openbsd/src/lib/libcrypto/curve25519, branch OPENBSD_7_8_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_8_BASE 2025-07-29T10:52:20+00:00 curve25519.c: zap trailing whitespace introduced in previous 2025-07-29T10:52:20+00:00 tb 2025-07-29T10:52:20+00:00 urn:sha1:ec8cce1dd4e99a67543a272dfa89573835b3d118 avoid undefined behavior when shifting into sign bit 2025-07-17T00:55:48+00:00 kenjiro 2025-07-17T00:55:48+00:00 urn:sha1:904ebeb7f3b2f0d375bada0148d4f4a954efffa7 Shifting a signed int64_t into the sign bit is undefined behavior in C. /dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error: left shift of negative value -222076011 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable To avoid this, import int64_lshift21() from BoringSSL, a helper function that casts the input to uint64_t before shifting and back to int64_t afterward. This ensures defined behavior when shifting left by 21 bits, avoiding undefined behavior in expressions like `carry << 21`. This change addresses potential runtime issues detected by sanitizers when shifting signed values with high bits set. ok tb beck Hide symbols in curve22519 2023-07-08T15:12:49+00:00 beck 2023-07-08T15:12:49+00:00 urn:sha1:46b46c2fb9731b7443e79217c78fb5ae2b1bd80e ok tb@ Revert r1.9 and reinstate r1.6 2023-04-02T15:36:53+00:00 tb 2023-04-02T15:36:53+00:00 urn:sha1:c01f8faa3a8de1f114114281a879992d176be925 The argument change to x5519_ge_scalarmult_base() was made to match the prototype in the header. More recent compilers warn about such ptr vs array mismatches. Prevent Ed25519 signature malleability 2022-11-17T19:01:59+00:00 tb 2022-11-17T19:01:59+00:00 urn:sha1:3df451964c26e01d8ff57468d02c495bfe18832d Add a check that ensures that the upper half s of an Ed25519 signature is bounded by the group order, i.e, 0 <= s < order. This is required by the Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple modifications of signatures such as adding (a multiple of) the group order to the upper half of the signature. Found with EdDSA testcase 63 of project Wycheproof. ok beck jsing Expose direct access API for Ed25519. 2022-11-13T14:05:04+00:00 tb 2022-11-13T14:05:04+00:00 urn:sha1:7ca0eeb03bbc151b382c5dfcdf48f377be94bea7 zap stray space (CRITICAL!) 2022-11-11T01:44:26+00:00 tb 2022-11-11T01:44:26+00:00 urn:sha1:e917fd8e13a8b1acf3b53461d4ba34d7022a216e Make X25519_public_from_private() internally reachable. 2022-11-09T17:45:55+00:00 jsing 2022-11-09T17:45:55+00:00 urn:sha1:ce63bfbe542f710d82181ab0975b822aaf517973 Rename public_value to public_key for consistency. 2022-11-09T17:40:51+00:00 jsing 2022-11-09T17:40:51+00:00 urn:sha1:ff5faa687445f18e922b9b5263b369e9e7f5a57c ok tb@ Rework ED25519 API. 2022-11-09T17:39:29+00:00 jsing 2022-11-09T17:39:29+00:00 urn:sha1:a9fdcf2b38e7f119a0b1e428a0f9cae93f210ed4 BoringSSL implemented a compound private key, which includes a copy of the public key as a performance optimisation for signing. However, this does not readily match with how EVP works, makes the ED25519 API inconsistent with the X25519 API, diverges from th RFC and does not align with the OpenSSL API. Instead, the caller can readily compute the public key and pass this in to the signing process. ok tb@