Add x25519 - os - An operating system

commit 9ad099d9ada7dc701a181d2fe3ef9ae1fd8367a7
parent 9acc9c83345f5029d4de384ae52960085a26e96c
Author: erai <erai@omiltem.net>
Date:   Sun, 19 May 2024 16:44:55 -0400

Add x25519

Diffstat:
M ed25519.c  | 507 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
M ed25519_test.c  | 98 ++++++++++++++++++++++++++++---------------------------------------------------
M sha256.c  | 3 ---
A x25519_test.c  | 35 +++++++++++++++++++++++++++++++++++

4 files changed, 547 insertions(+), 96 deletions(-)
diff --git a/ed25519.c b/ed25519.c
@@ -1,8 +1,10 @@
+// https://www.rfc-editor.org/rfc/rfc7748
 // https://www.rfc-editor.org/rfc/rfc8032
 // p = 2**255 - 19
 // = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
 // = 57896044618658097711785492504343953926634992332820282019728792003956564819949
-// order = 2**252 + 0x14def9dea2f79cd65812631a5cf5d3ed
+// order
+// L = 2**252 + 0x14def9dea2f79cd65812631a5cf5d3ed
 // = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
 // = 7237005577332262213973186563042994240857116359379907606001950938285454250989
 // cofactor = 8
@@ -52,6 +54,14 @@ struct _ed25519_point {
 	y: _ed25519_limb;
 }
 
+struct _x25519_block {
+	_x0: int;
+	_x1: int;
+	_x2: int;
+	_x3: int;
+	_x4: int;
+}
+
 ed25519_reduce(r: *int) {
 	var c: int;
 	var k: int;
@@ -94,14 +104,17 @@ ed25519_add(r: *int, a: *int, b: *int) {
 
 ed25519_sub(r: *int, a: *int, b: *int) {
 	var c: int;
-	c = 1 + a[0] + (-19 & (-1 >> 32)) + (~b[0] & (-1 >> 32)); r[0] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[1] + (-1 >> 32) + (~b[1] & (-1 >> 32)); r[1] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[2] + (-1 >> 32) + (~b[2] & (-1 >> 32)); r[2] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[3] + (-1 >> 32) + (~b[3] & (-1 >> 32)); r[3] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[4] + (-1 >> 32) + (~b[4] & (-1 >> 32)); r[4] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[5] + (-1 >> 32) + (~b[5] & (-1 >> 32)); r[5] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[6] + (-1 >> 32) + (~b[6] & (-1 >> 32)); r[6] = c & (-1 >> 32); c = c >> 32;
-	c = c + a[7] + (-1 >> 33) + (~b[7] & (-1 >> 32)); r[7] = c & (-1 >> 33);
+
+	c = 1 + a[0] + (-19 & (-1 >> 32)) + (b[0] ^ (-1 >> 32)); r[0] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[1] + (-1 >> 32) + (b[1] ^ (-1 >> 32)); r[1] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[2] + (-1 >> 32) + (b[2] ^ (-1 >> 32)); r[2] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[3] + (-1 >> 32) + (b[3] ^ (-1 >> 32)); r[3] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[4] + (-1 >> 32) + (b[4] ^ (-1 >> 32)); r[4] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[5] + (-1 >> 32) + (b[5] ^ (-1 >> 32)); r[5] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[6] + (-1 >> 32) + (b[6] ^ (-1 >> 32)); r[6] = c & (-1 >> 32); c = c >> 32;
+	c = c + a[7] + (-1 >> 33) + (b[7] ^ (-1 >> 32)); r[7] = c & (-1 >> 32); c = c >> 32;
+
+	ed25519_reduce(r);
 }
 
 ed25519_mul(r: *int, a: *int, b: *int) {
@@ -209,7 +222,8 @@ ed25519_inv(r: *int, a: *int)  {
 	}
 }
 
-ed25519_select(r: *int, a: *int, b: *int, k: int) {
+ed25519_selectl(r: *int, a: *int, b: *int, k: int) {
+	k = -(k & 1);
 	r[0] = (a[0] & ~k) | (b[0] & k);
 	r[1] = (a[1] & ~k) | (b[1] & k);
 	r[2] = (a[2] & ~k) | (b[2] & k);
@@ -218,14 +232,17 @@ ed25519_select(r: *int, a: *int, b: *int, k: int) {
 	r[5] = (a[5] & ~k) | (b[5] & k);
 	r[6] = (a[6] & ~k) | (b[6] & k);
 	r[7] = (a[7] & ~k) | (b[7] & k);
-	r[8] = (a[8] & ~k) | (b[8] & k);
-	r[9] = (a[9] & ~k) | (b[9] & k);
-	r[10] = (a[10] & ~k) | (b[10] & k);
-	r[11] = (a[11] & ~k) | (b[11] & k);
-	r[12] = (a[12] & ~k) | (b[12] & k);
-	r[13] = (a[13] & ~k) | (b[13] & k);
-	r[14] = (a[14] & ~k) | (b[14] & k);
-	r[15] = (a[15] & ~k) | (b[15] & k);
+}
+
+ed25519_zero(r: *int) {
+	r[0] = 0;
+	r[1] = 0;
+	r[2] = 0;
+	r[3] = 0;
+	r[4] = 0;
+	r[5] = 0;
+	r[6] = 0;
+	r[7] = 0;
 }
 
 ed25519_one(r: *int) {
@@ -239,6 +256,28 @@ ed25519_one(r: *int) {
 	r[7] = 0;
 }
 
+ed25519_d(d: *int) {
+	d[7] = (0x5203 << 16) | 0x6cee;
+	d[6] = (0x2b6f << 16) | 0xfe73;
+	d[5] = (0x8cc7 << 16) | 0x4079;
+	d[4] = (0x7779 << 16) | 0xe898;
+	d[3] = (0x0070 << 16) | 0x0a4d;
+	d[2] = (0x4141 << 16) | 0xd8ab;
+	d[1] = (0x75eb << 16) | 0x4dca;
+	d[0] = (0x1359 << 16) | 0x78a3;
+}
+
+ed25519_a(a: *int) {
+	a[7] = 0;
+	a[6] = 0;
+	a[5] = 0;
+	a[4] = 0;
+	a[3] = 0;
+	a[2] = 0;
+	a[1] = 0;
+	a[0] = 486662;
+}
+
 ////           x1 * y2 + x2 * y1                y1 * y2 - a * x1 * x2
 //// x3 = ---------------------------,  y3 = ---------------------------
 ////       1 + d * x1 * x2 * y1 * y2          1 - d * x1 * x2 * y1 * y2
@@ -269,14 +308,7 @@ ed25519_pa(r: *int, a: *int, b: * int) {
 	dxy2 = &_dxy2.x0;
 	d = &_d.x0;
 
-	d[7] = (0x5203 << 16) | 0x6cee;
-	d[6] = (0x2b6f << 16) | 0xfe73;
-	d[5] = (0x8cc7 << 16) | 0x4079;
-	d[4] = (0x7779 << 16) | 0xe898;
-	d[3] = (0x0070 << 16) | 0x0a4d;
-	d[2] = (0x4141 << 16) | 0xd8ab;
-	d[1] = (0x75eb << 16) | 0x4dca;
-	d[0] = (0x1359 << 16) | 0x78a3;
+	ed25519_d(d);
 
 	ed25519_mul(y1y2, &a[8], &b[8]);
 	ed25519_mul(x1x2, a, b);
@@ -311,8 +343,8 @@ ed25519_pk(r: *int, a: *int, k: *int) {
 	var i: int;
 	var j: int;
 
-	b = (&_b):*int;
-	c = (&_c):*int;
+	b = &_b.x.x0;
+	c = &_c.x.x0;
 
 	b[0] = a[0] & (-1 >> 32); r[0] = 0;
 	b[1] = a[1] & (-1 >> 32); r[1] = 0;
@@ -342,7 +374,8 @@ ed25519_pk(r: *int, a: *int, k: *int) {
 			}
 			ed25519_pa(r, r, r);
 			ed25519_pa(c, r, b);
-			ed25519_select(r, r, c, -((e >> 31) & 1));
+			ed25519_selectl(r, r, c, -((e >> 31) & 1));
+			ed25519_selectl(&r[8], &r[8], &c[8], -((e >> 31) & 1));
 			e = e << 1;
 			j = j + 1;
 		}
@@ -354,3 +387,419 @@ ed25519_pk(r: *int, a: *int, k: *int) {
 		i = i - 1;
 	}
 }
+
+ed25519_base(p: *int) {
+	p[7] = (0x2169 << 16) | 0x36d3;
+	p[6] = (0xcd6e << 16) | 0x53fe;
+	p[5] = (0xc0a4 << 16) | 0xe231;
+	p[4] = (0xfdd6 << 16) | 0xdc5c;
+	p[3] = (0x692c << 16) | 0xc760;
+	p[2] = (0x9525 << 16) | 0xa7b2;
+	p[1] = (0xc956 << 16) | 0x2d60;
+	p[0] = (0x8f25 << 16) | 0xd51a;
+	p[15] = (0x6666 << 16) | 0x6666;
+	p[14] = (0x6666 << 16) | 0x6666;
+	p[13] = (0x6666 << 16) | 0x6666;
+	p[12] = (0x6666 << 16) | 0x6666;
+	p[11] = (0x6666 << 16) | 0x6666;
+	p[10] = (0x6666 << 16) | 0x6666;
+	p[9] = (0x6666 << 16) | 0x6666;
+	p[8] = (0x6666 << 16) | 0x6658;
+}
+
+// 2**((p-1)//4)
+ed25519_sqrtz(z: *int) {
+	z[7] = (0x2b83 << 16) | 0x2480;
+	z[6] = (0x4fc1 << 16) | 0xdf0b;
+	z[5] = (0x2b4d << 16) | 0x0099;
+	z[4] = (0x3dfb << 16) | 0xd7a7;
+	z[3] = (0x2f43 << 16) | 0x1806;
+	z[2] = (0xad2f << 16) | 0xe478;
+	z[1] = (0xc4ee << 16) | 0x1b27;
+	z[0] = (0x4a0e << 16) | 0xa0b0;
+}
+
+// sqrt(x) = x**((p+3)/8) * [1 or 2**((p-1)/4)]
+ed25519_sqrt(r: *int, x: *int): int {
+	var _a: _ed25519_limb;
+	var _z: _ed25519_limb;
+	var a: *int;
+	var z: *int;
+	var i: int;
+
+	a = &_a.x0;
+	z = &_z.x0;
+
+	ed25519_one(a);
+
+	i = 0;
+	loop {
+		if i == 252 {
+			break;
+		}
+
+		ed25519_mul(a, a, a);
+
+		if i != 251 {
+			ed25519_mul(a, a, x);
+		}
+
+		i = i + 1;
+	}
+
+	ed25519_mul(z, a, a);
+	ed25519_sub(z, z, x);
+	i = ed25519_zerop(z);
+
+	ed25519_sqrtz(z);
+	ed25519_mul(z, z, a);
+
+	ed25519_selectl(a, z, a, i);
+
+	ed25519_mul(z, a, a);
+	ed25519_sub(z, z, x);
+
+	i = ed25519_zerop(z);
+
+	r[0] = a[0];
+	r[1] = a[1];
+	r[2] = a[2];
+	r[3] = a[3];
+	r[4] = a[4];
+	r[5] = a[5];
+	r[6] = a[6];
+	r[7] = a[7];
+
+	return i;
+}
+
+// x**2 = (1 - y**2) / (d * y**2 - 1) mod p
+ed25519_decode(p: *int, src: *byte) {
+}
+
+ed25519_encode(dest: *byte, p: *int) {
+	dest[0] = p[8]:byte;
+	dest[1] = (p[8] >> 8):byte;
+	dest[2] = (p[8] >> 16):byte;
+	dest[3] = (p[8] >> 24):byte;
+	dest[4] = p[9]:byte;
+	dest[5] = (p[9] >> 8):byte;
+	dest[6] = (p[9] >> 16):byte;
+	dest[7] = (p[9] >> 24):byte;
+	dest[8] = p[10]:byte;
+	dest[9] = (p[10] >> 8):byte;
+	dest[10] = (p[10] >> 16):byte;
+	dest[11] = (p[10] >> 24):byte;
+	dest[12] = p[11]:byte;
+	dest[13] = (p[11] >> 8):byte;
+	dest[14] = (p[11] >> 16):byte;
+	dest[15] = (p[11] >> 24):byte;
+	dest[16] = p[12]:byte;
+	dest[17] = (p[12] >> 8):byte;
+	dest[18] = (p[12] >> 16):byte;
+	dest[19] = (p[12] >> 24):byte;
+	dest[20] = p[13]:byte;
+	dest[21] = (p[13] >> 8):byte;
+	dest[22] = (p[13] >> 16):byte;
+	dest[23] = (p[13] >> 24):byte;
+	dest[24] = p[14]:byte;
+	dest[25] = (p[14] >> 8):byte;
+	dest[26] = (p[14] >> 16):byte;
+	dest[27] = (p[14] >> 24):byte;
+	dest[28] = p[15]:byte;
+	dest[29] = (p[15] >> 8):byte;
+	dest[30] = (p[15] >> 16):byte;
+	dest[31] = (p[15] >> 24):byte | ((p[0] & 1) << 7):byte;
+}
+
+ed25519_pub(p: *byte, k: *byte) {
+	// h || prefix = SHA-512(b)
+	// s = clamp(h)
+	// A = [s]B
+	// public key = A
+}
+
+ed25519_sign(k: *byte) {
+	// h || prefix = SHA-512(b)
+	// s = clamp(h)
+	// A = [s]B
+	// r = SHA-512(prefix || M)
+	// R = [r]B
+	// k = SHA-512(R || A || M)
+	// S = r + k * s mod L
+	// signature = R || S
+}
+
+ed25519_verify(p: *byte) {
+	// A = public key
+	// R || S = signature
+	// k' = SHA-512(R || A || M)
+	// [S]B = R + [k']A
+}
+
+ed25519_bi(d: *int) {
+	d[7] = (0x0f26 << 16) | 0xedf4;
+	d[6] = (0x60a0 << 16) | 0x06bb;
+	d[5] = (0xd27b << 16) | 0x08dc;
+	d[4] = (0x03fc << 16) | 0x4f7e;
+	d[3] = (0xc5a1 << 16) | 0xd3d1;
+	d[2] = (0x4b7d << 16) | 0x1a82;
+	d[1] = (0xcc6e << 16) | 0x04aa;
+	d[0] = (0xff45 << 16) | 0x7e06;
+}
+
+// u = (1 + y) / (1 - y)
+// v = sqrt(-486664) * u / x
+cv25519_of_ed25519(uv: *int, xy: *int) {
+	var _a: _ed25519_limb;
+	var _b: _ed25519_limb;
+	var _c: _ed25519_limb;
+	var _d: _ed25519_limb;
+	var a: *int;
+	var b: *int;
+	var c: *int;
+	var d: *int;
+
+	a = &_a.x0;
+	b = &_b.x0;
+	c = &_c.x0;
+	d = &_d.x0;
+
+	ed25519_one(a);
+	ed25519_add(a, a, &xy[8]);
+	ed25519_one(b);
+	ed25519_sub(b, b, &xy[8]);
+	ed25519_inv(b, b);
+
+	ed25519_inv(d, xy);
+
+	ed25519_mul(uv, a, b);
+
+	ed25519_bi(c);
+	ed25519_mul(c, c, uv);
+	ed25519_mul(&uv[8], c, d);
+}
+
+// x = sqrt(-486664) * u / v
+// y = (u - 1) / (u + 1)
+ed25519_of_cv25519(xy: *int, uv: *int) {
+	var _a: _ed25519_limb;
+	var _b: _ed25519_limb;
+	var _c: _ed25519_limb;
+	var _d: _ed25519_limb;
+	var a: *int;
+	var b: *int;
+	var c: *int;
+	var d: *int;
+
+	a = &_a.x0;
+	b = &_b.x0;
+	c = &_c.x0;
+	d = &_d.x0;
+
+	ed25519_bi(a);
+	ed25519_mul(a, a, uv);
+	ed25519_inv(b, &uv[8]);
+
+	ed25519_one(c);
+	ed25519_sub(c, uv, c);
+	ed25519_one(d);
+	ed25519_add(d, uv, d);
+	ed25519_inv(d, d);
+
+	ed25519_mul(xy, a, b);
+	ed25519_mul(&xy[8], c, d);
+}
+
+// cv25519: v**2 = u**3 + a*u**2 + u mod p
+x25519_decode(uv: *int, u: *byte): int {
+	var _v: _ed25519_limb;
+	var v: *int;
+
+	v = &_v.x0;
+
+	uv[0] = u[0]:int | (u[1]:int << 8) | (u[2]:int << 16) | (u[3]:int << 24);
+	uv[1] = u[4]:int | (u[5]:int << 8) | (u[6]:int << 16) | (u[7]:int << 24);
+	uv[2] = u[8]:int | (u[9]:int << 8) | (u[10]:int << 16) | (u[11]:int << 24);
+	uv[3] = u[12]:int | (u[13]:int << 8) | (u[14]:int << 16) | (u[15]:int << 24);
+	uv[4] = u[16]:int | (u[17]:int << 8) | (u[18]:int << 16) | (u[19]:int << 24);
+	uv[5] = u[20]:int | (u[21]:int << 8) | (u[22]:int << 16) | (u[23]:int << 24);
+	uv[6] = u[24]:int | (u[25]:int << 8) | (u[26]:int << 16) | (u[27]:int << 24);
+	uv[7] = (u[28]:int | (u[29]:int << 8) | (u[30]:int << 16) | (u[31]:int << 24)) & (-1 >> 33);
+
+	ed25519_reduce(uv);
+
+	ed25519_a(v);
+	ed25519_add(v, v, uv);
+	ed25519_mul(v, v, uv);
+	ed25519_mul(v, v, uv);
+	ed25519_add(v, v, uv);
+
+	if !ed25519_sqrt(&uv[8], v) {
+		return 0;
+	}
+
+	return !ed25519_zerop(&uv[8]);
+}
+
+x25519_encode(u: *byte, uv: *int) {
+	u[0] = uv[0]:byte;
+	u[1] = (uv[0] >> 8):byte;
+	u[2] = (uv[0] >> 16):byte;
+	u[3] = (uv[0] >> 24):byte;
+	u[4] = uv[1]:byte;
+	u[5] = (uv[1] >> 8):byte;
+	u[6] = (uv[1] >> 16):byte;
+	u[7] = (uv[1] >> 24):byte;
+	u[8] = uv[2]:byte;
+	u[9] = (uv[2] >> 8):byte;
+	u[10] = (uv[2] >> 16):byte;
+	u[11] = (uv[2] >> 24):byte;
+	u[12] = uv[3]:byte;
+	u[13] = (uv[3] >> 8):byte;
+	u[14] = (uv[3] >> 16):byte;
+	u[15] = (uv[3] >> 24):byte;
+	u[16] = uv[4]:byte;
+	u[17] = (uv[4] >> 8):byte;
+	u[18] = (uv[4] >> 16):byte;
+	u[19] = (uv[4] >> 24):byte;
+	u[20] = uv[5]:byte;
+	u[21] = (uv[5] >> 8):byte;
+	u[22] = (uv[5] >> 16):byte;
+	u[23] = (uv[5] >> 24):byte;
+	u[24] = uv[6]:byte;
+	u[25] = (uv[6] >> 8):byte;
+	u[26] = (uv[6] >> 16):byte;
+	u[27] = (uv[6] >> 24):byte;
+	u[28] = uv[7]:byte;
+	u[29] = (uv[7] >> 8):byte;
+	u[30] = (uv[7] >> 16):byte;
+	u[31] = (uv[7] >> 24):byte;
+}
+
+x25519_base(u: *byte) {
+	bzero(u, 32);
+	u[0] = 9:byte;
+}
+
+x25519(uk: *byte, u: *byte, k: *byte): int {
+	var _uv: _ed25519_point;
+	var _xy: _ed25519_point;
+	var _kc: _ed25519_limb;
+	var uv: *int;
+	var xy: *int;
+	var kc: *int;
+
+	uv = &_uv.x.x0;
+	xy = &_xy.x.x0;
+	kc = &_kc.x0;
+
+	if !x25519_decode(uv, u) {
+		return 0;
+	}
+
+	ed25519_of_cv25519(xy, uv);
+	ed25519_clamp(kc, k);
+	ed25519_pk(xy, xy, kc);
+	cv25519_of_ed25519(uv, xy);
+	x25519_encode(uk, uv);
+	return 1;
+}
+
+ed25519_zerop(x: *int): int {
+	var a: int;
+	a = x[0] | x[1] | x[2] | x[3] | x[4] | x[5] | x[6] | x[7];
+	a = (a >> 32) | a;
+	a = (a >> 16) | a;
+	a = (a >> 8) | a;
+	a = (a >> 4) | a;
+	a = (a >> 2) | a;
+	a = (a >> 1) | a;
+	return (a & 1) ^ 1;
+}
+
+// cv25519: v**2 = u**3 + a*u**2 + u mod p
+x25519_check(uv: *int): int {
+	var _a: _ed25519_limb;
+	var _b: _ed25519_limb;
+	var a: *int;
+	var b: *int;
+
+	a = &_a.x0;
+	b = &_b.x0;
+
+	ed25519_a(a);
+	ed25519_mul(b, uv, uv);
+	ed25519_mul(a, a, b);
+	ed25519_mul(b, b, uv);
+	ed25519_add(a, a, b);
+	ed25519_add(a, a, uv);
+
+	ed25519_mul(b, &uv[8], &uv[8]);
+	ed25519_sub(a, a, b);
+
+	return ed25519_zerop(a);
+}
+
+// ed25519: -x**2 + y**2 = 1 + d*x**2*y**2 mod p
+ed25519_check(xy: *int): int {
+	var _a: _ed25519_limb;
+	var _b: _ed25519_limb;
+	var _c: _ed25519_limb;
+	var a: *int;
+	var b: *int;
+	var c: *int;
+
+	a = &_a.x0;
+	b = &_b.x0;
+	c = &_c.x0;
+
+	ed25519_mul(b, xy, xy);
+	ed25519_mul(c, &xy[8], &xy[8]);
+
+	ed25519_one(a);
+	ed25519_add(a, a, b);
+	ed25519_sub(a, a, c);
+
+	ed25519_mul(b, b, c);
+	ed25519_d(c);
+	ed25519_mul(b, b, c);
+
+	ed25519_add(a, a, b);
+
+	return ed25519_zerop(a);
+}
+
+ed25519_set_sign(xy: *int, sign: int) {
+	var _a: _ed25519_limb;
+	var a: *int;
+
+	a = &_a.x0;
+
+	ed25519_zero(a);
+	ed25519_sub(a, a, &xy[8]);
+
+	ed25519_selectl(&xy[8], &xy[8], a, ((xy[15] >> 30) ^ sign) & 1);
+}
+
+ed25519_clamp(k: *int, b: *byte) {
+	k[0] = (b[0]:int | (b[1]:int << 8) | (b[2]:int << 16) | (b[3]:int << 24)) & -8;
+	k[1] = b[4]:int | (b[5]:int << 8) | (b[6]:int << 16) | (b[7]:int << 24);
+	k[2] = b[8]:int | (b[9]:int << 8) | (b[10]:int << 16) | (b[11]:int << 24);
+	k[3] = b[12]:int | (b[13]:int << 8) | (b[14]:int << 16) | (b[15]:int << 24);
+	k[4] = b[16]:int | (b[17]:int << 8) | (b[18]:int << 16) | (b[19]:int << 24);
+	k[5] = b[20]:int | (b[21]:int << 8) | (b[22]:int << 16) | (b[23]:int << 24);
+	k[6] = b[24]:int | (b[25]:int << 8) | (b[26]:int << 16) | (b[27]:int << 24);
+	k[7] = ((b[28]:int | (b[29]:int << 8) | (b[30]:int << 16) | (b[31]:int << 24)) & (-1 >> 33)) | (1 << 30);
+}
+
+ed25519_fdputl(fd: int, x: *int) {
+	fdputh32(fd, x[7]);
+	fdputh32(fd, x[6]);
+	fdputh32(fd, x[5]);
+	fdputh32(fd, x[4]);
+	fdputh32(fd, x[3]);
+	fdputh32(fd, x[2]);
+	fdputh32(fd, x[1]);
+	fdputh32(fd, x[0]);
+}
diff --git a/ed25519_test.c b/ed25519_test.c
@@ -1,65 +1,35 @@
-main(c: int, v: **byte, e: **byte) {
-	var _r: _ed25519_point;
-	var _p: _ed25519_point;
-	var _k: _ed25519_point;
-	var r: *int;
-	var p: *int;
-	var k: *int;
-
-	r = (&_r):*int;
-	p = (&_p):*int;
-	k = (&_k):*int;
-
-	bzero(r: *byte, sizeof(_r));
-	bzero(p: *byte, sizeof(_p));
-	bzero(k: *byte, sizeof(_k));
-
-	p[7] = (0x2169 << 16) | 0x36d3;
-	p[6] = (0xcd6e << 16) | 0x53fe;
-	p[5] = (0xc0a4 << 16) | 0xe231;
-	p[4] = (0xfdd6 << 16) | 0xdc5c;
-	p[3] = (0x692c << 16) | 0xc760;
-	p[2] = (0x9525 << 16) | 0xa7b2;
-	p[1] = (0xc956 << 16) | 0x2d60;
-	p[0] = (0x8f25 << 16) | 0xd51a;
-
-	p[15] = (0x6666 << 16) | 0x6666;
-	p[14] = (0x6666 << 16) | 0x6666;
-	p[13] = (0x6666 << 16) | 0x6666;
-	p[12] = (0x6666 << 16) | 0x6666;
-	p[11] = (0x6666 << 16) | 0x6666;
-	p[10] = (0x6666 << 16) | 0x6666;
-	p[9] = (0x6666 << 16) | 0x6666;
-	p[8] = (0x6666 << 16) | 0x6658;
-
-	k[7] = (0x1000 << 16) | 0x0000;
-	k[6] = 0;
-	k[5] = 0;
-	k[4] = 0;
-	k[3] = (0x14de << 16) | 0xf9de;
-	k[2] = (0xa2f7 << 16) | 0x9cd6;
-	k[1] = (0x5812 << 16) | 0x631a;
-	k[0] = (0x5cf5 << 16) | 0xd3ed;
-
-	ed25519_pk(r, p, k);
-
-	fdputh32(1, r[7]);
-	fdputh32(1, r[6]);
-	fdputh32(1, r[5]);
-	fdputh32(1, r[4]);
-	fdputh32(1, r[3]);
-	fdputh32(1, r[2]);
-	fdputh32(1, r[1]);
-	fdputh32(1, r[0]);
-	fdputc(1, '\n');
-
-	fdputh32(1, r[15]);
-	fdputh32(1, r[14]);
-	fdputh32(1, r[13]);
-	fdputh32(1, r[12]);
-	fdputh32(1, r[11]);
-	fdputh32(1, r[10]);
-	fdputh32(1, r[9]);
-	fdputh32(1, r[8]);
-	fdputc(1, '\n');
+main(argc: int, argv: **byte, envp: **byte) {
+	var _a: _ed25519_point;
+	var a: *byte;
+	var _b: _ed25519_point;
+	var b: *byte;
+	var _c: _ed25519_point;
+	var c: *byte;
+	var ret: int;
+
+	a = (&_a):*byte;
+	b = (&_b):*byte;
+	c = (&_c):*byte;
+
+	assert(unhex(a, "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c") == 32, "unhex");
+	assert(unhex(b, "a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	assert(unhex(b, "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a") == 32, "unhex");
+	assert(x25519(c, c, b), "decode");
+	fdxxd(1, c, 32);
 }
diff --git a/sha256.c b/sha256.c
@@ -36,9 +36,6 @@ struct _sha256_digest {
 	d2: int;
 	d3: int;
 	d4: int;
-	d5: int;
-	d6: int;
-	d7: int;
 }
 
 sha256_init(r: *sha256_ctx) {
diff --git a/x25519_test.c b/x25519_test.c
@@ -0,0 +1,35 @@
+main(argc: int, argv: **byte, envp: **byte) {
+	var _a: _ed25519_point;
+	var a: *byte;
+	var _b: _ed25519_point;
+	var b: *byte;
+	var _c: _ed25519_point;
+	var c: *byte;
+	var ret: int;
+
+	a = (&_a):*byte;
+	b = (&_b):*byte;
+	c = (&_c):*byte;
+
+	assert(unhex(a, "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c") == 32, "unhex");
+	assert(unhex(b, "a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	fdxxd(1, c, 32);
+
+	x25519_base(a);
+	assert(unhex(b, "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb") == 32, "unhex");
+	assert(x25519(c, a, b), "decode");
+	assert(unhex(b, "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a") == 32, "unhex");
+	assert(x25519(c, c, b), "decode");
+	fdxxd(1, c, 32);
+}

	os An operating system
	git clone https://erai.gay/code/os/
	Log \| Files \| Refs \| README \| LICENSE

M	ed25519.c	\|	507	++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
M	ed25519_test.c	\|	98	++++++++++++++++++++++++++++---------------------------------------------------
M	sha256.c	\|	3	---
A	x25519_test.c	\|	35	+++++++++++++++++++++++++++++++++++