162 ret = hash_mapping_callbacks_sanity_check(h); EG(ret, err);
1163 ret = h->hfunc_init(&(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1173 return ret;
1179 int ret; local
1189 ret = sig_sign_check_initialized(ctx); EG(ret, err);
1190 EDDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eddsa), ret, err);
1191 MUST_HAVE((chunk != NULL), ret, err);
1206 MUST_HAVE(use_message_pre_hash == 1, ret, err);
1209 MUST_HAVE((ctx->h->type == get_eddsa_hash_type(key_type)), ret, err);
1213 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
1215 ret = ctx->h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), chunk, chunklen);
1220 return ret;
1236 int ret; local
1263 ret = sig_sign_check_initialized(ctx); EG(ret, err);
1264 EDDSA_SIGN_CHECK_INITIALIZED(&(ctx->sign_data.eddsa), ret, err);
1265 MUST_HAVE((sig != NULL), ret, err);
1268 ret = local_memset(&R, 0, sizeof(prj_pt)); EG(ret, err);
1269 ret = local_memset(&Tmp_edwards, 0, sizeof(aff_pt_edwards)); EG(ret, err);
1270 ret = local_memset(&crv_edwards, 0, sizeof(ec_edwards_crv)); EG(ret, err);
1271 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err);
1272 ret = local_memset(ph_hash, 0, sizeof(ph_hash)); EG(ret, err);
1277 … == ctx->key_pair->pub_key.key_type) && (ctx->h->type == get_eddsa_hash_type(key_type)), ret, err);
1302 MUST_HAVE((siglen == EDDSA_SIGLEN(hsize)) && (siglen == (r_len + s_len)), ret, err);
1321 MUST_HAVE((use_message_pre_hash == 1), ret, err);
1325 ret = hash_mapping_callbacks_sanity_check(h); EG(ret, err);
1327 ret = h->hfunc_finalize(&(ctx->sign_data.eddsa.h_ctx), ph_hash); EG(ret, err);
1332 ret = eddsa_get_digest_from_priv_key(hash, &hash_size, priv_key); EG(ret, err);
1335 MUST_HAVE((hash_size == hsize), ret, err);
1338 ret = h->hfunc_init(&(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1343 ret = dom2(1, ctx->adata, ctx->adata_len, h,
1344 &(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1349 ret = dom4(1, ctx->adata, ctx->adata_len, h,
1350 &(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1353 ret = h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), &hash[hsize / 2], hsize / 2); EG(ret, err);
1356 MUST_HAVE((use_message_pre_hash_hsize <= hsize), ret, err);
1358 ret = h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), ph_hash,
1359 use_message_pre_hash_hsize); EG(ret, err);
1362 ret = h->hfunc_finalize(&(ctx->sign_data.eddsa.h_ctx), hash); EG(ret, err);
1366 ret = eddsa_decode_integer(&r, hash, hsize); EG(ret, err);
1372 ret = nn_get_random_mod(&b, q); EG(ret, err);
1377 ret = nn_modinv_fermat(&binv, &b, q); EG(ret, err);
1380 ret = nn_mul(&r, &r, &b); EG(ret, err);
1386 ret = nn_mod_notrim(&r, &r, q); EG(ret, err);
1399 ret = nn_init(&r_tmp, 0); EG(ret, err1);
1400 ret = nn_modinv_word(&r_tmp, WORD(4), q); EG(ret, err1);
1401 ret = nn_mod_mul(&r_tmp, &r_tmp, &r, q); EG(ret, err1);
1405 ret = nn_mod_mul(&r_tmp, &r_tmp, &binv, q); EG(ret, err1);
1406 ret = prj_pt_mul_blind(&R, &r_tmp, G);
1408 ret = prj_pt_mul(&R, &r_tmp, G);
1412 EG(ret, err);
1421 ret = nn_init(&r_tmp, 0); EG(ret, err2);
1422 ret = nn_copy(&r_tmp, &r); EG(ret, err2);
1425 ret = nn_mod_mul(&r_tmp, &r_tmp, &binv, q); EG(ret, err2);
1426 ret = prj_pt_mul_blind(&R, &r_tmp, G); EG(ret, err2);
1429 EG(ret, err);
1431 ret = prj_pt_mul(&R, &r, G); EG(ret, err);
1436 ret = h->hfunc_init(&(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1438 ret = curve_shortw_to_edwards(shortw_curve, &crv_edwards, alpha_montgomery,
1439 gamma_montgomery, alpha_edwards); EG(ret, err);
1440 ret = prj_pt_shortw_to_aff_pt_edwards(&R, &crv_edwards, &Tmp_edwards,
1441 alpha_edwards); EG(ret, err);
1444 MUST_HAVE((r_len <= siglen), ret, err);
1446 ret = eddsa_encode_point(&Tmp_edwards, alpha_edwards, &sig[0],
1447 r_len, key_type); EG(ret, err);
1451 ret = dom2(1, ctx->adata, ctx->adata_len, h,
1452 &(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1457 ret = dom4(1, ctx->adata, ctx->adata_len, h,
1458 &(ctx->sign_data.eddsa.h_ctx)); EG(ret, err);
1462 ret = h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), &sig[0], r_len); EG(ret, err);
1465 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &crv_edwards,
1466 &Tmp_edwards, alpha_edwards); EG(ret, err);
1468 MUST_HAVE(r_len <= sizeof(hash), ret, err);
1471 ret = eddsa_encode_point(&Tmp_edwards, alpha_edwards, hash,
1472 r_len, key_type); EG(ret, err);
1475 ret = h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), hash, r_len); EG(ret, err);
1477 ret = h->hfunc_update(&(ctx->sign_data.eddsa.h_ctx), ph_hash,
1478 use_message_pre_hash_hsize); EG(ret, err);
1480 ret = h->hfunc_finalize(&(ctx->sign_data.eddsa.h_ctx), hash); EG(ret, err);
1483 ret = eddsa_decode_integer(&S, hash, hsize); EG(ret, err);
1484 ret = nn_mod(&S, &S, q); EG(ret, err);
1487 ret = eddsa_get_digest_from_priv_key(hash, &hsize, priv_key); EG(ret, err);
1489 ret = eddsa_compute_s(&s, hash, hsize); EG(ret, err);
1490 ret = nn_mod(&s, &s, q); EG(ret, err);
1494 ret = nn_mod_mul(&S, &S, &b, q); EG(ret, err);
1497 ret = nn_mod_mul(&S, &S, &s, q); EG(ret, err);
1501 ret = nn_mod_add(&S, &S, &r, q); EG(ret, err);
1504 ret = nn_mod_mul(&S, &S, &binv, q); EG(ret, err);
1507 MUST_HAVE((s_len <= (siglen - r_len)), ret, err);
1508 ret = eddsa_encode_integer(&S, &sig[r_len], s_len);
1550 return ret;
1562 int ret; local
1600 MUST_HAVE((rand == NULL), ret, err);
1603 ret = local_memset(&R, 0, sizeof(prj_pt)); EG(ret, err);
1604 ret = local_memset(&Tmp_edwards, 0, sizeof(aff_pt_edwards)); EG(ret, err);
1605 ret = local_memset(&crv_edwards, 0, sizeof(ec_edwards_crv)); EG(ret, err);
1606 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err);
1607 ret = local_memset(ph_hash, 0, sizeof(ph_hash)); EG(ret, err);
1610 ret = eddsa_key_pair_sanity_check(key_pair); EG(ret, err);
1613 ret = get_hash_by_type(hash_type, &h); EG(ret, err);
1617 MUST_HAVE((h != NULL), ret, err);
1618 MUST_HAVE((get_eddsa_hash_type(sig_type) == hash_type), ret, err);
1620 MUST_HAVE(key_type == sig_type, ret, err);
1621 …(h != NULL) && (h->digest_size <= MAX_DIGEST_SIZE) && (h->block_size <= MAX_BLOCK_SIZE), ret, err);
1625 ret = nn_bitlen(&(key_pair->priv_key.x), &blen); EG(ret, err);
1626 MUST_HAVE((blen <= (8 * h->digest_size)), ret, err);
1650 MUST_HAVE((siglen == EDDSA_SIGLEN(hsize)) && (siglen == (r_len + s_len)), ret, err);
1671 ret = eddsa_compute_pre_hash(m, mlen, ph_hash, &hash_size, sig_type); EG(ret, err);
1672 MUST_HAVE(use_message_pre_hash_hsize <= hash_size, ret, err);
1677 ret = eddsa_get_digest_from_priv_key(hash, &hash_size, &(key_pair->priv_key)); EG(ret, err);
1679 MUST_HAVE((hash_size == hsize), ret, err);
1681 ret = hash_mapping_callbacks_sanity_check(h); EG(ret, err);
1682 ret = h->hfunc_init(&h_ctx); EG(ret, err);
1686 MUST_HAVE(adata != NULL, ret, err);
1687 ret = dom2(0, adata, adata_len, h, &h_ctx); EG(ret, err);
1690 ret = dom2(1, adata, adata_len, h, &h_ctx); EG(ret, err);
1695 ret = dom4(0, adata, adata_len, h, &h_ctx); EG(ret, err);
1698 ret = dom4(1, adata, adata_len, h, &h_ctx); EG(ret, err);
1701 ret = h->hfunc_update(&h_ctx, &hash[hsize / 2], hsize / 2); EG(ret, err);
1705 ret = h->hfunc_update(&h_ctx, ph_hash, use_message_pre_hash_hsize); EG(ret, err);
1708 ret = h->hfunc_update(&h_ctx, m, mlen); EG(ret, err);
1710 ret = h->hfunc_finalize(&h_ctx, hash); EG(ret, err);
1714 ret = eddsa_decode_integer(&r, hash, hsize); EG(ret, err);
1720 ret = nn_get_random_mod(&b, q); EG(ret, err);
1725 ret = nn_modinv_fermat(&binv, &b, q); EG(ret, err);
1728 ret = nn_mul(&r, &r, &b); EG(ret, err);
1734 ret = nn_mod_notrim(&r, &r, q); EG(ret, err);
1747 ret = nn_init(&r_tmp, 0); EG(ret, err1);
1748 ret = nn_modinv_word(&r_tmp, WORD(4), q); EG(ret, err1);
1749 ret = nn_mod_mul(&r_tmp, &r_tmp, &r, q); EG(ret, err1);
1753 ret = nn_mod_mul(&r_tmp, &r_tmp, &binv, q); EG(ret, err1);
1754 ret = prj_pt_mul_blind(&R, &r_tmp, G);
1756 ret = prj_pt_mul(&R, &r_tmp, G);
1760 EG(ret, err);
1769 ret = nn_init(&r_tmp, 0); EG(ret, err2);
1770 ret = nn_copy(&r_tmp, &r); EG(ret, err2);
1773 ret = nn_mod_mul(&r_tmp, &r_tmp, &binv, q); EG(ret, err2);
1774 ret = prj_pt_mul_blind(&R, &r_tmp, G); EG(ret, err2);
1777 EG(ret, err);
1779 ret = prj_pt_mul(&R, &r, G); EG(ret, err);
1784 ret = hash_mapping_callbacks_sanity_check(h); EG(ret, err);
1785 ret = h->hfunc_init(&h_ctx); EG(ret, err);
1787 ret = curve_shortw_to_edwards(shortw_curve, &crv_edwards, alpha_montgomery,
1788 gamma_montgomery, alpha_edwards); EG(ret, err);
1789 ret = prj_pt_shortw_to_aff_pt_edwards(&R, &crv_edwards, &Tmp_edwards,
1790 alpha_edwards); EG(ret, err);
1792 MUST_HAVE((r_len <= siglen), ret, err);
1794 ret = eddsa_encode_point(&Tmp_edwards, alpha_edwards, &sig[0],
1795 r_len, key_type); EG(ret, err);
1802 MUST_HAVE((adata != NULL), ret, err);
1803 ret = dom2(0, adata, adata_len, h, &h_ctx); EG(ret, err);
1806 ret = dom2(1, adata, adata_len, h, &h_ctx); EG(ret, err);
1811 ret = dom4(0, adata, adata_len, h, &h_ctx); EG(ret, err);
1814 ret = dom4(1, adata, adata_len, h, &h_ctx); EG(ret, err);
1818 ret = h->hfunc_update(&h_ctx, &sig[0], r_len); EG(ret, err);
1820 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &crv_edwards, &Tmp_edwards,
1821 alpha_edwards); EG(ret, err);
1823 MUST_HAVE((r_len <= sizeof(hash)), ret, err);
1826 ret = eddsa_encode_point(&Tmp_edwards, alpha_edwards,
1827 hash, r_len, key_type); EG(ret, err);
1829 ret = h->hfunc_update(&h_ctx, hash, r_len); EG(ret, err);
1832 ret = h->hfunc_update(&h_ctx, ph_hash, use_message_pre_hash_hsize); EG(ret, err);
1835 ret = h->hfunc_update(&h_ctx, m, mlen); EG(ret, err);
1838 ret = h->hfunc_finalize(&h_ctx, hash); EG(ret, err);
1841 ret = eddsa_decode_integer(&S, hash, hsize); EG(ret, err);
1842 ret = nn_mod(&S, &S, q); EG(ret, err);
1845 ret = eddsa_get_digest_from_priv_key(hash, &hsize, priv_key); EG(ret, err);
1846 ret = eddsa_compute_s(&s, hash, hsize); EG(ret, err);
1847 ret = nn_mod(&s, &s, q); EG(ret, err);
1850 ret = nn_mod_mul(&S, &S, &b, q); EG(ret, err);
1853 ret = nn_mod_mul(&S, &S, &s, q); EG(ret, err);
1857 ret = nn_mod_add(&S, &S, &r, q); EG(ret, err);
1860 ret = nn_mod_mul(&S, &S, &binv, q); EG(ret, err);
1863 MUST_HAVE((s_len <= (siglen - r_len)), ret, err);
1865 ret = eddsa_encode_integer(&S, &sig[r_len], s_len);
1902 return ret;
1912 #define EDDSA_VERIFY_CHECK_INITIALIZED(A, ret, err) \ argument
1913 MUST_HAVE((((void *)(A)) != NULL) && ((A)->magic == EDDSA_VERIFY_MAGIC), ret, err)
1925 int ret, iszero, cmp; local
1941 ret = sig_verify_check_initialized(ctx); EG(ret, err);
1942 MUST_HAVE((sig != NULL), ret, err);
1945 ret = local_memset(&A, 0, sizeof(aff_pt_edwards)); EG(ret, err);
1946 ret = local_memset(&crv_edwards, 0, sizeof(ec_edwards_crv)); EG(ret, err);
1947 ret = local_memset(buff, 0, sizeof(buff)); EG(ret, err);
1948 ret = local_memset(&R, 0, sizeof(R)); EG(ret, err);
1949 ret = local_memset(&_Tmp, 0, sizeof(_Tmp)); EG(ret, err);
1952 ret = eddsa_pub_key_sanity_check(ctx->pub_key); EG(ret, err);
1953 …) && (ctx->h->digest_size <= MAX_DIGEST_SIZE) && (ctx->h->block_size <= MAX_BLOCK_SIZE), ret, err);
1973 MUST_HAVE((ctx->h->type == get_eddsa_hash_type(key_type)), ret, err);
1976 MUST_HAVE((siglen == EDDSA_SIGLEN(hsize)), ret, err);
1977 MUST_HAVE((siglen == (EDDSA_R_LEN(hsize) + EDDSA_S_LEN(hsize))), ret, err);
1981 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
1982 ret = ctx->h->hfunc_init(h_ctx); EG(ret, err);
1983 ret = ctx->h->hfunc_init(h_ctx_pre_hash); EG(ret, err);
1987 MUST_HAVE((ctx->adata != NULL), ret, err);
1988 ret = dom2(0, ctx->adata, ctx->adata_len, ctx->h, h_ctx); EG(ret, err);
1991 ret = dom2(1, ctx->adata, ctx->adata_len, ctx->h, h_ctx); EG(ret, err);
1996 ret = dom4(0, ctx->adata, ctx->adata_len, ctx->h, h_ctx); EG(ret, err);
1999 ret = dom4(1, ctx->adata, ctx->adata_len, ctx->h, h_ctx); EG(ret, err);
2005 ret = curve_shortw_to_edwards(shortw_curve, &crv_edwards, alpha_montgomery,
2006 gamma_montgomery, alpha_edwards); EG(ret, err);
2008 ret = eddsa_decode_point(&R, &crv_edwards, alpha_edwards, &sig[0],
2009 EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2012 ret = aff_pt_edwards_to_prj_pt_shortw(&R, shortw_curve, _R, alpha_edwards); EG(ret, err);
2014 ret = ctx->h->hfunc_update(h_ctx, &sig[0], EDDSA_R_LEN(hsize)); EG(ret, err);
2018 ret = eddsa_decode_integer(S, &sig[EDDSA_R_LEN(hsize)], EDDSA_S_LEN(hsize)); EG(ret, err);
2020 ret = nn_cmp(S, q, &cmp); EG(ret, err);
2021 MUST_HAVE((cmp < 0), ret, err);
2033 ret = _prj_pt_unprotected_mult(&_Tmp, gen_cofactor, pub_key_y); EG(ret, err);
2037 ret = prj_pt_iszero(&_Tmp, &iszero); EG(ret, err);
2038 MUST_HAVE((!iszero), ret, err);
2041 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &crv_edwards, &A, alpha_edwards); EG(ret, err);
2043 MUST_HAVE((EDDSA_R_LEN(hsize) <= sizeof(buff)), ret, err);
2045 ret = eddsa_encode_point(&A, alpha_edwards, buff, EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2048 ret = ctx->h->hfunc_update(h_ctx, buff, EDDSA_R_LEN(hsize)); EG(ret, err);
2070 return ret;
2076 int ret; local
2088 ret = sig_verify_check_initialized(ctx); EG(ret, err);
2089 EDDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eddsa), ret, err);
2096 MUST_HAVE(ctx->h->type == get_eddsa_hash_type(key_type), ret, err);
2111 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
2114 ret = ctx->h->hfunc_update(h_ctx_pre_hash,
2115 chunk, chunklen); EG(ret, err);
2119 ret = ctx->h->hfunc_update(h_ctx, chunk, chunklen); EG(ret, err);
2125 return ret;
2137 int ret, iszero, cmp; local
2151 ret = sig_verify_check_initialized(ctx); EG(ret, err);
2152 EDDSA_VERIFY_CHECK_INITIALIZED(&(ctx->verify_data.eddsa), ret, err);
2155 ret = local_memset(&_Tmp1, 0, sizeof(prj_pt)); EG(ret, err);
2156 ret = local_memset(&_Tmp2, 0, sizeof(prj_pt)); EG(ret, err);
2157 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err);
2172 MUST_HAVE((ctx->h->type == get_eddsa_hash_type(key_type)), ret, err);
2192 ret = nn_cmp(S, q, &cmp); EG(ret, err);
2193 MUST_HAVE((cmp < 0), ret, err);
2195 MUST_HAVE((hsize <= sizeof(hash)), ret, err);
2199 ret = hash_mapping_callbacks_sanity_check(ctx->h); EG(ret, err);
2202 ret = ctx->h->hfunc_finalize(h_ctx_pre_hash, hash); EG(ret, err);
2203 MUST_HAVE((use_message_pre_hash_hsize <= hsize), ret, err);
2204 ret = ctx->h->hfunc_update(h_ctx, hash, use_message_pre_hash_hsize); EG(ret, err);
2206 ret = ctx->h->hfunc_finalize(h_ctx, hash); EG(ret, err);
2210 ret = eddsa_decode_integer(&h, hash, hsize); EG(ret, err);
2211 ret = nn_mod(&h, &h, q); EG(ret, err);
2220 ret = nn_lshift(&h, &h, 2); EG(ret, err);
2221 ret = nn_mod(&h, &h, q); EG(ret, err);
2225 ret = prj_pt_mul(&_Tmp1, S, G); EG(ret, err);
2226 ret = prj_pt_neg(&_Tmp2, _R); EG(ret, err);
2227 ret = prj_pt_add(&_Tmp1, &_Tmp1, &_Tmp2); EG(ret, err);
2228 ret = prj_pt_mul(&_Tmp2, &h, A); EG(ret, err);
2229 ret = prj_pt_neg(&_Tmp2, &_Tmp2); EG(ret, err);
2230 ret = prj_pt_add(&_Tmp1, &_Tmp1, &_Tmp2); EG(ret, err);
2236 ret = _prj_pt_unprotected_mult(&_Tmp2, gen_cofactor, &_Tmp1); EG(ret, err);
2239 ret = prj_pt_iszero(&_Tmp2, &iszero); EG(ret, err);
2240 ret = iszero ? 0 : -1;
2266 return ret;
2292 int ret, iszero, cmp; local
2314 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL) && (adata != NULL), ret, err);
2316 MUST_HAVE((num > 0), ret, err);
2320 ret = local_memset(&crv_edwards, 0, sizeof(ec_edwards_crv)); EG(ret, err);
2321 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err);
2322 ret = local_memset(&A, 0, sizeof(aff_pt_edwards)); EG(ret, err);
2323 ret = local_memset(&R, 0, sizeof(aff_pt_edwards)); EG(ret, err);
2324 ret = local_memset(&_R_sum, 0, sizeof(prj_pt)); EG(ret, err);
2325 ret = local_memset(&_A_sum, 0, sizeof(prj_pt)); EG(ret, err);
2326 ret = local_memset(&_Tmp, 0, sizeof(prj_pt)); EG(ret, err);
2329 MUST_HAVE((pub_key0 != NULL), ret, err);
2332 ret = get_hash_by_type(hash_type, &hm); EG(ret, err);
2334 MUST_HAVE((hm != NULL), ret, err);
2357 ret = eddsa_pub_key_sanity_check(pub_keys[i]); EG(ret, err);
2363 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err);
2376 MUST_HAVE((key_type == sig_type), ret, err);
2380 ret = nn_init(&S_sum, 0); EG(ret, err);
2381 ret = prj_pt_init(&_R_sum, shortw_curve); EG(ret, err);
2382 ret = prj_pt_zero(&_R_sum); EG(ret, err);
2383 ret = prj_pt_init(&_A_sum, shortw_curve); EG(ret, err);
2384 ret = prj_pt_zero(&_A_sum); EG(ret, err);
2385 ret = nn_init(&z, 0); EG(ret, err);
2386 ret = nn_init(&h, 0); EG(ret, err);
2391 ret = nn_get_random_len(&z, (hsize / 4)); EG(ret, err);
2392 ret = nn_iszero(&z, &iszero); EG(ret, err);
2398 MUST_HAVE((hash_type == get_eddsa_hash_type(key_type)), ret, err);
2403 MUST_HAVE((siglen == EDDSA_SIGLEN(hsize)), ret, err);
2404 MUST_HAVE((siglen == (EDDSA_R_LEN(hsize) + EDDSA_S_LEN(hsize))), ret, err);
2408 ret = hash_mapping_callbacks_sanity_check(hm); EG(ret, err);
2409 ret = hm->hfunc_init(&h_ctx); EG(ret, err);
2410 ret = hm->hfunc_init(&h_ctx_pre_hash); EG(ret, err);
2414 MUST_HAVE((adata[i] != NULL), ret, err);
2415 ret = dom2(0, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2418 ret = dom2(1, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2423 ret = dom4(0, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2426 ret = dom4(1, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2432 ret = curve_shortw_to_edwards(shortw_curve, &crv_edwards, alpha_montgomery,
2433 gamma_montgomery, alpha_edwards); EG(ret, err);
2435 ret = eddsa_decode_point(&R, &crv_edwards, alpha_edwards, &sig[0],
2436 EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2439 ret = aff_pt_edwards_to_prj_pt_shortw(&R, shortw_curve, &_Tmp, alpha_edwards); EG(ret, err);
2441 ret = hm->hfunc_update(&h_ctx, &sig[0], EDDSA_R_LEN(hsize)); EG(ret, err);
2444 ret = _prj_pt_unprotected_mult(&_Tmp, &z, &_Tmp); EG(ret, err);
2446 ret = prj_pt_add(&_R_sum, &_R_sum, &_Tmp); EG(ret, err);
2450 ret = eddsa_decode_integer(&S, &sig[EDDSA_R_LEN(hsize)], EDDSA_S_LEN(hsize)); EG(ret, err);
2452 ret = nn_cmp(&S, q, &cmp); EG(ret, err);
2453 MUST_HAVE((cmp < 0), ret, err);
2457 ret = nn_mul(&S, &S, &z); EG(ret, err);
2458 ret = nn_mod(&S, &S, q); EG(ret, err);
2459 ret = nn_mod_add(&S_sum, &S_sum, &S, q); EG(ret, err);
2470 ret = _prj_pt_unprotected_mult(&_Tmp, gen_cofactor, pub_key_y); EG(ret, err);
2474 ret = prj_pt_iszero(&_Tmp, &iszero); EG(ret, err);
2475 MUST_HAVE((!iszero), ret, err);
2478 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &crv_edwards, &A, alpha_edwards); EG(ret, err);
2480 MUST_HAVE((EDDSA_R_LEN(hsize) <= sizeof(hash)), ret, err);
2482 ret = eddsa_encode_point(&A, alpha_edwards, hash, EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2485 ret = hm->hfunc_update(&h_ctx, hash, EDDSA_R_LEN(hsize)); EG(ret, err);
2489 ret = hm->hfunc_update(&h_ctx_pre_hash, m[i], m_len[i]); EG(ret, err);
2490 ret = hm->hfunc_finalize(&h_ctx_pre_hash, hash); EG(ret, err);
2491 MUST_HAVE((use_message_pre_hash_hsize <= hsize), ret, err);
2492 ret = hm->hfunc_update(&h_ctx, hash, use_message_pre_hash_hsize); EG(ret, err);
2495 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err);
2497 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err);
2501 ret = eddsa_decode_integer(&h, hash, hsize); EG(ret, err);
2502 ret = nn_mod(&h, &h, q); EG(ret, err);
2510 ret = nn_lshift(&h, &h, 2); EG(ret, err);
2511 ret = nn_mod(&h, &h, q); EG(ret, err);
2519 ret = nn_mul(&z, &z, &h); EG(ret, err);
2520 ret = nn_mod(&z, &z, q); EG(ret, err);
2521 ret = _prj_pt_unprotected_mult(&_Tmp, &z, &_Tmp); EG(ret, err);
2523 ret = prj_pt_add(&_A_sum, &_A_sum, &_Tmp); EG(ret, err);
2527 MUST_HAVE((gen_cofactor != NULL) && (q != NULL) && (G != NULL), ret, err);
2530 ret = nn_mul(&S_sum, &S_sum, gen_cofactor); EG(ret, err);
2531 ret = nn_mod(&S_sum, &S_sum, q); EG(ret, err);
2533 ret = nn_mod_neg(&S_sum, &S_sum, q); EG(ret, err);
2535 ret = _prj_pt_unprotected_mult(&_Tmp, &S_sum, G); EG(ret, err);
2538 ret = _prj_pt_unprotected_mult(&_R_sum, gen_cofactor, &_R_sum); EG(ret, err);
2541 ret = prj_pt_add(&_Tmp, &_Tmp, &_A_sum);
2542 ret = prj_pt_add(&_Tmp, &_Tmp, &_R_sum);
2545 ret = prj_pt_iszero(&_Tmp, &iszero); EG(ret, err);
2546 ret = iszero ? 0 : -1;
2571 return ret;
2594 int ret, iszero, cmp; local
2618 MUST_HAVE((s != NULL) && (pub_keys != NULL) && (m != NULL) && (adata != NULL), ret, err);
2619 MUST_HAVE((scratch_pad_area_len != NULL), ret, err);
2620 MUST_HAVE(((2 * num) >= num), ret, err);
2621 MUST_HAVE(((2 * num) + 1) >= num, ret, err);
2631 ret = 0;
2635 ret = _eddsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type,
2642 MUST_HAVE((expected_len < 0xffffffff), ret, err);
2649 ret = 0;
2653 MUST_HAVE((*scratch_pad_area_len) >= expected_len, ret, err);
2659 ret = local_memset(&crv_edwards, 0, sizeof(ec_edwards_crv)); EG(ret, err);
2660 ret = local_memset(hash, 0, sizeof(hash)); EG(ret, err);
2661 ret = local_memset(&A, 0, sizeof(aff_pt_edwards)); EG(ret, err);
2662 ret = local_memset(&R, 0, sizeof(aff_pt_edwards)); EG(ret, err);
2665 MUST_HAVE((pub_key0 != NULL), ret, err);
2668 ret = get_hash_by_type(hash_type, &hm); EG(ret, err);
2670 MUST_HAVE((hm != NULL), ret, err);
2690 MUST_HAVE((num >= 1), ret, err);
2695 ret = eddsa_pub_key_sanity_check(pub_keys[i]); EG(ret, err);
2701 MUST_HAVE((pub_key->params) == (pub_key0->params), ret, err);
2715 MUST_HAVE((key_type == sig_type), ret, err);
2719 ret = nn_init(&z, 0); EG(ret, err);
2720 ret = nn_init(&S, 0); EG(ret, err);
2721 ret = nn_init(&elements[(2 * num)].number, 0); EG(ret, err);
2722 ret = _prj_pt_unprotected_mult(&elements[(2 * num)].point, gen_cofactor, G); EG(ret, err);
2727 ret = nn_get_random_len(&z, (hsize / 4)); EG(ret, err);
2728 ret = nn_iszero(&z, &iszero); EG(ret, err);
2734 MUST_HAVE((hash_type == get_eddsa_hash_type(key_type)), ret, err);
2739 MUST_HAVE((siglen == EDDSA_SIGLEN(hsize)), ret, err);
2740 MUST_HAVE((siglen == (EDDSA_R_LEN(hsize) + EDDSA_S_LEN(hsize))), ret, err);
2744 ret = hash_mapping_callbacks_sanity_check(hm); EG(ret, err);
2745 ret = hm->hfunc_init(&h_ctx); EG(ret, err);
2746 ret = hm->hfunc_init(&h_ctx_pre_hash); EG(ret, err);
2750 MUST_HAVE((adata[i] != NULL), ret, err);
2751 ret = dom2(0, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2754 ret = dom2(1, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2759 ret = dom4(0, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2762 ret = dom4(1, adata[i], adata_len[i], hm, &h_ctx); EG(ret, err);
2768 ret = curve_shortw_to_edwards(shortw_curve, &crv_edwards, alpha_montgomery,
2769 gamma_montgomery, alpha_edwards); EG(ret, err);
2771 ret = eddsa_decode_point(&R, &crv_edwards, alpha_edwards, &sig[0],
2772 EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2775 …ret = aff_pt_edwards_to_prj_pt_shortw(&R, shortw_curve, &elements[i].point, alpha_edwards); EG(ret…
2777 ret = hm->hfunc_update(&h_ctx, &sig[0], EDDSA_R_LEN(hsize)); EG(ret, err);
2779 ret = nn_init(&elements[i].number, 0); EG(ret, err);
2780 ret = nn_mul(&elements[i].number, gen_cofactor, &z); EG(ret, err);
2781 ret = nn_mod(&elements[i].number, &elements[i].number, q); EG(ret, err);
2785 ret = eddsa_decode_integer(&S, &sig[EDDSA_R_LEN(hsize)], EDDSA_S_LEN(hsize)); EG(ret, err);
2787 ret = nn_cmp(&S, q, &cmp); EG(ret, err);
2788 MUST_HAVE((cmp < 0), ret, err);
2792 ret = nn_mul(&S, &S, &z); EG(ret, err);
2793 ret = nn_mod(&S, &S, q); EG(ret, err);
2794 ret = nn_mod_neg(&S, &S, q); EG(ret, err); /* Negate S */
2795 ret = nn_mod_add(&elements[(2 * num)].number, &elements[(2 * num)].number, &S, q); EG(ret, err);
2806 ret = _prj_pt_unprotected_mult(&elements[num + i].point, gen_cofactor, pub_key_y); EG(ret, err);
2810 ret = prj_pt_iszero(&elements[num + i].point, &iszero); EG(ret, err);
2811 MUST_HAVE((!iszero), ret, err);
2814 ret = prj_pt_shortw_to_aff_pt_edwards(pub_key_y, &crv_edwards, &A, alpha_edwards); EG(ret, err);
2816 MUST_HAVE((EDDSA_R_LEN(hsize) <= sizeof(hash)), ret, err);
2818 ret = eddsa_encode_point(&A, alpha_edwards, hash, EDDSA_R_LEN(hsize), key_type); EG(ret, err);
2821 ret = hm->hfunc_update(&h_ctx, hash, EDDSA_R_LEN(hsize)); EG(ret, err);
2825 ret = hm->hfunc_update(&h_ctx_pre_hash, m[i], m_len[i]); EG(ret, err);
2826 ret = hm->hfunc_finalize(&h_ctx_pre_hash, hash); EG(ret, err);
2827 MUST_HAVE((use_message_pre_hash_hsize <= hsize), ret, err);
2828 ret = hm->hfunc_update(&h_ctx, hash, use_message_pre_hash_hsize); EG(ret, err);
2831 ret = hm->hfunc_update(&h_ctx, m[i], m_len[i]); EG(ret, err);
2833 ret = hm->hfunc_finalize(&h_ctx, hash); EG(ret, err);
2837 ret = eddsa_decode_integer(&elements[num + i].number, hash, hsize); EG(ret, err);
2838 ret = nn_mod(&elements[num + i].number, &elements[num + i].number, q); EG(ret, err);
2846 ret = nn_lshift(&elements[num + i].number, &elements[num + i].number, 2); EG(ret, err);
2847 ret = nn_mod(&elements[num + i].number, &elements[num + i].number, q); EG(ret, err);
2852 ret = nn_mul(&elements[num + i].number, &elements[num + i].number, &z); EG(ret, err);
2853 ret = nn_mod(&elements[num + i].number, &elements[num + i].number, q); EG(ret, err);
2857 MUST_HAVE((gen_cofactor != NULL) && (q != NULL) && (G != NULL) && (q_bit_len != 0), ret, err);
2861 ret = ec_verify_bos_coster(elements, (2 * num) + 1, q_bit_len);
2862 if(ret){
2863 if(ret == -2){
2867 … ret = _eddsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type,
2868 … hash_type, adata, adata_len); EG(ret, err);
2877 ret = prj_pt_iszero(&elements[elements[0].index].point, &iszero); EG(ret, err);
2878 ret = iszero ? 0 : -1;
2904 return ret;
2912 int ret; local
2915 MUST_HAVE((scratch_pad_area_len != NULL), ret, err);
2916 ret = _eddsa_verify_batch(s, s_len, pub_keys, m, m_len, num, sig_type,
2918 scratch_pad_area, scratch_pad_area_len); EG(ret, err);
2921 ret = _eddsa_verify_batch_no_memory(s, s_len, pub_keys, m, m_len, num, sig_type,
2922 hash_type, adata, adata_len); EG(ret, err);
2926 return ret;