Add crypto_core_ed25519_from_string() and crypto_core_ed25519_from_string_ro()

dist-build/emscripten-symbols.def

@@ -156,7 +156,9 @@ _crypto_box_seedbytes 1 1
 _crypto_box_zerobytes 0 1
 _crypto_core_ed25519_add 0 1
 _crypto_core_ed25519_bytes 0 1
-_crypto_core_ed25519_from_hash 0 1
+_crypto_core_ed25519_from_hash 0 0
+_crypto_core_ed25519_from_string 0 1
+_crypto_core_ed25519_from_string_ro 0 1
 _crypto_core_ed25519_from_uniform 0 1
 _crypto_core_ed25519_hashbytes 0 1
 _crypto_core_ed25519_is_valid_point 0 1

src/libsodium/crypto_core/ed25519/core_ed25519.c

@@ -1,7 +1,9 @@
 
 #include <stdint.h>
+#include <string.h>
 
 #include "crypto_core_ed25519.h"
+#include "crypto_hash_sha512.h"
 #include "private/common.h"
 #include "private/ed25519_ref10.h"
 #include "randombytes.h"
@@ -78,13 +80,88 @@ crypto_core_ed25519_from_hash(unsigned char *p, const unsigned char *h)
     return 0;
 }
 
+#define HASH_BYTES      crypto_hash_sha512_BYTES
+#define HASH_BLOCKBYTES 128U
+#define HASH_L          48U
+
+static int
+_string_to_points(unsigned char * const px, size_t n, const char *suite,
+                  size_t suite_len, const char *ctx, const unsigned char *msg,
+                  size_t msg_len)
+{
+    crypto_hash_sha512_state st;
+    unsigned char            empty_block[128] = { 0 };
+    unsigned char            u0[HASH_BYTES], u[2 * HASH_BYTES];
+    unsigned char            t[4]    = { 0U, n * HASH_L, 0U, 0 };
+    size_t                   ctx_len = ctx != NULL ? strlen(ctx) : 0U;
+    size_t                   i, j;
+
+    if (n > 2U || suite_len > 0xff || ctx_len > 0xff - suite_len) {
+        return -1;
+    }
+    crypto_hash_sha512_init(&st);
+    crypto_hash_sha512_update(&st, empty_block, sizeof empty_block);
+    crypto_hash_sha512_update(&st, msg, msg_len);
+    t[3] = (unsigned char) suite_len + ctx_len;
+    crypto_hash_sha512_update(&st, t, 4U);
+    crypto_hash_sha512_update(&st, (const unsigned char *) suite, suite_len);
+    crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+    crypto_hash_sha512_final(&st, u0);
+
+    for (i = 0U; i < n * HASH_BYTES; i += HASH_BYTES) {
+        memcpy(&u[i], u0, HASH_BYTES);
+        for (j = 0U; i > 0U && j < HASH_BYTES; j++) {
+            u[i + j] ^= u[i + j - HASH_BYTES];
+        }
+        crypto_hash_sha512_init(&st);
+        crypto_hash_sha512_update(&st, &u[i], HASH_BYTES);
+        t[2]++;
+        crypto_hash_sha512_update(&st, t + 2U, 2U);
+        crypto_hash_sha512_update(&st, (const unsigned char *) suite,
+                                  suite_len);
+        crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+        crypto_hash_sha512_final(&st, &u[i]);
+    }
+    for (i = 0U; i < n; i++) {
+        memset(u0, 0U, HASH_BYTES - HASH_L);
+        memcpy(u0 + HASH_BYTES - HASH_L, &u[i * HASH_L], HASH_L);
+        ge25519_from_hash(&px[i * crypto_core_ed25519_BYTES], u0);
+    }
+    return 0;
+}
+
+int
+crypto_core_ed25519_from_string(unsigned char p[crypto_core_ed25519_BYTES],
+                                const char *ctx, const unsigned char *msg,
+                                size_t msg_len)
+{
+    return _string_to_points(p, 1,  "edwards25519_XMD:SHA-512_ELL2_NU_",
+                             sizeof "edwards25519_XMD:SHA-512_ELL2_NU_" - 1U, ctx,
+                             msg, msg_len);
+}
+
+int
+crypto_core_ed25519_from_string_ro(unsigned char p[crypto_core_ed25519_BYTES],
+                                   const char *ctx, const unsigned char *msg,
+                                   size_t msg_len)
+{
+    unsigned char px[2 * crypto_core_ed25519_BYTES];
+
+    if (_string_to_points(px, 2, "edwards25519_XMD:SHA-512_ELL2_RO_",
+                          sizeof "edwards25519_XMD:SHA-512_ELL2_RO_" - 1U, ctx,
+                          msg, msg_len) != 0) {
+        return -1;
+    }
+    return crypto_core_ed25519_add(p, &px[0], &px[crypto_core_ed25519_BYTES]);
+}
+
 void
 crypto_core_ed25519_random(unsigned char *p)
 {
-    unsigned char h[crypto_core_ed25519_HASHBYTES];
+    unsigned char h[crypto_core_ed25519_UNIFORMBYTES];
 
     randombytes_buf(h, sizeof h);
-    (void) crypto_core_ed25519_from_hash(p, h);
+    (void) crypto_core_ed25519_from_uniform(p, h);
 }
 
 void

src/libsodium/include/sodium/crypto_core_ed25519.h

@@ -48,7 +48,19 @@ int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r)
 
 SODIUM_EXPORT
 int crypto_core_ed25519_from_hash(unsigned char *p, const unsigned char *h)
-            __attribute__ ((nonnull));
+            __attribute__ ((nonnull)) __attribute__ ((deprecated));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_from_string(unsigned char p[crypto_core_ed25519_BYTES],
+                                    const char *ctx, const unsigned char *msg,
+                                    size_t msg_len)
+            __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_from_string_ro(unsigned char p[crypto_core_ed25519_BYTES],
+                                       const char *ctx, const unsigned char *msg,
+                                       size_t msg_len)
+            __attribute__ ((nonnull(1)));
 
 SODIUM_EXPORT
 void crypto_core_ed25519_random(unsigned char *p)

test/symbols/all-symbols.txt

@@ -191,6 +191,8 @@ crypto_box_zerobytes
 crypto_core_ed25519_add
 crypto_core_ed25519_bytes
 crypto_core_ed25519_from_hash
+crypto_core_ed25519_from_string
+crypto_core_ed25519_from_string_ro
 crypto_core_ed25519_from_uniform
 crypto_core_ed25519_hashbytes
 crypto_core_ed25519_is_valid_point