1 files changed, 0 insertions, 211 deletions
diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3
deleted file mode 100644
index a327f8c7b2..0000000000
--- a/src/lib/libcrypto/man/X25519.3
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
-.\" contains some text from: BoringSSL curve25519.h, curve25519.c
-.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
-.\"
-.\" Copyright (c) 2015 Google Inc.
-.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" According to the BoringSSL git history, those parts of the text in
-.\" the present manual page that are Copyrighted by Google were probably
-.\" written by Adam Langley <agl@google.com> in 2015.
-.\" I fail to see any such text in the public domain files written
-.\" by Daniel J. Bernstein and others that are included in SUPERCOP
-.\" and that Adam Langley's BoringSSL implementation is based on.
-.\"
-.Dd $Mdocdate: December 15 2022 $
-.Dt X25519 3
-.Os
-.Sh NAME
-.Nm X25519 ,
-.Nm X25519_keypair ,
-.Nm ED25519_keypair ,
-.Nm ED25519_sign ,
-.Nm ED25519_verify
-.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
-.Sh SYNOPSIS
-.In openssl/curve25519.h
-.Ft int
-.Fo X25519
-.Fa "uint8_t out_shared_key[X25519_KEY_LENGTH]"
-.Fa "const uint8_t private_key[X25519_KEY_LENGTH]"
-.Fa "const uint8_t peer_public_value[X25519_KEY_LENGTH]"
-.Fc
-.Ft void
-.Fo X25519_keypair
-.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"
-.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"
-.Fc
-.Ft void
-.Fo ED25519_keypair
-.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]"
-.Fc
-.Ft int
-.Fo ED25519_sign
-.Fa "uint8_t *out_sig"
-.Fa "const uint8_t *message"
-.Fa "size_t message_len"
-.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]"
-.Fc
-.Ft int
-.Fo ED25519_verify
-.Fa "const uint8_t *message"
-.Fa "size_t message_len"
-.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]"
-.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fc
-.Sh DESCRIPTION
-Curve25519 is an elliptic curve over a prime field
-specified in RFC 7748 section 4.1.
-The prime field is defined by the prime number 2^255 - 19.
-.Pp
-X25519
-is the Diffie-Hellman primitive built from Curve25519 as described
-in RFC 7748 section 5.
-Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman
-(ECDH) protocol.
-.Pp
-.Fn X25519
-writes a shared key to
-.Fa out_shared_key
-that is calculated from the given
-.Fa private_key
-and the
-.Fa peer_public_value
-by scalar multiplication.
-Do not use the shared key directly, rather use a key derivation
-function and also include the two public values as inputs.
-.Pp
-.Fn X25519_keypair
-sets
-.Fa out_public_value
-and
-.Fa out_private_key
-to a freshly generated public/private key pair.
-First, the
-.Fa out_private_key
-is generated with
-.Xr arc4random_buf 3 .
-Then, the opposite of the masking described in RFC 7748 section 5
-is applied to it to make sure that the generated private key is never
-correctly masked.
-The purpose is to cause incorrect implementations on the peer side
-to consistently fail.
-Correct implementations will decode the key correctly even when it is
-not correctly masked.
-Finally, the
-.Fa out_public_value
-is calculated from the
-.Fa out_private_key
-by multiplying it with the Montgomery base point
-.Vt uint8_t u[32] No = Brq 9 .
-.Pp
-The size of a public and private key is
-.Dv X25519_KEY_LENGTH No = 32
-bytes each.
-.Pp
-Ed25519 is a signature scheme using a twisted Edwards curve
-that is birationally equivalent to Curve25519.
-.Pp
-.Fn ED25519_keypair
-sets
-.Fa out_public_key
-and
-.Fa out_private_key
-to a freshly generated public/private key pair.
-First, the
-.Fa out_private_key
-is generated with
-.Xr arc4random_buf 3 .
-Then, the
-.Fa out_public_key
-is calculated from the private key.
-.Pp
-.Fn ED25519_sign
-signs the
-.Fa message
-of
-.Fa message_len
-bytes using the
-.Fa public_key
-and the
-.Fa private_key
-and writes the signature to
-.Fa out_sig .
-.Pp
-.Fn ED25519_verify
-checks that signing the
-.Fa message
-of
-.Fa message_len
-bytes using the
-.Fa public_key
-would indeed result in the given
-.Fa signature .
-.Pp
-The sizes of a public and private keys are
-.Dv ED25519_PUBLIC_KEY_LENGTH
-and
-.Dv ED25519_PRIVATE_KEY_LENGTH ,
-which are both 32 bytes, and the size of a signature is
-.Dv ED25519_SIGNATURE_LENGTH No = 64
-bytes.
-.Sh RETURN VALUES
-.Fn X25519
-and
-.Fn ED25519_sign
-return 1 on success or 0 on error.
-.Fn X25519
-can fail if the input is a point of small order.
-.Fn ED25519_sign
-always succeeds in LibreSSL, but the API reserves the return value 0
-for memory allocation failure.
-.Pp
-.Fn ED25519_verify
-returns 1 if the
-.Fa signature
-is valid or 0 otherwise.
-.Sh SEE ALSO
-.Xr ECDH_compute_key 3 ,
-.Xr EVP_DigestSign 3 ,
-.Xr EVP_DigestVerify 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_keygen 3
-.Rs
-.%A Daniel J. Bernstein
-.%R A state-of-the-art Diffie-Hellman function:\
-    How do I use Curve25519 in my own software?
-.%U https://cr.yp.to/ecdh.html
-.Re
-.Rs
-.%A Daniel J. Bernstein
-.%A Niels Duif
-.%A Tanja Lange
-.%A Peter Schwabe
-.%A Bo-Yin Yang
-.%T High-Speed High-Security Signatures
-.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011
-.%I Springer
-.%J Lecture Notes in Computer Science
-.%V vol 6917
-.%U https://doi.org/10.1007/978-3-642-23951-9_9
-.%C Nara, Japan
-.%D September 29, 2011
-.Re
-.Sh STANDARDS
-RFC 7748: Elliptic Curves for Security
-.Pp
-RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)

diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3 deleted file mode 100644 index a327f8c7b2..0000000000 --- a/src/lib/libcrypto/man/X25519.3 +++ /dev/null
@@ -1,211 +0,0 @@
1	.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
2	.\" contains some text from: BoringSSL curve25519.h, curve25519.c
3	.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
4	.\"
5	.\" Copyright (c) 2015 Google Inc.
6	.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
7	.\"
8	.\" Permission to use, copy, modify, and/or distribute this software for any
9	.\" purpose with or without fee is hereby granted, provided that the above
10	.\" copyright notice and this permission notice appear in all copies.
11	.\"
12	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
13	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
14	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
15	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
16	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
17	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
18	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19	.\"
20	.\" According to the BoringSSL git history, those parts of the text in
21	.\" the present manual page that are Copyrighted by Google were probably
22	.\" written by Adam Langley <agl@google.com> in 2015.
23	.\" I fail to see any such text in the public domain files written
24	.\" by Daniel J. Bernstein and others that are included in SUPERCOP
25	.\" and that Adam Langley's BoringSSL implementation is based on.
26	.\"
27	.Dd $Mdocdate: December 15 2022 $
28	.Dt X25519 3
29	.Os
30	.Sh NAME
31	.Nm X25519 ,
32	.Nm X25519_keypair ,
33	.Nm ED25519_keypair ,
34	.Nm ED25519_sign ,
35	.Nm ED25519_verify
36	.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
37	.Sh SYNOPSIS
38	.In openssl/curve25519.h
39	.Ft int
40	.Fo X25519
41	.Fa "uint8_t out_shared_key[X25519_KEY_LENGTH]"
42	.Fa "const uint8_t private_key[X25519_KEY_LENGTH]"
43	.Fa "const uint8_t peer_public_value[X25519_KEY_LENGTH]"
44	.Fc
45	.Ft void
46	.Fo X25519_keypair
47	.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"
48	.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"
49	.Fc
50	.Ft void
51	.Fo ED25519_keypair
52	.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]"
53	.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]"
54	.Fc
55	.Ft int
56	.Fo ED25519_sign
57	.Fa "uint8_t *out_sig"
58	.Fa "const uint8_t *message"
59	.Fa "size_t message_len"
60	.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
61	.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]"
62	.Fc
63	.Ft int
64	.Fo ED25519_verify
65	.Fa "const uint8_t *message"
66	.Fa "size_t message_len"
67	.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]"
68	.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
69	.Fc
70	.Sh DESCRIPTION
71	Curve25519 is an elliptic curve over a prime field
72	specified in RFC 7748 section 4.1.
73	The prime field is defined by the prime number 2^255 - 19.
74	.Pp
75	X25519
76	is the Diffie-Hellman primitive built from Curve25519 as described
77	in RFC 7748 section 5.
78	Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman
79	(ECDH) protocol.
80	.Pp
81	.Fn X25519
82	writes a shared key to
83	.Fa out_shared_key
84	that is calculated from the given
85	.Fa private_key
86	and the
87	.Fa peer_public_value
88	by scalar multiplication.
89	Do not use the shared key directly, rather use a key derivation
90	function and also include the two public values as inputs.
91	.Pp
92	.Fn X25519_keypair
93	sets
94	.Fa out_public_value
95	and
96	.Fa out_private_key
97	to a freshly generated public/private key pair.
98	First, the
99	.Fa out_private_key
100	is generated with
101	.Xr arc4random_buf 3 .
102	Then, the opposite of the masking described in RFC 7748 section 5
103	is applied to it to make sure that the generated private key is never
104	correctly masked.
105	The purpose is to cause incorrect implementations on the peer side
106	to consistently fail.
107	Correct implementations will decode the key correctly even when it is
108	not correctly masked.
109	Finally, the
110	.Fa out_public_value
111	is calculated from the
112	.Fa out_private_key
113	by multiplying it with the Montgomery base point
114	.Vt uint8_t u[32] No = Brq 9 .
115	.Pp
116	The size of a public and private key is
117	.Dv X25519_KEY_LENGTH No = 32
118	bytes each.
119	.Pp
120	Ed25519 is a signature scheme using a twisted Edwards curve
121	that is birationally equivalent to Curve25519.
122	.Pp
123	.Fn ED25519_keypair
124	sets
125	.Fa out_public_key
126	and
127	.Fa out_private_key
128	to a freshly generated public/private key pair.
129	First, the
130	.Fa out_private_key
131	is generated with
132	.Xr arc4random_buf 3 .
133	Then, the
134	.Fa out_public_key
135	is calculated from the private key.
136	.Pp
137	.Fn ED25519_sign
138	signs the
139	.Fa message
140	of
141	.Fa message_len
142	bytes using the
143	.Fa public_key
144	and the
145	.Fa private_key
146	and writes the signature to
147	.Fa out_sig .
148	.Pp
149	.Fn ED25519_verify
150	checks that signing the
151	.Fa message
152	of
153	.Fa message_len
154	bytes using the
155	.Fa public_key
156	would indeed result in the given
157	.Fa signature .
158	.Pp
159	The sizes of a public and private keys are
160	.Dv ED25519_PUBLIC_KEY_LENGTH
161	and
162	.Dv ED25519_PRIVATE_KEY_LENGTH ,
163	which are both 32 bytes, and the size of a signature is
164	.Dv ED25519_SIGNATURE_LENGTH No = 64
165	bytes.
166	.Sh RETURN VALUES
167	.Fn X25519
168	and
169	.Fn ED25519_sign
170	return 1 on success or 0 on error.
171	.Fn X25519
172	can fail if the input is a point of small order.
173	.Fn ED25519_sign
174	always succeeds in LibreSSL, but the API reserves the return value 0
175	for memory allocation failure.
176	.Pp
177	.Fn ED25519_verify
178	returns 1 if the
179	.Fa signature
180	is valid or 0 otherwise.
181	.Sh SEE ALSO
182	.Xr ECDH_compute_key 3 ,
183	.Xr EVP_DigestSign 3 ,
184	.Xr EVP_DigestVerify 3 ,
185	.Xr EVP_PKEY_derive 3 ,
186	.Xr EVP_PKEY_keygen 3
187	.Rs
188	.%A Daniel J. Bernstein
189	.%R A state-of-the-art Diffie-Hellman function:\
190	How do I use Curve25519 in my own software?
191	.%U https://cr.yp.to/ecdh.html
192	.Re
193	.Rs
194	.%A Daniel J. Bernstein
195	.%A Niels Duif
196	.%A Tanja Lange
197	.%A Peter Schwabe
198	.%A Bo-Yin Yang
199	.%T High-Speed High-Security Signatures
200	.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011
201	.%I Springer
202	.%J Lecture Notes in Computer Science
203	.%V vol 6917
204	.%U https://doi.org/10.1007/978-3-642-23951-9_9
205	.%C Nara, Japan
206	.%D September 29, 2011
207	.Re
208	.Sh STANDARDS
209	RFC 7748: Elliptic Curves for Security
210	.Pp
211	RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)