path: root/src/lib/libcrypto/curve25519
Commit message (author, date, files changed, lines removed/added)
* Hide symbols in curve25519  (beck, 2023-07-08, 1 file, -1/+6)
    ok tb@
* Revert r1.9 and reinstate r1.6  (tb, 2023-04-02, 1 file, -2/+2)
    The argument change to x25519_ge_scalarmult_base() was made to match the prototype in the header. More recent compilers warn about such ptr vs array mismatches.
* Prevent Ed25519 signature malleability  (tb, 2022-11-17, 1 file, -1/+28)
    Add a check that ensures that the upper half s of an Ed25519 signature is bounded by the group order, i.e., 0 <= s < order. This is required by the Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple modifications of signatures such as adding (a multiple of) the group order to the upper half of the signature.

    Found with EdDSA testcase 63 of project Wycheproof.

    ok beck jsing
* Expose direct access API for Ed25519.  (tb, 2022-11-13, 1 file, -3/+1)
* zap stray space (CRITICAL!)  (tb, 2022-11-11, 1 file, -2/+2)
* Make X25519_public_from_private() internally reachable.  (jsing, 2022-11-09, 2 files, -5/+8)
* Rename public_value to public_key for consistency.  (jsing, 2022-11-09, 1 file, -9/+9)
    ok tb@
* Rework ED25519 API.  (jsing, 2022-11-09, 3 files, -45/+40)
    BoringSSL implemented a compound private key, which includes a copy of the public key as a performance optimisation for signing. However, this does not readily match with how EVP works, makes the ED25519 API inconsistent with the X25519 API, diverges from the RFC and does not align with the OpenSSL API. Instead, the caller can readily compute the public key and pass this in to the signing process.

    ok tb@
* Refactor/split ED25519_keypair.  (jsing, 2022-11-08, 2 files, -16/+24)
    This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.
* Change function argument to reduce differences with BoringSSL.  (jsing, 2022-11-08, 1 file, -2/+2)
* Remove pointless loops.  (jsing, 2022-11-08, 1 file, -13/+1)
    From BoringSSL 997c706d43504.
* Enable Ed25519 internal to libcrypto.  (jsing, 2022-11-06, 2 files, -15/+44)
    Based on a diff from tb@
* Change second argument of x25519_ge_scalarmult_base() from a 'const uint8_t *a' to a 'const uint8_t a[32]'  (tb, 2022-02-08, 1 file, -2/+2)
    This matches the prototype in curve25519_internal.h and the other variant inside OPENSSL_SMALL.

    ok millert
* $OpenBSD$  (tb, 2019-05-11, 4 files, -0/+4)
* Define X25519_KEY_LENGTH and use it so we have fewer magic numbers.  (jsing, 2016-12-17, 2 files, -6/+12)
    ok beck@
* Use __{BEGIN,END}_HIDDEN_DECLS to avoid exporting the internal symbols  (guenther, 2016-11-07, 1 file, -6/+2)
    ok jsing@
* Avoid compiling in an unused function.  (jsing, 2016-11-06, 1 file, -0/+2)
    Spotted by guenther@
* adjust guards to elide unused Bi array  (bcook, 2016-11-06, 1 file, -2/+0)
    ok jsing@
* Add support for X25519.  (jsing, 2016-11-05, 4 files, -0/+5130)
    This brings in code from BoringSSL, which is mostly taken from SUPERCOP.

    ok beck@ bcook@