Refactor/split ED25519_keypair.

This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.
author: jsing <> 2022-11-08 17:07:17 +0000
committer: jsing <> 2022-11-08 17:07:17 +0000
commit: 27c24322af3fca9f304fa1354083afab3f7936ac (patch)
tree: e91257a03a763d3d237930fddaae3bdf3b823f1d
parent: b9365b175ab806c695b4ada3ea43095a8627e0d0 (diff)
download: openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.tar.gz
openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.tar.bz2
openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.zip
2 files changed, 24 insertions, 16 deletions
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 7713b8716c..8d29379eb2 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.9 2022/11/08 17:01:57 jsing Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.10 2022/11/08 17:07:17 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -4618,20 +4618,7 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
  uint8_t seed[32];
  arc4random_buf(seed, 32);
+  ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
-  uint8_t az[SHA512_DIGEST_LENGTH];
-  SHA512(seed, 32, az);
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-  ge_p3 A;
-  x25519_ge_scalarmult_base(&A, az);
-  ge_p3_tobytes(out_public_key, &A);
-  memcpy(out_private_key, seed, 32);
-  memmove(out_private_key + 32, out_public_key, 32);
 }
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
@@ -4705,6 +4692,24 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
+void ED25519_keypair_from_seed(uint8_t out_public_key[32],
+                               uint8_t out_private_key[64],
+                               const uint8_t seed[32]) {
+  uint8_t az[SHA512_DIGEST_LENGTH];
+  SHA512(seed, 32, az);
+  az[0] &= 248;
+  az[31] &= 63;
+  az[31] |= 64;
+  ge_p3 A;
+  x25519_ge_scalarmult_base(&A, az);
+  ge_p3_tobytes(out_public_key, &A);
+  memcpy(out_private_key, seed, 32);
+  memcpy(out_private_key + 32, out_public_key, 32);
+}
 /* Replace (f,g) with (g,f) if b == 1;
 * replace (f,g) with (f,g) if b == 0.
 *
diff --git a/src/lib/libcrypto/curve25519/curve25519_internal.h b/src/lib/libcrypto/curve25519/curve25519_internal.h
index 09d20a4fec..9d2ee9b4d7 100644
--- a/src/lib/libcrypto/curve25519/curve25519_internal.h
+++ b/src/lib/libcrypto/curve25519/curve25519_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519_internal.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/*      $OpenBSD: curve25519_internal.h,v 1.4 2022/11/08 17:07:17 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -94,6 +94,9 @@ void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
 void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],
    const uint8_t point[32]);
+void ED25519_keypair_from_seed(uint8_t out_public_key[32],
+    uint8_t out_private_key[64], const uint8_t seed[32]);
 __END_HIDDEN_DECLS
 #endif  /* HEADER_CURVE25519_INTERNAL_H */
author	jsing <>	2022-11-08 17:07:17 +0000
committer	jsing <>	2022-11-08 17:07:17 +0000
commit	27c24322af3fca9f304fa1354083afab3f7936ac (patch)
tree	e91257a03a763d3d237930fddaae3bdf3b823f1d
parent	b9365b175ab806c695b4ada3ea43095a8627e0d0 (diff)
download	openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.tar.gz openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.tar.bz2 openbsd-27c24322af3fca9f304fa1354083afab3f7936ac.zip

diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c index 7713b8716c..8d29379eb2 100644 --- a/src/lib/libcrypto/curve25519/curve25519.c +++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: curve25519.c,v 1.9 2022/11/08 17:01:57 jsing Exp $ */	1	/* $OpenBSD: curve25519.c,v 1.10 2022/11/08 17:07:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015, Google Inc.	3	* Copyright (c) 2015, Google Inc.
4	*	4	*
@@ -4618,20 +4618,7 @@ sc_muladd(uint8_t s, const uint8_t a, const uint8_t *b,
4618	void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {	4618	void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
4619	uint8_t seed[32];	4619	uint8_t seed[32];
4620	arc4random_buf(seed, 32);	4620	arc4random_buf(seed, 32);
4621		4621	ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
4622	uint8_t az[SHA512_DIGEST_LENGTH];
4623	SHA512(seed, 32, az);
4624
4625	az[0] &= 248;
4626	az[31] &= 63;
4627	az[31] \|= 64;
4628
4629	ge_p3 A;
4630	x25519_ge_scalarmult_base(&A, az);
4631	ge_p3_tobytes(out_public_key, &A);
4632
4633	memcpy(out_private_key, seed, 32);
4634	memmove(out_private_key + 32, out_public_key, 32);
4635	}	4622	}
4636		4623
4637	int ED25519_sign(uint8_t out_sig, const uint8_t message, size_t message_len,	4624	int ED25519_sign(uint8_t out_sig, const uint8_t message, size_t message_len,
@@ -4705,6 +4692,24 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
4705	return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;	4692	return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
4706	}	4693	}
4707		4694
		4695	void ED25519_keypair_from_seed(uint8_t out_public_key[32],
		4696	uint8_t out_private_key[64],
		4697	const uint8_t seed[32]) {
		4698	uint8_t az[SHA512_DIGEST_LENGTH];
		4699	SHA512(seed, 32, az);
		4700
		4701	az[0] &= 248;
		4702	az[31] &= 63;
		4703	az[31] \|= 64;
		4704
		4705	ge_p3 A;
		4706	x25519_ge_scalarmult_base(&A, az);
		4707	ge_p3_tobytes(out_public_key, &A);
		4708
		4709	memcpy(out_private_key, seed, 32);
		4710	memcpy(out_private_key + 32, out_public_key, 32);
		4711	}
		4712
4708	/* Replace (f,g) with (g,f) if b == 1;	4713	/* Replace (f,g) with (g,f) if b == 1;
4709	* replace (f,g) with (f,g) if b == 0.	4714	* replace (f,g) with (f,g) if b == 0.
4710	*	4715	*


diff --git a/src/lib/libcrypto/curve25519/curve25519_internal.h b/src/lib/libcrypto/curve25519/curve25519_internal.h index 09d20a4fec..9d2ee9b4d7 100644 --- a/src/lib/libcrypto/curve25519/curve25519_internal.h +++ b/src/lib/libcrypto/curve25519/curve25519_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: curve25519_internal.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */	1	/* $OpenBSD: curve25519_internal.h,v 1.4 2022/11/08 17:07:17 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015, Google Inc.	3	* Copyright (c) 2015, Google Inc.
4	*	4	*
@@ -94,6 +94,9 @@ void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
94	void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],	94	void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],
95	const uint8_t point[32]);	95	const uint8_t point[32]);
96		96
		97	void ED25519_keypair_from_seed(uint8_t out_public_key[32],
		98	uint8_t out_private_key[64], const uint8_t seed[32]);
		99
97	__END_HIDDEN_DECLS	100	__END_HIDDEN_DECLS
98		101
99	#endif /* HEADER_CURVE25519_INTERNAL_H */	102	#endif /* HEADER_CURVE25519_INTERNAL_H */