rumpk/hal/crypto.zig

// SPDX-License-Identifier: LCL-1.0
// Copyright (c) 2026 Markus Maiwald
// Stewardship: Self Sovereign Society Foundation
//
// This file is part of the Nexus Commonwealth.
// See legal/LICENSE_COMMONWEALTH.md for license terms.

//! Rumpk HAL: Cryptographic Functions
//!
//! Provides SipHash-2-4 (128-bit) for packet IDs and Ed25519 signature verification.
//! All functions are exported for use by the ION layer.

const std = @import("std");

/// SipHash-2-4 (128-bit) for secure packet IDs
export fn hal_crypto_siphash(key: *const [16]u8, data: [*]const u8, len: usize, out: *[16]u8) void {
    var hasher = std.crypto.auth.siphash.SipHash128(2, 4).init(key);
    hasher.update(data[0..len]);
    hasher.final(out);
}

/// Ed25519 Signature Verification
export fn hal_crypto_ed25519_verify(sig: *const [64]u8, msg: [*]const u8, msg_len: usize, pk: *const [32]u8) bool {
    const Ed25519 = std.crypto.sign.Ed25519;

    const public_key = Ed25519.PublicKey.fromBytes(pk.*) catch return false;
    const signature = Ed25519.Signature.fromBytes(sig.*);

    signature.verify(msg[0..msg_len], public_key) catch return false;
    return true;
}

/// BLAKE3 Hash (256-bit) for key derivation
/// Used by Monolith (SPEC-503) to derive VolumeKey from 4MB keyfile
export fn hal_crypto_blake3(data: [*]const u8, len: usize, out: *[32]u8) void {
    var hasher = std.crypto.hash.Blake3.init(.{});
    hasher.update(data[0..len]);
    hasher.final(out);
}