openbsd/src/lib/libcrypto/curve25519, branch OPENBSD_7_3_BASE

Prevent Ed25519 signature malleability

2022-11-17T19:01:59+00:00

Add a check that ensures that the upper half s of an Ed25519 signature is bounded by the group order, i.e, 0 <= s < order. This is required by the Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple modifications of signatures such as adding (a multiple of) the group order to the upper half of the signature. Found with EdDSA testcase 63 of project Wycheproof. ok beck jsing

Expose direct access API for Ed25519.

2022-11-13T14:05:04+00:00

zap stray space (CRITICAL!)

2022-11-11T01:44:26+00:00

Make X25519_public_from_private() internally reachable.

2022-11-09T17:45:55+00:00

Rename public_value to public_key for consistency.

2022-11-09T17:40:51+00:00

ok tb@

Rework ED25519 API.

2022-11-09T17:39:29+00:00

BoringSSL implemented a compound private key, which includes a copy of the public key as a performance optimisation for signing. However, this does not readily match with how EVP works, makes the ED25519 API inconsistent with the X25519 API, diverges from th RFC and does not align with the OpenSSL API. Instead, the caller can readily compute the public key and pass this in to the signing process. ok tb@

Refactor/split ED25519_keypair.

2022-11-08T17:07:17+00:00

This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.

Change function argument to reduce differences with BoringSSL.

2022-11-08T17:01:57+00:00

Remove pointless loops.

2022-11-08T16:50:29+00:00

From BoringSSL 997c706d43504.

Enable Ed25519 internal to libcrypto.

2022-11-06T16:31:19+00:00

Based on a diff from tb@