File Coverage

line	stmt	bran	code
1			#include "ed25519.h"
2			#include "sha512.h"
3			#include "ge.h"
4			#include "sc.h"
5
6	1		static int consttime_equal(const unsigned char x, const unsigned char y) {
7	1		unsigned char r = 0;
8
9	1		r = x[0] ^ y[0];
10			#define F(i) r \|= x[i] ^ y[i]
11	1		F(1);
12	1		F(2);
13	1		F(3);
14	1		F(4);
15	1		F(5);
16	1		F(6);
17	1		F(7);
18	1		F(8);
19	1		F(9);
20	1		F(10);
21	1		F(11);
22	1		F(12);
23	1		F(13);
24	1		F(14);
25	1		F(15);
26	1		F(16);
27	1		F(17);
28	1		F(18);
29	1		F(19);
30	1		F(20);
31	1		F(21);
32	1		F(22);
33	1		F(23);
34	1		F(24);
35	1		F(25);
36	1		F(26);
37	1		F(27);
38	1		F(28);
39	1		F(29);
40	1		F(30);
41	1		F(31);
42			#undef F
43
44	1		return !r;
45			}
46
47	1		int ed25519_verify(const unsigned char signature, const unsigned char message, size_t message_len, const unsigned char *public_key) {
48			unsigned char h[64];
49			unsigned char checker[32];
50			sha512_context hash;
51			ge_p3 A;
52			ge_p2 R;
53
54	1	50	if (signature[63] & 224) {
55	0		return 0;
56			}
57
58	1	50	if (ge_frombytes_negate_vartime(&A, public_key) != 0) {
59	0		return 0;
60			}
61
62	1		sha512_init(&hash);
63	1		sha512_update(&hash, signature, 32);
64	1		sha512_update(&hash, public_key, 32);
65	1		sha512_update(&hash, message, message_len);
66	1		sha512_final(&hash, h);
67
68	1		sc_reduce(h);
69	1		ge_double_scalarmult_vartime(&R, h, &A, signature + 32);
70	1		ge_tobytes(checker, &R);
71
72	1	50	if (!consttime_equal(checker, signature)) {
73	0		return 0;
74			}
75
76	1		return 1;
77			}