File Coverage

line	stmt	bran	code
1			#include "ed25519.h"
2			#include "sha512.h"
3			#include "ge.h"
4			#include "sc.h"
5
6	1564		static int consttime_equal(const unsigned char x, const unsigned char y) {
7	1564		unsigned char r = 0;
8
9	1564		r = x[0] ^ y[0];
10			#define F(i) r \|= x[i] ^ y[i]
11	1564		F(1);
12	1564		F(2);
13	1564		F(3);
14	1564		F(4);
15	1564		F(5);
16	1564		F(6);
17	1564		F(7);
18	1564		F(8);
19	1564		F(9);
20	1564		F(10);
21	1564		F(11);
22	1564		F(12);
23	1564		F(13);
24	1564		F(14);
25	1564		F(15);
26	1564		F(16);
27	1564		F(17);
28	1564		F(18);
29	1564		F(19);
30	1564		F(20);
31	1564		F(21);
32	1564		F(22);
33	1564		F(23);
34	1564		F(24);
35	1564		F(25);
36	1564		F(26);
37	1564		F(27);
38	1564		F(28);
39	1564		F(29);
40	1564		F(30);
41	1564		F(31);
42			#undef F
43
44	1564		return !r;
45			}
46
47	1564		int ed25519_verify(const unsigned char signature, const unsigned char message, size_t message_len, const unsigned char *public_key) {
48			unsigned char h[64];
49			unsigned char checker[32];
50			sha512_context hash;
51			ge_p3 A;
52			ge_p2 R;
53
54	1564	50	if (signature[63] & 224) {
55	0		return 0;
56			}
57
58	1564	50	if (ge_frombytes_negate_vartime(&A, public_key) != 0) {
59	0		return 0;
60			}
61
62	1564		sha512_init(&hash);
63	1564		sha512_update(&hash, signature, 32);
64	1564		sha512_update(&hash, public_key, 32);
65	1564		sha512_update(&hash, message, message_len);
66	1564		sha512_final(&hash, h);
67
68	1564		sc_reduce(h);
69	1564		ge_double_scalarmult_vartime(&R, h, &A, signature + 32);
70	1564		ge_tobytes(checker, &R);
71
72	1564	100	if (!consttime_equal(checker, signature)) {
73	782		return 0;
74			}
75
76	1564		return 1;
77			}