1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
// Copyright 2015-2016 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

//! EdDSA Signatures.

use super::{super::ops::*, eddsa_digest};
use crate::{error, sealed, signature};
use core::convert::TryInto;

/// Parameters for EdDSA signing and verification.
pub struct EdDSAParameters;

impl core::fmt::Debug for EdDSAParameters {
    fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
        write!(f, "ring::signature::ED25519")
    }
}

/// Verification of [Ed25519] signatures.
///
/// Ed25519 uses SHA-512 as the digest algorithm.
///
/// [Ed25519]: https://ed25519.cr.yp.to/
pub static ED25519: EdDSAParameters = EdDSAParameters {};

impl signature::VerificationAlgorithm for EdDSAParameters {
    fn verify(
        &self,
        public_key: untrusted::Input,
        msg: untrusted::Input,
        signature: untrusted::Input,
    ) -> Result<(), error::Unspecified> {
        let public_key: &[u8; ELEM_LEN] = public_key.as_slice_less_safe().try_into()?;
        let (signature_r, signature_s) = signature.read_all(error::Unspecified, |input| {
            let signature_r: &[u8; ELEM_LEN] = input
                .read_bytes(ELEM_LEN)?
                .as_slice_less_safe()
                .try_into()?;
            let signature_s: &[u8; SCALAR_LEN] = input
                .read_bytes(SCALAR_LEN)?
                .as_slice_less_safe()
                .try_into()?;
            Ok((signature_r, signature_s))
        })?;

        let signature_s = Scalar::from_bytes_checked(*signature_s)?;

        let mut a = ExtPoint::from_encoded_point_vartime(public_key)?;
        a.invert_vartime();

        let h_digest = eddsa_digest(signature_r, public_key, msg.as_slice_less_safe());
        let h = Scalar::from_sha512_digest_reduced(h_digest);

        let mut r = Point::new_at_infinity();
        unsafe { GFp_x25519_ge_double_scalarmult_vartime(&mut r, &h, &a, &signature_s) };
        let r_check = r.into_encoded_point();
        if *signature_r != r_check {
            return Err(error::Unspecified);
        }
        Ok(())
    }
}

impl sealed::Sealed for EdDSAParameters {}

extern "C" {
    fn GFp_x25519_ge_double_scalarmult_vartime(
        r: &mut Point,
        a_coeff: &Scalar,
        a: &ExtPoint,
        b_coeff: &Scalar,
    );
}