File Coverage

tweetnacl.c

Criterion	Covered	Total	%
statement	455	474	95.9
branch	227	238	95.3
condition			n/a
subroutine			n/a
pod			n/a
total	682	712	95.7

line	stmt	bran	code
1			#include "tweetnacl.h"
2			#define FOR(i,n) for (i = 0;i < n;++i)
3			#define sv static void
4
5			typedef unsigned char u8;
6			typedef unsigned long u32;
7			typedef unsigned long long u64;
8			typedef long long i64;
9			typedef i64 gf[16];
10			extern void randombytes(u8 *,u64);
11
12			static const u8
13			_0[16],
14			_9[32] = {9};
15			static const gf
16			gf0,
17			gf1 = {1},
18			_121665 = {0xDB41,1},
19			D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
20			D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
21			X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
22			Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
23			I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
24
25	13440		static u32 L32(u32 x,int c) { return (x << c) \| ((x&0xffffffff) >> (32 - c)); }
26
27	840		static u32 ld32(const u8 *x)
28			{
29	840		u32 u = x[3];
30	840		u = (u<<8)\|x[2];
31	840		u = (u<<8)\|x[1];
32	840		return (u<<8)\|x[0];
33			}
34
35	288		static u64 dl64(const u8 *x)
36			{
37	288		u64 i,u=0;
38	2592	100	FOR(i,8) u=(u<<8)\|x[i];
39	288		return u;
40			}
41
42	504		sv st32(u8 *x,u32 u)
43			{
44			int i;
45	2520	100	FOR(i,4) { x[i] = u; u >>= 8; }
46	504		}
47
48	153		sv ts64(u8 *x,u64 u)
49			{
50			int i;
51	1377	100	for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; }
52	153		}
53
54	20		static int vn(const u8 x,const u8 y,int n)
55			{
56	20		u32 i,d = 0;
57	500	100	FOR(i,n) d \|= x[i]^y[i];
58	20		return (1 & ((d - 1) >> 8)) - 1;
59			}
60
61	10		int crypto_verify_16(const u8 x,const u8 y)
62			{
63	10		return vn(x,y,16);
64			}
65
66	10		int crypto_verify_32(const u8 x,const u8 y)
67			{
68	10		return vn(x,y,32);
69			}
70
71	42		sv core(u8 out,const u8 in,const u8 k,const u8 c,int h)
72			{
73			u32 w[16],x[16],y[16],t[4];
74			int i,j,m;
75
76	210	100	FOR(i,4) {
77	168		x[5i] = ld32(c+4i);
78	168		x[1+i] = ld32(k+4*i);
79	168		x[6+i] = ld32(in+4*i);
80	168		x[11+i] = ld32(k+16+4*i);
81			}
82
83	714	100	FOR(i,16) y[i] = x[i];
84
85	882	100	FOR(i,20) {
86	4200	100	FOR(j,4) {
87	16800	100	FOR(m,4) t[m] = x[(5j+4m)%16];
88	3360		t[1] ^= L32(t[0]+t[3], 7);
89	3360		t[2] ^= L32(t[1]+t[0], 9);
90	3360		t[3] ^= L32(t[2]+t[1],13);
91	3360		t[0] ^= L32(t[3]+t[2],18);
92	16800	100	FOR(m,4) w[4*j+(j+m)%4] = t[m];
93			}
94	14280	100	FOR(m,16) x[m] = w[m];
95			}
96
97	42	100	if (h) {
98	357	100	FOR(i,16) x[i] += y[i];
99	105	100	FOR(i,4) {
100	84		x[5i] -= ld32(c+4i);
101	84		x[6+i] -= ld32(in+4*i);
102			}
103	105	100	FOR(i,4) {
104	84		st32(out+4i,x[5i]);
105	84		st32(out+16+4*i,x[6+i]);
106			}
107			} else
108	357	100	FOR(i,16) st32(out + 4 * i,x[i] + y[i]);
109	42		}
110
111	21		int crypto_core_salsa20(u8 out,const u8 in,const u8 k,const u8 c)
112			{
113	21		core(out,in,k,c,0);
114	21		return 0;
115			}
116
117	21		int crypto_core_hsalsa20(u8 out,const u8 in,const u8 k,const u8 c)
118			{
119	21		core(out,in,k,c,1);
120	21		return 0;
121			}
122
123			static const u8 sigma[16] = "expand 32-byte k";
124
125	17		int crypto_stream_salsa20_xor(u8 c,const u8 m,u64 b,const u8 n,const u8 k)
126			{
127			u8 z[16],x[64];
128			u32 u,i;
129	17	50	if (!b) return 0;
130	289	100	FOR(i,16) z[i] = 0;
131	153	100	FOR(i,8) z[i] = n[i];
132	21	100	while (b >= 64) {
133	4		crypto_core_salsa20(x,z,k,sigma);
134	260	50	FOR(i,64) c[i] = (m?m[i]:0) ^ x[i];
		100
135	4		u = 1;
136	36	100	for (i = 8;i < 16;++i) {
137	32		u += (u32) z[i];
138	32		z[i] = u;
139	32		u >>= 8;
140			}
141	4		b -= 64;
142	4		c += 64;
143	4	50	if (m) m += 64;
144			}
145	17	50	if (b) {
146	17		crypto_core_salsa20(x,z,k,sigma);
147	551	100	FOR(i,b) c[i] = (m?m[i]:0) ^ x[i];
		100
148			}
149	17		return 0;
150			}
151
152	7		int crypto_stream_salsa20(u8 c,u64 d,const u8 n,const u8 *k)
153			{
154	7		return crypto_stream_salsa20_xor(c,0,d,n,k);
155			}
156
157	7		int crypto_stream(u8 c,u64 d,const u8 n,const u8 *k)
158			{
159			u8 s[32];
160	7		crypto_core_hsalsa20(s,n,k,sigma);
161	7		return crypto_stream_salsa20(c,d,n+16,s);
162			}
163
164	10		int crypto_stream_xor(u8 c,const u8 m,u64 d,const u8 n,const u8 k)
165			{
166			u8 s[32];
167	10		crypto_core_hsalsa20(s,n,k,sigma);
168	10		return crypto_stream_salsa20_xor(c,m,d,n+16,s);
169			}
170
171	42		sv add1305(u32 h,const u32 c)
172			{
173	42		u32 j,u = 0;
174	756	100	FOR(j,17) {
175	714		u += h[j] + c[j];
176	714		h[j] = u & 255;
177	714		u >>= 8;
178			}
179	42		}
180
181			static const u32 minusp[17] = {
182			5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252
183			} ;
184
185	13		int crypto_onetimeauth(u8 out,const u8 m,u64 n,const u8 *k)
186			{
187			u32 s,i,j,u,x[17],r[17],h[17],c[17],g[17];
188
189	234	100	FOR(j,17) r[j]=h[j]=0;
190	221	100	FOR(j,16) r[j]=k[j];
191	13		r[3]&=15;
192	13		r[4]&=252;
193	13		r[7]&=15;
194	13		r[8]&=252;
195	13		r[11]&=15;
196	13		r[12]&=252;
197	13		r[15]&=15;
198
199	29	100	while (n > 0) {
200	288	100	FOR(j,17) c[j] = 0;
201	211	100	for (j = 0;(j < 16) && (j < n);++j) c[j] = m[j];
		100
202	16		c[j] = 1;
203	16		m += j; n -= j;
204	16		add1305(h,c);
205	288	100	FOR(i,17) {
206	272		x[i] = 0;
207	4896	100	FOR(j,17) x[i] += h[j] * ((j <= i) ? r[i - j] : 320 * r[i + 17 - j]);
		100
208			}
209	288	100	FOR(i,17) h[i] = x[i];
210	16		u = 0;
211	272	100	FOR(j,16) {
212	256		u += h[j];
213	256		h[j] = u & 255;
214	256		u >>= 8;
215			}
216	16		u += h[16]; h[16] = u & 3;
217	16		u = 5 * (u >> 2);
218	272	100	FOR(j,16) {
219	256		u += h[j];
220	256		h[j] = u & 255;
221	256		u >>= 8;
222			}
223	16		u += h[16]; h[16] = u;
224			}
225
226	234	100	FOR(j,17) g[j] = h[j];
227	13		add1305(h,minusp);
228	13		s = -(h[16] >> 7);
229	234	100	FOR(j,17) h[j] ^= s & (g[j] ^ h[j]);
230
231	221	100	FOR(j,16) c[j] = k[j + 16];
232	13		c[16] = 0;
233	13		add1305(h,c);
234	221	100	FOR(j,16) out[j] = h[j];
235	13		return 0;
236			}
237
238	8		int crypto_onetimeauth_verify(const u8 h,const u8 m,u64 n,const u8 *k)
239			{
240			u8 x[16];
241	8		crypto_onetimeauth(x,m,n,k);
242	8		return crypto_verify_16(h,x);
243			}
244
245	4		int crypto_secretbox(u8 c,const u8 m,u64 d,const u8 n,const u8 k)
246			{
247			int i;
248	4	50	if (d < 32) return -1;
249	4		crypto_stream_xor(c,m,d,n,k);
250	4		crypto_onetimeauth(c + 16,c + 32,d - 32,c);
251	68	100	FOR(i,16) c[i] = 0;
252	4		return 0;
253			}
254
255	6		int crypto_secretbox_open(u8 m,const u8 c,u64 d,const u8 n,const u8 k)
256			{
257			int i;
258			u8 x[32];
259	6	50	if (d < 32) return -1;
260	6		crypto_stream(x,32,n,k);
261	6	100	if (crypto_onetimeauth_verify(c + 16,c + 32,d - 32,x) != 0) return -1;
262	2		crypto_stream_xor(m,c,d,n,k);
263	66	100	FOR(i,32) m[i] = 0;
264	2		return 0;
265			}
266
267	39		sv set25519(gf r, const gf a)
268			{
269			int i;
270	663	100	FOR(i,16) r[i]=a[i];
271	39		}
272
273	135976		sv car25519(gf o)
274			{
275			int i;
276			i64 c;
277	2311592	100	FOR(i,16) {
278	2175616		o[i]+=(1LL<<16);
279	2175616		c=o[i]>>16;
280	2175616		o[(i+1)(i<15)]+=c-1+37(c-1)*(i==15);
281	2175616		o[i]-=c<<16;
282			}
283	135976		}
284
285	24596		sv sel25519(gf p,gf q,int b)
286			{
287	24596		i64 t,i,c=~(b-1);
288	418132	100	FOR(i,16) {
289	393536		t= c&(p[i]^q[i]);
290	393536		p[i]^=t;
291	393536		q[i]^=t;
292			}
293	24596		}
294
295	34		sv pack25519(u8 *o,const gf n)
296			{
297			int i,j,b;
298			gf m,t;
299	578	100	FOR(i,16) t[i]=n[i];
300	34		car25519(t);
301	34		car25519(t);
302	34		car25519(t);
303	102	100	FOR(j,2) {
304	68		m[0]=t[0]-0xffed;
305	1020	100	for(i=1;i<15;i++) {
306	952		m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
307	952		m[i-1]&=0xffff;
308			}
309	68		m[15]=t[15]-0x7fff-((m[14]>>16)&1);
310	68		b=(m[15]>>16)&1;
311	68		m[14]&=0xffff;
312	68		sel25519(t,m,1-b);
313			}
314	578	100	FOR(i,16) {
315	544		o[2*i]=t[i]&0xff;
316	544		o[2*i+1]=t[i]>>8;
317			}
318	34		}
319
320	6		static int neq25519(const gf a, const gf b)
321			{
322			u8 c[32],d[32];
323	6		pack25519(c,a);
324	6		pack25519(d,b);
325	6		return crypto_verify_32(c,d);
326			}
327
328	6		static u8 par25519(const gf a)
329			{
330			u8 d[32];
331	6		pack25519(d,a);
332	6		return d[0]&1;
333			}
334
335	15		sv unpack25519(gf o, const u8 *n)
336			{
337			int i;
338	255	100	FOR(i,16) o[i]=n[2i]+((i64)n[2i+1]<<8);
339	15		o[15]&=0x7fff;
340	15		}
341
342	27613		sv A(gf o,const gf a,const gf b)
343			{
344			int i;
345	469421	100	FOR(i,16) o[i]=a[i]+b[i];
346	27613		}
347
348	24541		sv Z(gf o,const gf a,const gf b)
349			{
350			int i;
351	417197	100	FOR(i,16) o[i]=a[i]-b[i];
352	24541		}
353
354	67937		sv M(gf o,const gf a,const gf b)
355			{
356			i64 i,j,t[31];
357	2173984	100	FOR(i,31) t[i]=0;
358	18546801	100	FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
		100
359	1086992	100	FOR(i,15) t[i]+=38*t[i+16];
360	1154929	100	FOR(i,16) o[i]=t[i];
361	67937		car25519(o);
362	67937		car25519(o);
363	67937		}
364
365	17072		sv S(gf o,const gf a)
366			{
367	17072		M(o,a,a);
368	17072		}
369
370	16		sv inv25519(gf o,const gf i)
371			{
372			gf c;
373			int a;
374	272	100	FOR(a,16) c[a]=i[a];
375	4080	100	for(a=253;a>=0;a--) {
376	4064		S(c,c);
377	4064	100	if(a!=2&&a!=4) M(c,c,i);
		100
378			}
379	272	100	FOR(a,16) o[a]=c[a];
380	16		}
381
382	3		sv pow2523(gf o,const gf i)
383			{
384			gf c;
385			int a;
386	51	100	FOR(a,16) c[a]=i[a];
387	756	100	for(a=250;a>=0;a--) {
388	753		S(c,c);
389	753	100	if(a!=1) M(c,c,i);
390			}
391	51	100	FOR(a,16) o[a]=c[a];
392	3		}
393
394	12		int crypto_scalarmult(u8 q,const u8 n,const u8 *p)
395			{
396			u8 z[32];
397			i64 x[80],r,i;
398			gf a,b,c,d,e,f;
399	384	100	FOR(i,31) z[i]=n[i];
400	12		z[31]=(n[31]&127)\|64;
401	12		z[0]&=248;
402	12		unpack25519(x,p);
403	204	100	FOR(i,16) {
404	192		b[i]=x[i];
405	192		d[i]=a[i]=c[i]=0;
406			}
407	12		a[0]=d[0]=1;
408	3072	100	for(i=254;i>=0;--i) {
409	3060		r=(z[i>>3]>>(i&7))&1;
410	3060		sel25519(a,b,r);
411	3060		sel25519(c,d,r);
412	3060		A(e,a,c);
413	3060		Z(a,a,c);
414	3060		A(c,b,d);
415	3060		Z(b,b,d);
416	3060		S(d,e);
417	3060		S(f,a);
418	3060		M(a,c,a);
419	3060		M(c,b,e);
420	3060		A(e,a,c);
421	3060		Z(a,a,c);
422	3060		S(b,a);
423	3060		Z(c,d,f);
424	3060		M(a,c,_121665);
425	3060		A(a,a,d);
426	3060		M(c,c,a);
427	3060		M(a,d,f);
428	3060		M(d,b,x);
429	3060		S(b,e);
430	3060		sel25519(a,b,r);
431	3060		sel25519(c,d,r);
432			}
433	204	100	FOR(i,16) {
434	192		x[i+16]=a[i];
435	192		x[i+32]=c[i];
436	192		x[i+48]=b[i];
437	192		x[i+64]=d[i];
438			}
439	12		inv25519(x+32,x+32);
440	12		M(x+16,x+16,x+32);
441	12		pack25519(q,x+16);
442	12		return 0;
443			}
444
445	2		int crypto_scalarmult_base(u8 q,const u8 n)
446			{
447	2		return crypto_scalarmult(q,n,_9);
448			}
449
450	0		int crypto_box_keypair(u8 y,u8 x)
451			{
452	0		randombytes(x,32);
453	0		return crypto_scalarmult_base(y,x);
454			}
455
456	4		int crypto_box_beforenm(u8 k,const u8 y,const u8 *x)
457			{
458			u8 s[32];
459	4		crypto_scalarmult(s,x,y);
460	4		return crypto_core_hsalsa20(k,_0,s,sigma);
461			}
462
463	1		int crypto_box_afternm(u8 c,const u8 m,u64 d,const u8 n,const u8 k)
464			{
465	1		return crypto_secretbox(c,m,d,n,k);
466			}
467
468	2		int crypto_box_open_afternm(u8 m,const u8 c,u64 d,const u8 n,const u8 k)
469			{
470	2		return crypto_secretbox_open(m,c,d,n,k);
471			}
472
473	0		int crypto_box(u8 c,const u8 m,u64 d,const u8 n,const u8 y,const u8 *x)
474			{
475			u8 k[32];
476	0		crypto_box_beforenm(k,y,x);
477	0		return crypto_box_afternm(c,m,d,n,k);
478			}
479
480	0		int crypto_box_open(u8 m,const u8 c,u64 d,const u8 n,const u8 y,const u8 *x)
481			{
482			u8 k[32];
483	0		crypto_box_beforenm(k,y,x);
484	0		return crypto_box_open_afternm(m,c,d,n,k);
485			}
486
487	7200		static u64 R(u64 x,int c) { return (x >> c) \| (x << (64 - c)); }
488	720		static u64 Ch(u64 x,u64 y,u64 z) { return (x & y) ^ (~x & z); }
489	720		static u64 Maj(u64 x,u64 y,u64 z) { return (x & y) ^ (x & z) ^ (y & z); }
490	720		static u64 Sigma0(u64 x) { return R(x,28) ^ R(x,34) ^ R(x,39); }
491	720		static u64 Sigma1(u64 x) { return R(x,14) ^ R(x,18) ^ R(x,41); }
492	720		static u64 sigma0(u64 x) { return R(x, 1) ^ R(x, 8) ^ (x >> 7); }
493	720		static u64 sigma1(u64 x) { return R(x,19) ^ R(x,61) ^ (x >> 6); }
494
495			static const u64 K[80] =
496			{
497			0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
498			0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
499			0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
500			0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
501			0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
502			0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
503			0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
504			0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
505			0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
506			0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
507			0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
508			0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
509			0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
510			0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
511			0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
512			0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
513			0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
514			0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
515			0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
516			0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
517			};
518
519	18		int crypto_hashblocks(u8 x,const u8 m,u64 n)
520			{
521			u64 z[8],b[8],a[8],w[16],t;
522			int i,j;
523
524	162	100	FOR(i,8) z[i] = a[i] = dl64(x + 8 * i);
525
526	27	100	while (n >= 128) {
527	153	100	FOR(i,16) w[i] = dl64(m + 8 * i);
528
529	729	100	FOR(i,80) {
530	6480	100	FOR(j,8) b[j] = a[j];
531	720		t = a[7] + Sigma1(a[4]) + Ch(a[4],a[5],a[6]) + K[i] + w[i%16];
532	720		b[7] = t + Sigma0(a[0]) + Maj(a[0],a[1],a[2]);
533	720		b[3] += t;
534	6480	100	FOR(j,8) a[(j+1)%8] = b[j];
535	720	100	if (i%16 == 15)
536	765	100	FOR(j,16)
537	720		w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]);
538			}
539
540	81	100	FOR(i,8) { a[i] += z[i]; z[i] = a[i]; }
541
542	9		m += 128;
543	9		n -= 128;
544			}
545
546	162	100	FOR(i,8) ts64(x+8*i,z[i]);
547
548	18		return n;
549			}
550
551			static const u8 iv[64] = {
552			0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08,
553			0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b,
554			0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b,
555			0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1,
556			0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1,
557			0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f,
558			0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b,
559			0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79
560			} ;
561
562	9		int crypto_hash(u8 out,const u8 m,u64 n)
563			{
564			u8 h[64],x[256];
565	9		u64 i,b = n;
566
567	585	100	FOR(i,64) h[i] = iv[i];
568
569	9		crypto_hashblocks(h,m,n);
570	9		m += n;
571	9		n &= 127;
572	9		m -= n;
573
574	2313	100	FOR(i,256) x[i] = 0;
575	542	100	FOR(i,n) x[i] = m[i];
576	9		x[n] = 128;
577
578	9	50	n = 256-128*(n<112);
579	9		x[n-9] = b >> 61;
580	9		ts64(x+n-8,b<<3);
581	9		crypto_hashblocks(h,x,n);
582
583	585	100	FOR(i,64) out[i] = h[i];
584
585	9		return 0;
586			}
587
588	3074		sv add(gf p[4],gf q[4])
589			{
590			gf a,b,c,d,t,e,f,g,h;
591
592	3074		Z(a, p[1], p[0]);
593	3074		Z(t, q[1], q[0]);
594	3074		M(a, a, t);
595	3074		A(b, p[0], p[1]);
596	3074		A(t, q[0], q[1]);
597	3074		M(b, b, t);
598	3074		M(c, p[3], q[3]);
599	3074		M(c, c, D2);
600	3074		M(d, p[2], q[2]);
601	3074		A(d, d, d);
602	3074		Z(e, b, a);
603	3074		Z(f, d, c);
604	3074		A(g, d, c);
605	3074		A(h, b, a);
606
607	3074		M(p[0], e, f);
608	3074		M(p[1], h, g);
609	3074		M(p[2], g, f);
610	3074		M(p[3], e, h);
611	3074		}
612
613	3072		sv cswap(gf p[4],gf q[4],u8 b)
614			{
615			int i;
616	15360	100	FOR(i,4)
617	12288		sel25519(p[i],q[i],b);
618	3072		}
619
620	4		void pack(u8 *r,gf p[4])
621			{
622			gf tx, ty, zi;
623	4		inv25519(zi, p[2]);
624	4		M(tx, p[0], zi);
625	4		M(ty, p[1], zi);
626	4		pack25519(r, ty);
627	4		r[31] ^= par25519(tx) << 7;
628	4		}
629
630	6		sv scalarmult(gf p[4],gf q[4],const u8 *s)
631			{
632			int i;
633	6		set25519(p[0],gf0);
634	6		set25519(p[1],gf1);
635	6		set25519(p[2],gf1);
636	6		set25519(p[3],gf0);
637	1542	100	for (i = 255;i >= 0;--i) {
638	1536		u8 b = (s[i/8]>>(i&7))&1;
639	1536		cswap(p,q,b);
640	1536		add(q,p);
641	1536		add(p,p);
642	1536		cswap(p,q,b);
643			}
644	6		}
645
646	4		void scalarbase(gf p[4],const u8 *s)
647			{
648			gf q[4];
649	4		set25519(q[0],X);
650	4		set25519(q[1],Y);
651	4		set25519(q[2],gf1);
652	4		M(q[3],X,Y);
653	4		scalarmult(p,q,s);
654	4		}
655
656	0		int crypto_sign_keypair(u8 pk, u8 sk)
657			{
658			u8 d[64];
659			gf p[4];
660			int i;
661
662	0		randombytes(sk, 32);
663	0		crypto_hash(d, sk, 32);
664	0		d[0] &= 248;
665	0		d[31] &= 127;
666	0		d[31] \|= 64;
667
668	0		scalarbase(p,d);
669	0		pack(pk,p);
670
671	0	0	FOR(i,32) sk[32 + i] = pk[i];
672	0		return 0;
673			}
674
675			static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
676
677	8		sv modL(u8 *r,i64 x[64])
678			{
679			i64 carry,i,j;
680	264	100	for (i = 63;i >= 32;--i) {
681	256		carry = 0;
682	5376	100	for (j = i - 32;j < i - 12;++j) {
683	5120		x[j] += carry - 16 * x[i] * L[j - (i - 32)];
684	5120		carry = (x[j] + 128) >> 8;
685	5120		x[j] -= carry << 8;
686			}
687	256		x[j] += carry;
688	256		x[i] = 0;
689			}
690	8		carry = 0;
691	264	100	FOR(j,32) {
692	256		x[j] += carry - (x[31] >> 4) * L[j];
693	256		carry = x[j] >> 8;
694	256		x[j] &= 255;
695			}
696	264	100	FOR(j,32) x[j] -= carry * L[j];
697	264	100	FOR(i,32) {
698	256		x[i+1] += x[i] >> 8;
699	256		r[i] = x[i] & 255;
700			}
701	8		}
702
703	6		sv reduce(u8 *r)
704			{
705			i64 x[64],i;
706	390	100	FOR(i,64) x[i] = (u64) r[i];
707	390	100	FOR(i,64) r[i] = 0;
708	6		modL(r,x);
709	6		}
710
711	2		int crypto_sign(u8 sm,u64 smlen,const u8 m,u64 n,const u8 sk)
712			{
713			u8 d[64],h[64],r[64];
714			i64 i,j,x[64];
715			gf p[4];
716
717	2		crypto_hash(d, sk, 32);
718	2		d[0] &= 248;
719	2		d[31] &= 127;
720	2		d[31] \|= 64;
721
722	2		*smlen = n+64;
723	50	100	FOR(i,n) sm[64 + i] = m[i];
724	66	100	FOR(i,32) sm[32 + i] = d[32 + i];
725
726	2		crypto_hash(r, sm+32, n+32);
727	2		reduce(r);
728	2		scalarbase(p,r);
729	2		pack(sm,p);
730
731	66	100	FOR(i,32) sm[i+32] = sk[i+32];
732	2		crypto_hash(h,sm,n + 64);
733	2		reduce(h);
734
735	130	100	FOR(i,64) x[i] = 0;
736	66	100	FOR(i,32) x[i] = (u64) r[i];
737	2114	100	FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j];
		100
738	2		modL(sm + 32,x);
739
740	2		return 0;
741			}
742
743	3		static int unpackneg(gf r[4],const u8 p[32])
744			{
745			gf t, chk, num, den, den2, den4, den6;
746	3		set25519(r[2],gf1);
747	3		unpack25519(r[1],p);
748	3		S(num,r[1]);
749	3		M(den,num,D);
750	3		Z(num,num,r[2]);
751	3		A(den,r[2],den);
752
753	3		S(den2,den);
754	3		S(den4,den2);
755	3		M(den6,den4,den2);
756	3		M(t,den6,num);
757	3		M(t,t,den);
758
759	3		pow2523(t,t);
760	3		M(t,t,num);
761	3		M(t,t,den);
762	3		M(t,t,den);
763	3		M(r[0],t,den);
764
765	3		S(chk,r[0]);
766	3		M(chk,chk,den);
767	3	100	if (neq25519(chk, num)) M(r[0],r[0],I);
768
769	3		S(chk,r[0]);
770	3		M(chk,chk,den);
771	3	100	if (neq25519(chk, num)) return -1;
772
773	2	50	if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]);
774
775	2		M(r[3],r[0],r[1]);
776	2		return 0;
777			}
778
779	3		int crypto_sign_open(u8 m,u64 mlen,const u8 sm,u64 n,const u8 pk)
780			{
781			int i;
782			u8 t[32],h[64];
783			gf p[4],q[4];
784
785	3		*mlen = -1;
786	3	50	if (n < 64) return -1;
787
788	3	100	if (unpackneg(q,pk)) return -1;
789
790	178	100	FOR(i,n) m[i] = sm[i];
791	66	100	FOR(i,32) m[i+32] = pk[i];
792	2		crypto_hash(h,m,n);
793	2		reduce(h);
794	2		scalarmult(p,q,h);
795
796	2		scalarbase(q,sm + 32);
797	2		add(p,q);
798	2		pack(t,p);
799
800	2		n -= 64;
801	2	100	if (crypto_verify_32(sm, t)) {
802	25	100	FOR(i,n) m[i] = 0;
803	1		return -1;
804			}
805
806	25	100	FOR(i,n) m[i] = sm[i + 64];
807	1		*mlen = n;
808	1		return 0;
809			}