1 /* (Modified by Tor to verify signature separately from message) */
2
3 #include "crypto_sign.h"
4 #include <string.h>
5 #include "crypto_hash_sha512.h"
6 #include "crypto_verify_32.h"
7 #include "ge.h"
8 #include "sc.h"
9
10 /* 'signature' must be 64-bytes long. */
crypto_sign_open(const unsigned char * signature,const unsigned char * m,size_t mlen,const unsigned char * pk)11 int crypto_sign_open(
12 const unsigned char *signature,
13 const unsigned char *m, size_t mlen,
14 const unsigned char *pk
15 )
16 {
17 unsigned char pkcopy[32];
18 unsigned char rcopy[32];
19 unsigned char scopy[32];
20 unsigned char h[64];
21 unsigned char rcheck[32];
22 ge_p3 A;
23 ge_p2 R;
24
25 if (signature[63] & 224) goto badsig;
26 if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
27
28 memmove(pkcopy,pk,32);
29 memmove(rcopy,signature,32);
30 memmove(scopy,signature + 32,32);
31
32 crypto_hash_sha512_3(h, rcopy, 32, pkcopy, 32, m, mlen);
33 sc_reduce(h);
34
35 ge_double_scalarmult_vartime(&R,h,&A,scopy);
36 ge_tobytes(rcheck,&R);
37 if (crypto_verify_32(rcheck,rcopy) == 0) {
38 return 0;
39 }
40
41 badsig:
42 return -1;
43 }
44