* https://ed25519.cr.yp.to/eddsa-20150704.pdf. HashEdEDSA can be
* implemented easily by presenting a hash of a message to the functions
* here, as the message to be signed or verified.
+ *
+ * It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
+ * though in the latter case it assumes that you've already done the hashing
+ * and have provided the hash as the `message' input.
*/
/*----- Header files ------------------------------------------------------*/
#define ED25519_PUBSZ 32u
#define ED25519_SIGSZ 64u
+#define ED25519_MAXPERSOSZ 255u
+
/*----- Key fetching ------------------------------------------------------*/
typedef struct ed25519_priv { key_bin priv, pub; } ed25519_priv;
extern void ed25519_pubkey(octet /*K*/[ED25519_PUBSZ],
const void */*k*/, size_t /*ksz*/);
-/* --- @ed25519_sign@ --- *
+/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
*
* Arguments: @octet sig[ED25519_SIGSZ]@ = where to put the signature
* @const void *k@ = private key
* @size_t ksz@ = length of private key
* @const octet K[ED25519_PUBSZ]@ = public key
+ * @int phflag@ = whether the `message' has been hashed already
+ * @const void *p@ = personalization string
+ * @size_t psz@ = length of personalization string
* @const void *m@ = message to sign
* @size_t msz@ = length of message
*
* Returns: ---
*
* Use: Signs a message.
+ *
+ * In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
+ * old Ed25519: the personalization string pointer @p@ will be
+ * ignored. If @phflag > 0@ then the `message' @m@ should be a
+ * SHA512 hash of the actual message.
*/
+extern void ed25519ctx_sign(octet /*sig*/[ED25519_SIGSZ],
+ const void */*k*/, size_t /*ksz*/,
+ const octet /*K*/[ED25519_PUBSZ],
+ int /*phflag*/,
+ const void */*p*/, size_t /*psz*/,
+ const void */*m*/, size_t /*msz*/);
+
extern void ed25519_sign(octet /*sig*/[ED25519_SIGSZ],
const void */*k*/, size_t /*ksz*/,
const octet /*K*/[ED25519_PUBSZ],
const void */*m*/, size_t /*msz*/);
-/* --- @ed25519_verify@ --- *
+/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
*
* Arguments: @const octet K[ED25519_PUBSZ]@ = public key
+ * @int phflag@ = whether the `message' has been hashed already
+ * @const void *p@ = personalization string
+ * @size_t psz@ = length of personalization string
* @const void *m@ = message to sign
* @size_t msz@ = length of message
* @const octet sig[ED25519_SIGSZ]@ = signature
* Returns: Zero if OK, negative on failure.
*
* Use: Verify a signature.
+ *
+ * In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
+ * plain old Ed25519: the personalization string pointer @p@
+ * will be ignored. If @phflag > 0@ then the `message' @m@
+ * should be a SHA512 hash of the actual message.
*/
+extern int ed25519ctx_verify(const octet /*K*/[ED25519_PUBSZ],
+ int /*phflag*/,
+ const void */*p*/, size_t /*psz*/,
+ const void */*m*/, size_t /*msz*/,
+ const octet /*sig*/[ED25519_SIGSZ]);
+
extern int ed25519_verify(const octet /*K*/[ED25519_PUBSZ],
const void */*m*/, size_t /*msz*/,
const octet /*sig*/[ED25519_SIGSZ]);