1 #include <string.h>
2 #include "crypto_sign.h"
3 #include "crypto_verify_32.h"
4 #include "crypto_hash_sha512.h"
5 #include "ge25519.h"
6
crypto_sign_open(unsigned char * m,unsigned long long * mlen,const unsigned char * sm,unsigned long long smlen,const unsigned char * pk)7 int crypto_sign_open(
8 unsigned char *m,unsigned long long *mlen,
9 const unsigned char *sm,unsigned long long smlen,
10 const unsigned char *pk
11 )
12 {
13 unsigned char pkcopy[32];
14 unsigned char rcopy[32];
15 unsigned char hram[64];
16 unsigned char rcheck[32];
17 ge25519 get1, get2;
18 sc25519 schram, scs;
19
20 if (smlen < 64) goto badsig;
21 if (sm[63] & 224) goto badsig;
22 if (ge25519_unpackneg_vartime(&get1,pk)) goto badsig;
23
24 memmove(pkcopy,pk,32);
25 memmove(rcopy,sm,32);
26
27 sc25519_from32bytes(&scs, sm+32);
28
29 memmove(m,sm,smlen);
30 memmove(m + 32,pkcopy,32);
31 crypto_hash_sha512(hram,m,smlen);
32
33 sc25519_from64bytes(&schram, hram);
34
35 ge25519_double_scalarmult_vartime(&get2, &get1, &schram, &scs);
36 ge25519_pack(rcheck, &get2);
37
38 if (crypto_verify_32(rcopy,rcheck) == 0) {
39 memmove(m,m + 64,smlen - 64);
40 memset(m + smlen - 64,0,64);
41 *mlen = smlen - 64;
42 return 0;
43 }
44
45 badsig:
46 *mlen = (unsigned long long) -1;
47 memset(m,0,smlen);
48 return -1;
49 }
50