3 files changed, 40 insertions, 45 deletions

diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 8d29379eb2..56373db923 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.10 2022/11/08 17:07:17 jsing Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.11 2022/11/09 17:39:29 jsing Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -4615,14 +4615,30 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
   s[31] = s11 >> 17;
 }
 
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
-  uint8_t seed[32];
-  arc4random_buf(seed, 32);
-  ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
+void ED25519_public_from_private(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH],
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH]) {
+  uint8_t az[SHA512_DIGEST_LENGTH];
+  SHA512(private_key, 32, az);
+
+  az[0] &= 248;
+  az[31] &= 63;
+  az[31] |= 64;
+
+  ge_p3 A;
+  x25519_ge_scalarmult_base(&A, az);
+  ge_p3_tobytes(out_public_key, &A);
+}
+
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH],
+    uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]) {
+  arc4random_buf(out_private_key, 32);
+
+  ED25519_public_from_private(out_public_key, out_private_key);
 }
 
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
-                 const uint8_t private_key[64]) {
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH],
+    const uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH]) {
   uint8_t az[SHA512_DIGEST_LENGTH];
   SHA512(private_key, 32, az);
 
@@ -4644,7 +4660,7 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
 
   SHA512_Init(&hash_ctx);
   SHA512_Update(&hash_ctx, out_sig, 32);
-  SHA512_Update(&hash_ctx, private_key + 32, 32);
+  SHA512_Update(&hash_ctx, public_key, 32);
   SHA512_Update(&hash_ctx, message, message_len);
   uint8_t hram[SHA512_DIGEST_LENGTH];
   SHA512_Final(hram, &hash_ctx);
@@ -4656,7 +4672,8 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
 }
 
 int ED25519_verify(const uint8_t *message, size_t message_len,
-                   const uint8_t signature[64], const uint8_t public_key[32]) {
+    const uint8_t signature[ED25519_SIGNATURE_LENGTH],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]) {
   ge_p3 A;
   if ((signature[63] & 224) != 0 ||
       x25519_ge_frombytes_vartime(&A, public_key) != 0) {
@@ -4692,24 +4709,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
   return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
 
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
-                               uint8_t out_private_key[64],
-                               const uint8_t seed[32]) {
-  uint8_t az[SHA512_DIGEST_LENGTH];
-  SHA512(seed, 32, az);
-
-  az[0] &= 248;
-  az[31] &= 63;
-  az[31] |= 64;
-
-  ge_p3 A;
-  x25519_ge_scalarmult_base(&A, az);
-  ge_p3_tobytes(out_public_key, &A);
-
-  memcpy(out_private_key, seed, 32);
-  memcpy(out_private_key + 32, out_public_key, 32);
-}
-
 /* Replace (f,g) with (g,f) if b == 1;
  * replace (f,g) with (f,g) if b == 0.
  *
diff --git a/src/lib/libcrypto/curve25519/curve25519.h b/src/lib/libcrypto/curve25519/curve25519.h
index 164f2e9e7f..8b84c889cd 100644
--- a/src/lib/libcrypto/curve25519/curve25519.h
+++ b/src/lib/libcrypto/curve25519/curve25519.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.h,v 1.4 2022/11/06 16:31:19 jsing Exp $ */
+/*      $OpenBSD: curve25519.h,v 1.5 2022/11/09 17:39:29 jsing Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -67,31 +67,27 @@ int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH],
  *
  * Ed25519 is a signature scheme using a twisted Edwards curve that is
  * birationally equivalent to curve25519.
- *
- * Note that, unlike RFC 8032's formulation, our private key representation
- * includes a public key suffix to make multiple key signing operations with the
- * same key more efficient. The RFC 8032 private key is referred to in this
- * implementation as the "seed" and is the first 32 bytes of our private key.
  */
 
-#define ED25519_PRIVATE_KEY_LEN 64
-#define ED25519_PUBLIC_KEY_LEN  32
-#define ED25519_SIGNATURE_LEN   64
+#define ED25519_PRIVATE_KEY_LENGTH      32
+#define ED25519_PUBLIC_KEY_LENGTH       32
+#define ED25519_SIGNATURE_LENGTH        64
 
 /*
  * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
  * generated, public/private key pair.
  */
-void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
-    uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]); 
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH],
+    uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]); 
 
 /*
  * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
- * |message| using |private_key|. It returns one on success or zero on
- * allocation failure.
+ * |message| using |public_key| and |private_key|. It returns one on success
+ * or zero on allocation failure.
  */
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
-    const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH],
+    const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]);
 
 /*
  * ED25519_verify returns one iff |signature| is a valid signature by
@@ -99,8 +95,8 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
  * otherwise.
  */
 int ED25519_verify(const uint8_t *message, size_t message_len,
-    const uint8_t signature[ED25519_SIGNATURE_LEN],
-    const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+    const uint8_t signature[ED25519_SIGNATURE_LENGTH],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]);
 #endif
 
 #if defined(__cplusplus)
diff --git a/src/lib/libcrypto/curve25519/curve25519_internal.h b/src/lib/libcrypto/curve25519/curve25519_internal.h
index 9d2ee9b4d7..0a98781651 100644
--- a/src/lib/libcrypto/curve25519/curve25519_internal.h
+++ b/src/lib/libcrypto/curve25519/curve25519_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519_internal.h,v 1.4 2022/11/08 17:07:17 jsing Exp $ */
+/*      $OpenBSD: curve25519_internal.h,v 1.5 2022/11/09 17:39:29 jsing Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -94,8 +94,8 @@ void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
 void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],
     const uint8_t point[32]);
 
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
-    uint8_t out_private_key[64], const uint8_t seed[32]);
+void ED25519_public_from_private(uint8_t out_public_key[32],
+    const uint8_t private_key[32]);
 
 __END_HIDDEN_DECLS