| Commit message | Author | Age | Files | Lines |

ok tb@
The argument change to x5519_ge_scalarmult_base() was made to match the
prototype in the header. More recent compilers warn about such ptr vs
array mismatches.
Add a check that ensures that the upper half s of an Ed25519 signature is
bounded by the group order, i.e., 0 <= s < order. This is required by the
Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple
modifications of signatures such as adding (a multiple of) the group order
to the upper half of the signature.
Found with EdDSA testcase 63 of project Wycheproof.
ok beck jsing
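The range check this commit describes, written out as an added example that is not taken from the LibreSSL tree: a little-endian compare of the upper 32 bytes of a signature against the Ed25519 group order L from RFC 8032, plus a constructed helper that builds the s + L variant the check must reject (the Wycheproof case mentioned above). Function names are assumed.

```c
#include <stdint.h>

/* Group order L of the Ed25519 base point, little-endian (RFC 8032, 5.1). */
static const uint8_t ED25519_L[32] = {
	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2,
	0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
};

/*
 * Return 1 if the 32-byte little-endian scalar s satisfies 0 <= s < L,
 * 0 otherwise. Compares from the most significant byte down; equality in
 * every byte means s == L, which is out of range. The scalar is public
 * signature data, so a variable-time compare is acceptable here.
 */
int
ed25519_scalar_in_range(const uint8_t s[32])
{
	int i;

	for (i = 31; i >= 0; i--) {
		if (s[i] < ED25519_L[i])
			return 1;
		if (s[i] > ED25519_L[i])
			return 0;
	}
	return 0;
}

/* RFC 8032 5.1.7 step 1 applied to a 64-byte signature R || s. */
int
ed25519_signature_s_in_range(const uint8_t sig[64])
{
	return ed25519_scalar_in_range(sig + 32);
}

/* Constructed helper: out = a + L (mod 2^256), little-endian. Only used
 * to build a test vector of the kind the check above rejects. */
void
ed25519_scalar_add_order(uint8_t out[32], const uint8_t a[32])
{
	unsigned int carry = 0;
	int i;

	for (i = 0; i < 32; i++) {
		carry += (unsigned int)a[i] + ED25519_L[i];
		out[i] = (uint8_t)carry;
		carry >>= 8;
	}
}
```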
ok tb@
BoringSSL implemented a compound private key, which includes a copy of the
public key as a performance optimisation for signing. However, this does
not readily match with how EVP works, makes the ED25519 API inconsistent
with the X25519 API, diverges from the RFC and does not align with the
OpenSSL API. Instead, the caller can readily compute the public key and
pass this in to the signing process.
ok tb@
This brings in ED25519_keypair_from_seed() from BoringSSL commit
c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences
between us and BoringSSL.
From BoringSSL 997c706d43504.
Based on a diff from tb@
a 'const uint8_t *a' to a 'const uint8_t a[32]' to match
the prototype in curve25519_internal.h and the other variant
inside OPENSSL_SMALL.
ok millert
ok beck@
ok jsing@
Spotted by guenther@
ok jsing@
This brings in code from BoringSSL, which is mostly taken from SUPERCOP.
ok beck@ bcook@