Enable Ed25519 internal to libcrypto.

Based on a diff from tb@
author: jsing <> 2022-11-06 16:31:19 +0000
committer: jsing <> 2022-11-06 16:31:19 +0000
commit: 31e087414121c2fe69dc13e645736cfb41326928 (patch)
tree: 6558ea2fc10732e5fd37dfb480ab28ba02bb29fb
parent: f2eba431d20bd067a9ae63ed15fa21eaa1187379 (diff)
download: openbsd-31e087414121c2fe69dc13e645736cfb41326928.tar.gz
openbsd-31e087414121c2fe69dc13e645736cfb41326928.tar.bz2
openbsd-31e087414121c2fe69dc13e645736cfb41326928.zip
2 files changed, 44 insertions, 15 deletions
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 6df03a3a6b..ba17736587 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.6 2022/02/08 16:44:23 tb Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.7 2022/11/06 16:31:19 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -28,10 +28,7 @@
 #include <string.h>
 #include <openssl/curve25519.h>
-#ifdef ED25519
 #include <openssl/sha.h>
-#endif
 #include "curve25519_internal.h"
@@ -979,7 +976,6 @@ void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) {
  s[31] ^= fe_isnegative(x) << 7;
 }
-#ifdef ED25519
 static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
  fe recip;
  fe x;
@@ -991,7 +987,6 @@ static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
  fe_tobytes(s, y);
  s[31] ^= fe_isnegative(x) << 7;
 }
-#endif
 static const fe d = {-10913610, 13857413, -15372611, 6949391,   114729,
                     -8787816,  -6275908, -3247719,  -18696448, -12055116};
@@ -1146,7 +1141,6 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe_sub(r->T, t0, r->T);
 }
-#ifdef ED25519
 /* r = p - q */
 static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe t0;
@@ -1162,7 +1156,6 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
  fe_sub(r->Z, t0, r->T);
  fe_add(r->T, t0, r->T);
 }
-#endif
 /* r = p + q */
 void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
@@ -3624,7 +3617,6 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
  }
 }
-#ifdef ED25519
 static void slide(signed char *r, const uint8_t *a) {
  int i;
  int b;
@@ -3799,7 +3791,6 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
    x25519_ge_p1p1_to_p2(r, &t);
  }
 }
-#endif
 /* The set of scalars is \Z/l
 * where l = 2^252 + 27742317777372353535851937790883648493. */
@@ -4145,7 +4136,6 @@ x25519_sc_reduce(uint8_t *s) {
  s[31] = s11 >> 17;
 }
-#ifdef ED25519
 /* Input:
 *   a[0]+256*a[1]+...+256^31*a[31] = a
 *   b[0]+256*b[1]+...+256^31*b[31] = b
@@ -4636,9 +4626,7 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  s[30] = s11 >> 9;
  s[31] = s11 >> 17;
 }
-#endif
-#ifdef ED25519
 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
  uint8_t seed[32];
  arc4random_buf(seed, 32);
@@ -4728,7 +4716,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
-#endif
 /* Replace (f,g) with (g,f) if b == 1;
 * replace (f,g) with (f,g) if b == 0.
diff --git a/src/lib/libcrypto/curve25519/curve25519.h b/src/lib/libcrypto/curve25519/curve25519.h
index c16a4e2632..164f2e9e7f 100644
--- a/src/lib/libcrypto/curve25519/curve25519.h
+++ b/src/lib/libcrypto/curve25519/curve25519.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/*      $OpenBSD: curve25519.h,v 1.4 2022/11/06 16:31:19 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -61,6 +61,48 @@ int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH],
    const uint8_t private_key[X25519_KEY_LENGTH],
    const uint8_t peers_public_value[X25519_KEY_LENGTH]);
+#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
+/*
+ * ED25519
+ *
+ * Ed25519 is a signature scheme using a twisted Edwards curve that is
+ * birationally equivalent to curve25519.
+ *
+ * Note that, unlike RFC 8032's formulation, our private key representation
+ * includes a public key suffix to make multiple key signing operations with the
+ * same key more efficient. The RFC 8032 private key is referred to in this
+ * implementation as the "seed" and is the first 32 bytes of our private key.
+ */
+#define ED25519_PRIVATE_KEY_LEN 64
+#define ED25519_PUBLIC_KEY_LEN  32
+#define ED25519_SIGNATURE_LEN   64
+/*
+ * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
+ * generated, public/private key pair.
+ */
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+    uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]); 
+/*
+ * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
+ * |message| using |private_key|. It returns one on success or zero on
+ * allocation failure.
+ */
+int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+/*
+ * ED25519_verify returns one iff |signature| is a valid signature by
+ * |public_key| of |message_len| bytes from |message|. It returns zero
+ * otherwise.
+ */
+int ED25519_verify(const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LEN],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+#endif
 #if defined(__cplusplus)
 }  /* extern C */
 #endif
author	jsing <>	2022-11-06 16:31:19 +0000
committer	jsing <>	2022-11-06 16:31:19 +0000
commit	31e087414121c2fe69dc13e645736cfb41326928 (patch)
tree	6558ea2fc10732e5fd37dfb480ab28ba02bb29fb
parent	f2eba431d20bd067a9ae63ed15fa21eaa1187379 (diff)
download	openbsd-31e087414121c2fe69dc13e645736cfb41326928.tar.gz openbsd-31e087414121c2fe69dc13e645736cfb41326928.tar.bz2 openbsd-31e087414121c2fe69dc13e645736cfb41326928.zip