1 files changed, 530 insertions, 0 deletions
diff --git a/src/util/tweetnacl-gnunet.c b/src/util/tweetnacl-gnunet.c
new file mode 100644
index 000000000..b0d87c2fe
--- /dev/null
+++ b/src/util/tweetnacl-gnunet.c
@@ -0,0 +1,530 @@
+/*
+      This file has been placed in the public domain.
+      Based on TweetNaCl version 20140427
+      Originally obtained from:
+      https://tweetnacl.cr.yp.to/20140427/tweetnacl.h
+*/
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+#include "tweetnacl-gnunet.h"
+#define FOR(i,n) for (i = 0; i < n; ++i)
+#define sv static void
+typedef uint8_t u8;
+typedef uint32_t u32;
+typedef uint64_t u64;
+typedef int64_t i64;
+typedef i64 gf[16];
+static void randombytes (u8 *data,u64 len)
+{
+  GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, data, len);
+}
+static const u8 _9[32] = {9};
+static const gf
+  gf0,
+  gf1 = {1},
+  _121665 = {0xDB41,1},
+  D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898,
+       0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
+  D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130,
+        0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
+  X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c,
+       0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
+  Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666,
+       0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
+  I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7,
+       0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
+static int vn (const u8 *x,const u8 *y,int n)
+{
+  u32 i,d = 0;
+  FOR (i,n) d |= x[i] ^ y[i];
+  return (1 & ((d - 1) >> 8)) - 1;
+}
+int crypto_verify_16 (const u8 *x,const u8 *y)
+{
+  return vn (x,y,16);
+}
+int crypto_verify_32 (const u8 *x,const u8 *y)
+{
+  return vn (x,y,32);
+}
+sv set25519 (gf r, const gf a)
+{
+  int i;
+  FOR (i,16) r[i] = a[i];
+}
+sv car25519 (gf o)
+{
+  int i;
+  i64 c;
+  FOR (i,16) {
+    o[i] += (1LL << 16);
+    c = o[i] >> 16;
+    o[(i + 1) * (i<15)] += c - 1 + 37 * (c - 1) * (i==15);
+    o[i] -= c << 16;
+  }
+}
+sv sel25519 (gf p,gf q,int b)
+{
+  i64 t,i,c = ~(b - 1);
+  FOR (i,16) {
+    t = c & (p[i] ^ q[i]);
+    p[i] ^= t;
+    q[i] ^= t;
+  }
+}
+sv pack25519 (u8 *o,const gf n)
+{
+  int i,j,b;
+  gf m,t;
+  FOR (i,16) t[i] = n[i];
+  car25519 (t);
+  car25519 (t);
+  car25519 (t);
+  FOR (j,2) {
+    m[0] = t[0] - 0xffed;
+    for (i = 1; i<15; i++) {
+      m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
+      m[i - 1] &= 0xffff;
+    }
+    m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
+    b = (m[15] >> 16) & 1;
+    m[14] &= 0xffff;
+    sel25519 (t,m,1 - b);
+  }
+  FOR (i,16) {
+    o[2 * i] = t[i] & 0xff;
+    o[2 * i + 1] = t[i] >> 8;
+  }
+}
+static int neq25519 (const gf a, const gf b)
+{
+  u8 c[32],d[32];
+  pack25519 (c,a);
+  pack25519 (d,b);
+  return crypto_verify_32 (c,d);
+}
+static u8 par25519 (const gf a)
+{
+  u8 d[32];
+  pack25519 (d,a);
+  return d[0] & 1;
+}
+sv unpack25519 (gf o, const u8 *n)
+{
+  int i;
+  FOR (i,16) o[i] = n[2 * i] + ((i64) n[2 * i + 1] << 8);
+  o[15] &= 0x7fff;
+}
+sv A (gf o,const gf a,const gf b)
+{
+  int i;
+  FOR (i,16) o[i] = a[i] + b[i];
+}
+sv Z (gf o,const gf a,const gf b)
+{
+  int i;
+  FOR (i,16) o[i] = a[i] - b[i];
+}
+sv M (gf o,const gf a,const gf b)
+{
+  i64 i,j,t[31];
+  FOR (i,31) t[i] = 0;
+  FOR (i,16) FOR (j,16) t[i + j] += a[i] * b[j];
+  FOR (i,15) t[i] += 38 * t[i + 16];
+  FOR (i,16) o[i] = t[i];
+  car25519 (o);
+  car25519 (o);
+}
+sv S (gf o,const gf a)
+{
+  M (o,a,a);
+}
+sv inv25519 (gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR (a,16) c[a] = i[a];
+  for (a = 253; a>=0; a--) {
+    S (c,c);
+    if ((a!=2)&&(a!=4))
+      M (c,c,i);
+  }
+  FOR (a,16) o[a] = c[a];
+}
+sv pow2523 (gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR (a,16) c[a] = i[a];
+  for (a = 250; a>=0; a--) {
+    S (c,c);
+    if (a!=1)
+      M (c,c,i);
+  }
+  FOR (a,16) o[a] = c[a];
+}
+int crypto_scalarmult (u8 *q,const u8 *n,const u8 *p)
+{
+  u8 z[32];
+  i64 x[80],r,i;
+  gf a,b,c,d,e,f;
+  FOR (i,31) z[i] = n[i];
+  z[31] = (n[31] & 127) | 64;
+  z[0] &= 248;
+  unpack25519 (x,p);
+  FOR (i,16) {
+    b[i] = x[i];
+    d[i] = a[i] = c[i] = 0;
+  }
+  a[0] = d[0] = 1;
+  for (i = 254; i>=0; --i) {
+    r = (z[i >> 3] >> (i & 7)) & 1;
+    sel25519 (a,b,r);
+    sel25519 (c,d,r);
+    A (e,a,c);
+    Z (a,a,c);
+    A (c,b,d);
+    Z (b,b,d);
+    S (d,e);
+    S (f,a);
+    M (a,c,a);
+    M (c,b,e);
+    A (e,a,c);
+    Z (a,a,c);
+    S (b,a);
+    Z (c,d,f);
+    M (a,c,_121665);
+    A (a,a,d);
+    M (c,c,a);
+    M (a,d,f);
+    M (d,b,x);
+    S (b,e);
+    sel25519 (a,b,r);
+    sel25519 (c,d,r);
+  }
+  FOR (i,16) {
+    x[i + 16] = a[i];
+    x[i + 32] = c[i];
+    x[i + 48] = b[i];
+    x[i + 64] = d[i];
+  }
+  inv25519 (x + 32,x + 32);
+  M (x + 16,x + 16,x + 32);
+  pack25519 (q,x + 16);
+  return 0;
+}
+int crypto_scalarmult_base (u8 *q,const u8 *n)
+{
+  return crypto_scalarmult (q,n,_9);
+}
+int crypto_box_keypair (u8 *y,u8 *x)
+{
+  randombytes (x,32);
+  return crypto_scalarmult_base (y,x);
+}
+int crypto_hash (u8 *out,const u8 *m,u64 n)
+{
+  struct GNUNET_HashCode *hc = (void *) out;
+  GNUNET_CRYPTO_hash (m, n, hc);
+  return 0;
+}
+sv add (gf p[4],gf q[4])
+{
+  gf a,b,c,d,t,e,f,g,h;
+  Z (a, p[1], p[0]);
+  Z (t, q[1], q[0]);
+  M (a, a, t);
+  A (b, p[0], p[1]);
+  A (t, q[0], q[1]);
+  M (b, b, t);
+  M (c, p[3], q[3]);
+  M (c, c, D2);
+  M (d, p[2], q[2]);
+  A (d, d, d);
+  Z (e, b, a);
+  Z (f, d, c);
+  A (g, d, c);
+  A (h, b, a);
+  M (p[0], e, f);
+  M (p[1], h, g);
+  M (p[2], g, f);
+  M (p[3], e, h);
+}
+sv cswap (gf p[4],gf q[4],u8 b)
+{
+  int i;
+  FOR (i,4)
+  sel25519 (p[i],q[i],b);
+}
+sv pack (u8 *r,gf p[4])
+{
+  gf tx, ty, zi;
+  inv25519 (zi, p[2]);
+  M (tx, p[0], zi);
+  M (ty, p[1], zi);
+  pack25519 (r, ty);
+  r[31] ^= par25519 (tx) << 7;
+}
+sv scalarmult (gf p[4],gf q[4],const u8 *s)
+{
+  int i;
+  set25519 (p[0],gf0);
+  set25519 (p[1],gf1);
+  set25519 (p[2],gf1);
+  set25519 (p[3],gf0);
+  for (i = 255; i >= 0; --i) {
+    u8 b = (s[i / 8] >> (i & 7)) & 1;
+    cswap (p,q,b);
+    add (q,p);
+    add (p,p);
+    cswap (p,q,b);
+  }
+}
+sv scalarbase (gf p[4],const u8 *s)
+{
+  gf q[4];
+  set25519 (q[0],X);
+  set25519 (q[1],Y);
+  set25519 (q[2],gf1);
+  M (q[3],X,Y);
+  scalarmult (p,q,s);
+}
+static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6,
+                          0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0,
+                          0, 0, 0, 0, 0, 0, 0, 0,
+                          0, 0, 0, 0x10};
+sv modL (u8 *r,i64 x[64])
+{
+  i64 carry,i,j;
+  for (i = 63; i >= 32; --i) {
+    carry = 0;
+    for (j = i - 32; j < i - 12; ++j) {
+      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
+      carry = (x[j] + 128) >> 8;
+      x[j] -= carry << 8;
+    }
+    x[j] += carry;
+    x[i] = 0;
+  }
+  carry = 0;
+  FOR (j,32) {
+    x[j] += carry - (x[31] >> 4) * L[j];
+    carry = x[j] >> 8;
+    x[j] &= 255;
+  }
+  FOR (j,32) x[j] -= carry * L[j];
+  FOR (i,32) {
+    x[i + 1] += x[i] >> 8;
+    r[i] = x[i] & 255;
+  }
+}
+sv reduce (u8 *r)
+{
+  i64 x[64],i;
+  FOR (i,64) x[i] = (u64) r[i];
+  FOR (i,64) r[i] = 0;
+  modL (r,x);
+}
+static int unpackneg (gf r[4],const u8 p[32])
+{
+  gf t, chk, num, den, den2, den4, den6;
+  set25519 (r[2],gf1);
+  unpack25519 (r[1],p);
+  S (num,r[1]);
+  M (den,num,D);
+  Z (num,num,r[2]);
+  A (den,r[2],den);
+  S (den2,den);
+  S (den4,den2);
+  M (den6,den4,den2);
+  M (t,den6,num);
+  M (t,t,den);
+  pow2523 (t,t);
+  M (t,t,num);
+  M (t,t,den);
+  M (t,t,den);
+  M (r[0],t,den);
+  S (chk,r[0]);
+  M (chk,chk,den);
+  if (neq25519 (chk, num))
+    M (r[0],r[0],I);
+  S (chk,r[0]);
+  M (chk,chk,den);
+  if (neq25519 (chk, num))
+    return -1;
+  if (par25519 (r[0]) == (p[31] >> 7))
+    Z (r[0],gf0,r[0]);
+  M (r[3],r[0],r[1]);
+  return 0;
+}
+/* The following functions have been added for GNUnet */
+void
+crypto_sign_pk_from_seed (u8 *pk, const u8 *seed)
+{
+  u8 d[64];
+  gf p[4];
+  crypto_hash (d, seed, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+  scalarbase (p,d);
+  pack (pk,p);
+}
+void
+crypto_sign_sk_from_seed (u8 *sk, const u8 *seed)
+{
+  u8 d[64];
+  gf p[4];
+  u8 pk[32];
+  int i;
+  crypto_hash (d, seed, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+  scalarbase (p,d);
+  pack (pk,p);
+  FOR (i,32) sk[i] = seed[i];
+  FOR (i,32) sk[32 + i] = pk[i];
+}
+int
+crypto_sign_ed25519_pk_to_curve25519 (u8 *x25519_pk, const u8 *ed25519_pk)
+{
+  gf ge_a[4];
+  gf x;
+  gf one_minus_y;
+  if (0 != unpackneg (ge_a, ed25519_pk))
+    return -1;
+  set25519 (one_minus_y, gf1);
+  Z (one_minus_y, one_minus_y, ge_a[1]);
+  set25519 (x, gf1);
+  A (x, x, ge_a[1]);
+  inv25519 (one_minus_y, one_minus_y);
+  M (x, x, one_minus_y);
+  pack25519 (x25519_pk, x);
+  return 0;
+}
+int crypto_sign_detached_verify (const u8 *sig,const u8 *m,u64 n,const u8 *pk)
+{
+  struct GNUNET_HashContext *hc;
+  u8 t[32],h[64];
+  gf p[4],q[4];
+  if (unpackneg (q,pk))
+    return -1;
+  hc = GNUNET_CRYPTO_hash_context_start ();
+  GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
+  GNUNET_CRYPTO_hash_context_read (hc, pk, 32);
+  GNUNET_CRYPTO_hash_context_read (hc, m, n);
+  GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
+  reduce (h);
+  scalarmult (p,q,h);
+  scalarbase (q,sig+32);
+  add (p,q);
+  pack (t,p);
+  if (crypto_verify_32 (sig, t))
+    return -1;
+  return 0;
+}
+int
+crypto_sign_detached (u8 *sig,const u8 *m,u64 n,const u8 *sk)
+{
+  struct GNUNET_HashContext *hc;
+  u8 d[64],h[64],r[64];
+  i64 i,j,x[64];
+  gf p[4];
+  crypto_hash (d, sk, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+  hc = GNUNET_CRYPTO_hash_context_start ();
+  GNUNET_CRYPTO_hash_context_read (hc, d + 32, 32);
+  GNUNET_CRYPTO_hash_context_read (hc, m, n);
+  GNUNET_CRYPTO_hash_context_finish (hc, (void *) r);
+  reduce (r);
+  scalarbase (p,r);
+  pack (sig,p);
+  hc = GNUNET_CRYPTO_hash_context_start ();
+  GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
+  GNUNET_CRYPTO_hash_context_read (hc, sk + 32, 32);
+  GNUNET_CRYPTO_hash_context_read (hc, m, n);
+  GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
+  reduce (h);
+  FOR (i,64) x[i] = 0;
+  FOR (i,32) x[i] = (u64) r[i];
+  FOR (i,32) FOR (j,32) x[i + j] += h[i] * (u64) d[j];
+  modL (sig + 32,x);
+  return 0;
+}

diff --git a/src/util/tweetnacl-gnunet.c b/src/util/tweetnacl-gnunet.c new file mode 100644 index 000000000..b0d87c2fe --- /dev/null +++ b/src/util/tweetnacl-gnunet.c
@@ -0,0 +1,530 @@
	1	/*
	2	This file has been placed in the public domain.
	3
	4	Based on TweetNaCl version 20140427
	5
	6	Originally obtained from:
	7	https://tweetnacl.cr.yp.to/20140427/tweetnacl.h
	8	*/
	9
	10	#include "platform.h"
	11	#include "gnunet_crypto_lib.h"
	12	#include "tweetnacl-gnunet.h"
	13	#define FOR(i,n) for (i = 0; i < n; ++i)
	14	#define sv static void
	15
	16	typedef uint8_t u8;
	17	typedef uint32_t u32;
	18	typedef uint64_t u64;
	19	typedef int64_t i64;
	20	typedef i64 gf[16];
	21
	22	static void randombytes (u8 *data,u64 len)
	23	{
	24	GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE, data, len);
	25	}
	26
	27	static const u8 _9[32] = {9};
	28	static const gf
	29	gf0,
	30	gf1 = {1},
	31	_121665 = {0xDB41,1},
	32	D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898,
	33	0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
	34	D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130,
	35	0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
	36	X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c,
	37	0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
	38	Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666,
	39	0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
	40	I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7,
	41	0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
	42
	43	static int vn (const u8 x,const u8 y,int n)
	44	{
	45	u32 i,d = 0;
	46	FOR (i,n) d \|= x[i] ^ y[i];
	47	return (1 & ((d - 1) >> 8)) - 1;
	48	}
	49
	50	int crypto_verify_16 (const u8 x,const u8 y)
	51	{
	52	return vn (x,y,16);
	53	}
	54
	55	int crypto_verify_32 (const u8 x,const u8 y)
	56	{
	57	return vn (x,y,32);
	58	}
	59
	60	sv set25519 (gf r, const gf a)
	61	{
	62	int i;
	63	FOR (i,16) r[i] = a[i];
	64	}
	65
	66	sv car25519 (gf o)
	67	{
	68	int i;
	69	i64 c;
	70	FOR (i,16) {
	71	o[i] += (1LL << 16);
	72	c = o[i] >> 16;
	73	o[(i + 1) * (i<15)] += c - 1 + 37 * (c - 1) * (i==15);
	74	o[i] -= c << 16;
	75	}
	76	}
	77
	78	sv sel25519 (gf p,gf q,int b)
	79	{
	80	i64 t,i,c = ~(b - 1);
	81	FOR (i,16) {
	82	t = c & (p[i] ^ q[i]);
	83	p[i] ^= t;
	84	q[i] ^= t;
	85	}
	86	}
	87
	88	sv pack25519 (u8 *o,const gf n)
	89	{
	90	int i,j,b;
	91	gf m,t;
	92	FOR (i,16) t[i] = n[i];
	93	car25519 (t);
	94	car25519 (t);
	95	car25519 (t);
	96	FOR (j,2) {
	97	m[0] = t[0] - 0xffed;
	98	for (i = 1; i<15; i++) {
	99	m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
	100	m[i - 1] &= 0xffff;
	101	}
	102	m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
	103	b = (m[15] >> 16) & 1;
	104	m[14] &= 0xffff;
	105	sel25519 (t,m,1 - b);
	106	}
	107	FOR (i,16) {
	108	o[2 * i] = t[i] & 0xff;
	109	o[2 * i + 1] = t[i] >> 8;
	110	}
	111	}
	112
	113	static int neq25519 (const gf a, const gf b)
	114	{
	115	u8 c[32],d[32];
	116	pack25519 (c,a);
	117	pack25519 (d,b);
	118	return crypto_verify_32 (c,d);
	119	}
	120
	121	static u8 par25519 (const gf a)
	122	{
	123	u8 d[32];
	124	pack25519 (d,a);
	125	return d[0] & 1;
	126	}
	127
	128	sv unpack25519 (gf o, const u8 *n)
	129	{
	130	int i;
	131	FOR (i,16) o[i] = n[2 * i] + ((i64) n[2 * i + 1] << 8);
	132	o[15] &= 0x7fff;
	133	}
	134
	135	sv A (gf o,const gf a,const gf b)
	136	{
	137	int i;
	138	FOR (i,16) o[i] = a[i] + b[i];
	139	}
	140
	141	sv Z (gf o,const gf a,const gf b)
	142	{
	143	int i;
	144	FOR (i,16) o[i] = a[i] - b[i];
	145	}
	146
	147	sv M (gf o,const gf a,const gf b)
	148	{
	149	i64 i,j,t[31];
	150	FOR (i,31) t[i] = 0;
	151	FOR (i,16) FOR (j,16) t[i + j] += a[i] * b[j];
	152	FOR (i,15) t[i] += 38 * t[i + 16];
	153	FOR (i,16) o[i] = t[i];
	154	car25519 (o);
	155	car25519 (o);
	156	}
	157
	158	sv S (gf o,const gf a)
	159	{
	160	M (o,a,a);
	161	}
	162
	163	sv inv25519 (gf o,const gf i)
	164	{
	165	gf c;
	166	int a;
	167	FOR (a,16) c[a] = i[a];
	168	for (a = 253; a>=0; a--) {
	169	S (c,c);
	170	if ((a!=2)&&(a!=4))
	171	M (c,c,i);
	172	}
	173	FOR (a,16) o[a] = c[a];
	174	}
	175
	176	sv pow2523 (gf o,const gf i)
	177	{
	178	gf c;
	179	int a;
	180	FOR (a,16) c[a] = i[a];
	181	for (a = 250; a>=0; a--) {
	182	S (c,c);
	183	if (a!=1)
	184	M (c,c,i);
	185	}
	186	FOR (a,16) o[a] = c[a];
	187	}
	188
	189	int crypto_scalarmult (u8 q,const u8 n,const u8 *p)
	190	{
	191	u8 z[32];
	192	i64 x[80],r,i;
	193	gf a,b,c,d,e,f;
	194	FOR (i,31) z[i] = n[i];
	195	z[31] = (n[31] & 127) \| 64;
	196	z[0] &= 248;
	197	unpack25519 (x,p);
	198	FOR (i,16) {
	199	b[i] = x[i];
	200	d[i] = a[i] = c[i] = 0;
	201	}
	202	a[0] = d[0] = 1;
	203	for (i = 254; i>=0; --i) {
	204	r = (z[i >> 3] >> (i & 7)) & 1;
	205	sel25519 (a,b,r);
	206	sel25519 (c,d,r);
	207	A (e,a,c);
	208	Z (a,a,c);
	209	A (c,b,d);
	210	Z (b,b,d);
	211	S (d,e);
	212	S (f,a);
	213	M (a,c,a);
	214	M (c,b,e);
	215	A (e,a,c);
	216	Z (a,a,c);
	217	S (b,a);
	218	Z (c,d,f);
	219	M (a,c,_121665);
	220	A (a,a,d);
	221	M (c,c,a);
	222	M (a,d,f);
	223	M (d,b,x);
	224	S (b,e);
	225	sel25519 (a,b,r);
	226	sel25519 (c,d,r);
	227	}
	228	FOR (i,16) {
	229	x[i + 16] = a[i];
	230	x[i + 32] = c[i];
	231	x[i + 48] = b[i];
	232	x[i + 64] = d[i];
	233	}
	234	inv25519 (x + 32,x + 32);
	235	M (x + 16,x + 16,x + 32);
	236	pack25519 (q,x + 16);
	237	return 0;
	238	}
	239
	240	int crypto_scalarmult_base (u8 q,const u8 n)
	241	{
	242	return crypto_scalarmult (q,n,_9);
	243	}
	244
	245	int crypto_box_keypair (u8 y,u8 x)
	246	{
	247	randombytes (x,32);
	248	return crypto_scalarmult_base (y,x);
	249	}
	250
	251	int crypto_hash (u8 out,const u8 m,u64 n)
	252	{
	253	struct GNUNET_HashCode hc = (void ) out;
	254	GNUNET_CRYPTO_hash (m, n, hc);
	255	return 0;
	256	}
	257
	258	sv add (gf p[4],gf q[4])
	259	{
	260	gf a,b,c,d,t,e,f,g,h;
	261
	262	Z (a, p[1], p[0]);
	263	Z (t, q[1], q[0]);
	264	M (a, a, t);
	265	A (b, p[0], p[1]);
	266	A (t, q[0], q[1]);
	267	M (b, b, t);
	268	M (c, p[3], q[3]);
	269	M (c, c, D2);
	270	M (d, p[2], q[2]);
	271	A (d, d, d);
	272	Z (e, b, a);
	273	Z (f, d, c);
	274	A (g, d, c);
	275	A (h, b, a);
	276
	277	M (p[0], e, f);
	278	M (p[1], h, g);
	279	M (p[2], g, f);
	280	M (p[3], e, h);
	281	}
	282
	283	sv cswap (gf p[4],gf q[4],u8 b)
	284	{
	285	int i;
	286	FOR (i,4)
	287	sel25519 (p[i],q[i],b);
	288	}
	289
	290	sv pack (u8 *r,gf p[4])
	291	{
	292	gf tx, ty, zi;
	293	inv25519 (zi, p[2]);
	294	M (tx, p[0], zi);
	295	M (ty, p[1], zi);
	296	pack25519 (r, ty);
	297	r[31] ^= par25519 (tx) << 7;
	298	}
	299
	300	sv scalarmult (gf p[4],gf q[4],const u8 *s)
	301	{
	302	int i;
	303	set25519 (p[0],gf0);
	304	set25519 (p[1],gf1);
	305	set25519 (p[2],gf1);
	306	set25519 (p[3],gf0);
	307	for (i = 255; i >= 0; --i) {
	308	u8 b = (s[i / 8] >> (i & 7)) & 1;
	309	cswap (p,q,b);
	310	add (q,p);
	311	add (p,p);
	312	cswap (p,q,b);
	313	}
	314	}
	315
	316	sv scalarbase (gf p[4],const u8 *s)
	317	{
	318	gf q[4];
	319	set25519 (q[0],X);
	320	set25519 (q[1],Y);
	321	set25519 (q[2],gf1);
	322	M (q[3],X,Y);
	323	scalarmult (p,q,s);
	324	}
	325
	326	static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6,
	327	0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0,
	328	0, 0, 0, 0, 0, 0, 0, 0,
	329	0, 0, 0, 0x10};
	330
	331	sv modL (u8 *r,i64 x[64])
	332	{
	333	i64 carry,i,j;
	334	for (i = 63; i >= 32; --i) {
	335	carry = 0;
	336	for (j = i - 32; j < i - 12; ++j) {
	337	x[j] += carry - 16 * x[i] * L[j - (i - 32)];
	338	carry = (x[j] + 128) >> 8;
	339	x[j] -= carry << 8;
	340	}
	341	x[j] += carry;
	342	x[i] = 0;
	343	}
	344	carry = 0;
	345	FOR (j,32) {
	346	x[j] += carry - (x[31] >> 4) * L[j];
	347	carry = x[j] >> 8;
	348	x[j] &= 255;
	349	}
	350	FOR (j,32) x[j] -= carry * L[j];
	351	FOR (i,32) {
	352	x[i + 1] += x[i] >> 8;
	353	r[i] = x[i] & 255;
	354	}
	355	}
	356
	357	sv reduce (u8 *r)
	358	{
	359	i64 x[64],i;
	360	FOR (i,64) x[i] = (u64) r[i];
	361	FOR (i,64) r[i] = 0;
	362	modL (r,x);
	363	}
	364
	365	static int unpackneg (gf r[4],const u8 p[32])
	366	{
	367	gf t, chk, num, den, den2, den4, den6;
	368	set25519 (r[2],gf1);
	369	unpack25519 (r[1],p);
	370	S (num,r[1]);
	371	M (den,num,D);
	372	Z (num,num,r[2]);
	373	A (den,r[2],den);
	374
	375	S (den2,den);
	376	S (den4,den2);
	377	M (den6,den4,den2);
	378	M (t,den6,num);
	379	M (t,t,den);
	380
	381	pow2523 (t,t);
	382	M (t,t,num);
	383	M (t,t,den);
	384	M (t,t,den);
	385	M (r[0],t,den);
	386
	387	S (chk,r[0]);
	388	M (chk,chk,den);
	389	if (neq25519 (chk, num))
	390	M (r[0],r[0],I);
	391
	392	S (chk,r[0]);
	393	M (chk,chk,den);
	394	if (neq25519 (chk, num))
	395	return -1;
	396
	397	if (par25519 (r[0]) == (p[31] >> 7))
	398	Z (r[0],gf0,r[0]);
	399
	400	M (r[3],r[0],r[1]);
	401	return 0;
	402	}
	403
	404	/* The following functions have been added for GNUnet */
	405
	406	void
	407	crypto_sign_pk_from_seed (u8 pk, const u8 seed)
	408	{
	409	u8 d[64];
	410	gf p[4];
	411
	412	crypto_hash (d, seed, 32);
	413	d[0] &= 248;
	414	d[31] &= 127;
	415	d[31] \|= 64;
	416
	417	scalarbase (p,d);
	418	pack (pk,p);
	419	}
	420
	421	void
	422	crypto_sign_sk_from_seed (u8 sk, const u8 seed)
	423	{
	424	u8 d[64];
	425	gf p[4];
	426	u8 pk[32];
	427	int i;
	428
	429	crypto_hash (d, seed, 32);
	430	d[0] &= 248;
	431	d[31] &= 127;
	432	d[31] \|= 64;
	433
	434	scalarbase (p,d);
	435	pack (pk,p);
	436
	437	FOR (i,32) sk[i] = seed[i];
	438	FOR (i,32) sk[32 + i] = pk[i];
	439	}
	440
	441
	442	int
	443	crypto_sign_ed25519_pk_to_curve25519 (u8 x25519_pk, const u8 ed25519_pk)
	444	{
	445	gf ge_a[4];
	446	gf x;
	447	gf one_minus_y;
	448
	449	if (0 != unpackneg (ge_a, ed25519_pk))
	450	return -1;
	451
	452	set25519 (one_minus_y, gf1);
	453	Z (one_minus_y, one_minus_y, ge_a[1]);
	454
	455	set25519 (x, gf1);
	456	A (x, x, ge_a[1]);
	457
	458	inv25519 (one_minus_y, one_minus_y);
	459	M (x, x, one_minus_y);
	460	pack25519 (x25519_pk, x);
	461
	462	return 0;
	463	}
	464
	465
	466	int crypto_sign_detached_verify (const u8 sig,const u8 m,u64 n,const u8 *pk)
	467	{
	468	struct GNUNET_HashContext *hc;
	469	u8 t[32],h[64];
	470	gf p[4],q[4];
	471
	472	if (unpackneg (q,pk))
	473	return -1;
	474
	475	hc = GNUNET_CRYPTO_hash_context_start ();
	476	GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
	477	GNUNET_CRYPTO_hash_context_read (hc, pk, 32);
	478	GNUNET_CRYPTO_hash_context_read (hc, m, n);
	479	GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
	480
	481	reduce (h);
	482	scalarmult (p,q,h);
	483
	484	scalarbase (q,sig+32);
	485	add (p,q);
	486	pack (t,p);
	487
	488	if (crypto_verify_32 (sig, t))
	489	return -1;
	490	return 0;
	491	}
	492
	493
	494	int
	495	crypto_sign_detached (u8 sig,const u8 m,u64 n,const u8 *sk)
	496	{
	497	struct GNUNET_HashContext *hc;
	498	u8 d[64],h[64],r[64];
	499	i64 i,j,x[64];
	500	gf p[4];
	501
	502	crypto_hash (d, sk, 32);
	503	d[0] &= 248;
	504	d[31] &= 127;
	505	d[31] \|= 64;
	506
	507	hc = GNUNET_CRYPTO_hash_context_start ();
	508	GNUNET_CRYPTO_hash_context_read (hc, d + 32, 32);
	509	GNUNET_CRYPTO_hash_context_read (hc, m, n);
	510	GNUNET_CRYPTO_hash_context_finish (hc, (void *) r);
	511
	512	reduce (r);
	513	scalarbase (p,r);
	514	pack (sig,p);
	515
	516	hc = GNUNET_CRYPTO_hash_context_start ();
	517	GNUNET_CRYPTO_hash_context_read (hc, sig, 32);
	518	GNUNET_CRYPTO_hash_context_read (hc, sk + 32, 32);
	519	GNUNET_CRYPTO_hash_context_read (hc, m, n);
	520	GNUNET_CRYPTO_hash_context_finish (hc, (void *) h);
	521
	522	reduce (h);
	523
	524	FOR (i,64) x[i] = 0;
	525	FOR (i,32) x[i] = (u64) r[i];
	526	FOR (i,32) FOR (j,32) x[i + j] += h[i] * (u64) d[j];
	527	modL (sig + 32,x);
	528
	529	return 0;
	530	}