openbsd/src/lib/libcrypto/curve25519, branch OPENBSD_7_7

Hide symbols in curve22519

2023-07-08T15:12:49+00:00

ok tb@

Revert r1.9 and reinstate r1.6

2023-04-02T15:36:53+00:00

The argument change to x5519_ge_scalarmult_base() was made to match the prototype in the header. More recent compilers warn about such ptr vs array mismatches.

Prevent Ed25519 signature malleability

2022-11-17T19:01:59+00:00

Add a check that ensures that the upper half s of an Ed25519 signature is bounded by the group order, i.e, 0 <= s < order. This is required by the Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple modifications of signatures such as adding (a multiple of) the group order to the upper half of the signature. Found with EdDSA testcase 63 of project Wycheproof. ok beck jsing

Expose direct access API for Ed25519.

2022-11-13T14:05:04+00:00

zap stray space (CRITICAL!)

2022-11-11T01:44:26+00:00

Make X25519_public_from_private() internally reachable.

2022-11-09T17:45:55+00:00

Rename public_value to public_key for consistency.

2022-11-09T17:40:51+00:00

ok tb@

Rework ED25519 API.

2022-11-09T17:39:29+00:00

BoringSSL implemented a compound private key, which includes a copy of the public key as a performance optimisation for signing. However, this does not readily match with how EVP works, makes the ED25519 API inconsistent with the X25519 API, diverges from th RFC and does not align with the OpenSSL API. Instead, the caller can readily compute the public key and pass this in to the signing process. ok tb@

Refactor/split ED25519_keypair.

2022-11-08T17:07:17+00:00

This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.

Change function argument to reduce differences with BoringSSL.

2022-11-08T17:01:57+00:00