X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/d56fd9d102115283485493dbe56b0d320ac99097..HEAD:/pub/ed25519.h

diff --git a/pub/ed25519.h b/pub/ed25519.h
index 2fc74447..ac54df7f 100644
--- a/pub/ed25519.h
+++ b/pub/ed25519.h
@@ -44,6 +44,10 @@
  * https://ed25519.cr.yp.to/eddsa-20150704.pdf.  HashEdEDSA can be
  * implemented easily by presenting a hash of a message to the functions
  * here, as the message to be signed or verified.
+ *
+ * It also implements `Ed25519ctx' and `Ed25519ph' as described in RFC8032,
+ * though in the latter case it assumes that you've already done the hashing
+ * and have provided the hash as the `message' input.
  */
 
 /*----- Header files ------------------------------------------------------*/
@@ -60,6 +64,8 @@
 #define ED25519_PUBSZ 32u
 #define ED25519_SIGSZ 64u
 
+#define ED25519_MAXPERSOSZ 255u
+
 /*----- Key fetching ------------------------------------------------------*/
 
 typedef struct ed25519_priv { key_bin priv, pub; } ed25519_priv;
@@ -85,28 +91,46 @@ extern const key_fetchdef ed25519_pubfetch[], ed25519_privfetch[];
 extern void ed25519_pubkey(octet /*K*/[ED25519_PUBSZ],
 			   const void */*k*/, size_t /*ksz*/);
 
-/* --- @ed25519_sign@ --- *
+/* --- @ed25519_sign@, @ed25519ctx_sign@ --- *
  *
  * Arguments:	@octet sig[ED25519_SIGSZ]@ = where to put the signature
  *		@const void *k@ = private key
  *		@size_t ksz@ = length of private key
  *		@const octet K[ED25519_PUBSZ]@ = public key
+ *		@int phflag@ = whether the `message' has been hashed already
+ *		@const void *p@ = personalization string
+ *		@size_t psz@ = length of personalization string
  *		@const void *m@ = message to sign
  *		@size_t msz@ = length of message
  *
  * Returns:	---
  *
  * Use:		Signs a message.
+ *
+ *		In @ed25519ctx_sign@, if @phflag@ is @-1@ then you get plain
+ *		old Ed25519: the personalization string pointer @p@ will be
+ *		ignored.  If @phflag > 0@ then the `message' @m@ should be a
+ *		SHA512 hash of the actual message.
  */
 
+extern void ed25519ctx_sign(octet /*sig*/[ED25519_SIGSZ],
+			    const void */*k*/, size_t /*ksz*/,
+			    const octet /*K*/[ED25519_PUBSZ],
+			    int /*phflag*/,
+			    const void */*p*/, size_t /*psz*/,
+			    const void */*m*/, size_t /*msz*/);
+
 extern void ed25519_sign(octet /*sig*/[ED25519_SIGSZ],
 			 const void */*k*/, size_t /*ksz*/,
 			 const octet /*K*/[ED25519_PUBSZ],
 			 const void */*m*/, size_t /*msz*/);
 
-/* --- @ed25519_verify@ --- *
+/* --- @ed25519_verify@, @ed25519ctx_verify@ --- *
  *
  * Arguments:	@const octet K[ED25519_PUBSZ]@ = public key
+ *		@int phflag@ = whether the `message' has been hashed already
+ *		@const void *p@ = personalization string
+ *		@size_t psz@ = length of personalization string
  *		@const void *m@ = message to sign
  *		@size_t msz@ = length of message
  *		@const octet sig[ED25519_SIGSZ]@ = signature
@@ -114,8 +138,19 @@ extern void ed25519_sign(octet /*sig*/[ED25519_SIGSZ],
  * Returns:	Zero if OK, negative on failure.
  *
  * Use:		Verify a signature.
+ *
+ *		In @ed25519ctx_verify@, if @phflag@ is @-1@ then you get
+ *		plain old Ed25519: the personalization string pointer @p@
+ *		will be ignored.  If @phflag > 0@ then the `message' @m@
+ *		should be a SHA512 hash of the actual message.
  */
 
+extern int ed25519ctx_verify(const octet /*K*/[ED25519_PUBSZ],
+			     int /*phflag*/,
+			     const void */*p*/, size_t /*psz*/,
+			     const void */*m*/, size_t /*msz*/,
+			     const octet /*sig*/[ED25519_SIGSZ]);
+
 extern int ed25519_verify(const octet /*K*/[ED25519_PUBSZ],
 			  const void */*m*/, size_t /*msz*/,
 			  const octet /*sig*/[ED25519_SIGSZ]);