summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto')
-rw-r--r--src/lib/libcrypto/curve25519/curve25519.c15
-rw-r--r--src/lib/libcrypto/curve25519/curve25519.h44
2 files changed, 44 insertions, 15 deletions
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 6df03a3a6b..ba17736587 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: curve25519.c,v 1.6 2022/02/08 16:44:23 tb Exp $ */ 1/* $OpenBSD: curve25519.c,v 1.7 2022/11/06 16:31:19 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2015, Google Inc. 3 * Copyright (c) 2015, Google Inc.
4 * 4 *
@@ -28,10 +28,7 @@
28#include <string.h> 28#include <string.h>
29 29
30#include <openssl/curve25519.h> 30#include <openssl/curve25519.h>
31
32#ifdef ED25519
33#include <openssl/sha.h> 31#include <openssl/sha.h>
34#endif
35 32
36#include "curve25519_internal.h" 33#include "curve25519_internal.h"
37 34
@@ -979,7 +976,6 @@ void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) {
979 s[31] ^= fe_isnegative(x) << 7; 976 s[31] ^= fe_isnegative(x) << 7;
980} 977}
981 978
982#ifdef ED25519
983static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) { 979static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
984 fe recip; 980 fe recip;
985 fe x; 981 fe x;
@@ -991,7 +987,6 @@ static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
991 fe_tobytes(s, y); 987 fe_tobytes(s, y);
992 s[31] ^= fe_isnegative(x) << 7; 988 s[31] ^= fe_isnegative(x) << 7;
993} 989}
994#endif
995 990
996static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729, 991static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729,
997 -8787816, -6275908, -3247719, -18696448, -12055116}; 992 -8787816, -6275908, -3247719, -18696448, -12055116};
@@ -1146,7 +1141,6 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
1146 fe_sub(r->T, t0, r->T); 1141 fe_sub(r->T, t0, r->T);
1147} 1142}
1148 1143
1149#ifdef ED25519
1150/* r = p - q */ 1144/* r = p - q */
1151static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { 1145static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
1152 fe t0; 1146 fe t0;
@@ -1162,7 +1156,6 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
1162 fe_sub(r->Z, t0, r->T); 1156 fe_sub(r->Z, t0, r->T);
1163 fe_add(r->T, t0, r->T); 1157 fe_add(r->T, t0, r->T);
1164} 1158}
1165#endif
1166 1159
1167/* r = p + q */ 1160/* r = p + q */
1168void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { 1161void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
@@ -3624,7 +3617,6 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
3624 } 3617 }
3625} 3618}
3626 3619
3627#ifdef ED25519
3628static void slide(signed char *r, const uint8_t *a) { 3620static void slide(signed char *r, const uint8_t *a) {
3629 int i; 3621 int i;
3630 int b; 3622 int b;
@@ -3799,7 +3791,6 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
3799 x25519_ge_p1p1_to_p2(r, &t); 3791 x25519_ge_p1p1_to_p2(r, &t);
3800 } 3792 }
3801} 3793}
3802#endif
3803 3794
3804/* The set of scalars is \Z/l 3795/* The set of scalars is \Z/l
3805 * where l = 2^252 + 27742317777372353535851937790883648493. */ 3796 * where l = 2^252 + 27742317777372353535851937790883648493. */
@@ -4145,7 +4136,6 @@ x25519_sc_reduce(uint8_t *s) {
4145 s[31] = s11 >> 17; 4136 s[31] = s11 >> 17;
4146} 4137}
4147 4138
4148#ifdef ED25519
4149/* Input: 4139/* Input:
4150 * a[0]+256*a[1]+...+256^31*a[31] = a 4140 * a[0]+256*a[1]+...+256^31*a[31] = a
4151 * b[0]+256*b[1]+...+256^31*b[31] = b 4141 * b[0]+256*b[1]+...+256^31*b[31] = b
@@ -4636,9 +4626,7 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
4636 s[30] = s11 >> 9; 4626 s[30] = s11 >> 9;
4637 s[31] = s11 >> 17; 4627 s[31] = s11 >> 17;
4638} 4628}
4639#endif
4640 4629
4641#ifdef ED25519
4642void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) { 4630void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
4643 uint8_t seed[32]; 4631 uint8_t seed[32];
4644 arc4random_buf(seed, 32); 4632 arc4random_buf(seed, 32);
@@ -4728,7 +4716,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
4728 4716
4729 return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0; 4717 return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
4730} 4718}
4731#endif
4732 4719
4733/* Replace (f,g) with (g,f) if b == 1; 4720/* Replace (f,g) with (g,f) if b == 1;
4734 * replace (f,g) with (f,g) if b == 0. 4721 * replace (f,g) with (f,g) if b == 0.
diff --git a/src/lib/libcrypto/curve25519/curve25519.h b/src/lib/libcrypto/curve25519/curve25519.h
index c16a4e2632..164f2e9e7f 100644
--- a/src/lib/libcrypto/curve25519/curve25519.h
+++ b/src/lib/libcrypto/curve25519/curve25519.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */ 1/* $OpenBSD: curve25519.h,v 1.4 2022/11/06 16:31:19 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2015, Google Inc. 3 * Copyright (c) 2015, Google Inc.
4 * 4 *
@@ -61,6 +61,48 @@ int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH],
61 const uint8_t private_key[X25519_KEY_LENGTH], 61 const uint8_t private_key[X25519_KEY_LENGTH],
62 const uint8_t peers_public_value[X25519_KEY_LENGTH]); 62 const uint8_t peers_public_value[X25519_KEY_LENGTH]);
63 63
64#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
65/*
66 * ED25519
67 *
68 * Ed25519 is a signature scheme using a twisted Edwards curve that is
69 * birationally equivalent to curve25519.
70 *
71 * Note that, unlike RFC 8032's formulation, our private key representation
72 * includes a public key suffix to make multiple key signing operations with the
73 * same key more efficient. The RFC 8032 private key is referred to in this
74 * implementation as the "seed" and is the first 32 bytes of our private key.
75 */
76
77#define ED25519_PRIVATE_KEY_LEN 64
78#define ED25519_PUBLIC_KEY_LEN 32
79#define ED25519_SIGNATURE_LEN 64
80
81/*
82 * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
83 * generated, public/private key pair.
84 */
85void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
86 uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
87
88/*
89 * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
90 * |message| using |private_key|. It returns one on success or zero on
91 * allocation failure.
92 */
93int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
94 const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
95
96/*
97 * ED25519_verify returns one iff |signature| is a valid signature by
98 * |public_key| of |message_len| bytes from |message|. It returns zero
99 * otherwise.
100 */
101int ED25519_verify(const uint8_t *message, size_t message_len,
102 const uint8_t signature[ED25519_SIGNATURE_LEN],
103 const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
104#endif
105
64#if defined(__cplusplus) 106#if defined(__cplusplus)
65} /* extern C */ 107} /* extern C */
66#endif 108#endif
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 20:37:00 +0000