ring/ec/curve25519/ed25519/
verification.rs

1// Copyright 2015-2016 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! EdDSA Signatures.
16
17use super::{super::ops::*, eddsa_digest};
18use crate::{cpu, error, sealed, signature};
19
20/// Parameters for EdDSA signing and verification.
21pub struct EdDSAParameters;
22
23impl core::fmt::Debug for EdDSAParameters {
24    fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
25        write!(f, "ring::signature::ED25519")
26    }
27}
28
29/// Verification of [Ed25519] signatures.
30///
31/// Ed25519 uses SHA-512 as the digest algorithm.
32///
33/// [Ed25519]: https://ed25519.cr.yp.to/
34pub static ED25519: EdDSAParameters = EdDSAParameters {};
35
36impl signature::VerificationAlgorithm for EdDSAParameters {
37    fn verify(
38        &self,
39        public_key: untrusted::Input,
40        msg: untrusted::Input,
41        signature: untrusted::Input,
42    ) -> Result<(), error::Unspecified> {
43        let cpu_features = cpu::features();
44
45        let public_key: &[u8; ELEM_LEN] = public_key.as_slice_less_safe().try_into()?;
46        let (signature_r, signature_s) = signature.read_all(error::Unspecified, |input| {
47            let signature_r: &[u8; ELEM_LEN] = input
48                .read_bytes(ELEM_LEN)?
49                .as_slice_less_safe()
50                .try_into()?;
51            let signature_s: &[u8; SCALAR_LEN] = input
52                .read_bytes(SCALAR_LEN)?
53                .as_slice_less_safe()
54                .try_into()?;
55            Ok((signature_r, signature_s))
56        })?;
57
58        let signature_s = Scalar::from_bytes_checked(*signature_s)?;
59
60        let mut a = ExtPoint::from_encoded_point_vartime(public_key)?;
61        a.invert_vartime();
62
63        let h_digest = eddsa_digest(signature_r, public_key, msg.as_slice_less_safe());
64        let h = Scalar::from_sha512_digest_reduced(h_digest);
65
66        let mut r = Point::new_at_infinity();
67        unsafe { x25519_ge_double_scalarmult_vartime(&mut r, &h, &a, &signature_s) };
68        let r_check = r.into_encoded_point(cpu_features);
69        if *signature_r != r_check {
70            return Err(error::Unspecified);
71        }
72        Ok(())
73    }
74}
75
76impl sealed::Sealed for EdDSAParameters {}
77
78prefixed_extern! {
79    fn x25519_ge_double_scalarmult_vartime(
80        r: &mut Point,
81        a_coeff: &Scalar,
82        a: &ExtPoint,
83        b_coeff: &Scalar,
84    );
85}