summaryrefslogtreecommitdiff
path: root/lib/libcrypto/curve25519
diff options
context:
space:
mode:
authorJoel Sing <jsing@cvs.openbsd.org>2022-11-06 16:31:20 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2022-11-06 16:31:20 +0000
commitcf0aebed2a0fc88fd04a4641318fdff7f0724626 (patch)
treefe50794a83d97a6329977a3ed2e1f8280146f77e /lib/libcrypto/curve25519
parent301e4a2a119f0904354bef2ba62e187f026fb261 (diff)
Enable Ed25519 internal to libcrypto.
Based on a diff from tb@
Diffstat (limited to 'lib/libcrypto/curve25519')
-rw-r--r--lib/libcrypto/curve25519/curve25519.c15
-rw-r--r--lib/libcrypto/curve25519/curve25519.h44
2 files changed, 44 insertions, 15 deletions
diff --git a/lib/libcrypto/curve25519/curve25519.c b/lib/libcrypto/curve25519/curve25519.c
index 6df03a3a6b8..ba177365878 100644
--- a/lib/libcrypto/curve25519/curve25519.c
+++ b/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519.c,v 1.6 2022/02/08 16:44:23 tb Exp $ */
+/* $OpenBSD: curve25519.c,v 1.7 2022/11/06 16:31:19 jsing Exp $ */
/*
* Copyright (c) 2015, Google Inc.
*
@@ -28,10 +28,7 @@
#include <string.h>
#include <openssl/curve25519.h>
-
-#ifdef ED25519
#include <openssl/sha.h>
-#endif
#include "curve25519_internal.h"
@@ -979,7 +976,6 @@ void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) {
s[31] ^= fe_isnegative(x) << 7;
}
-#ifdef ED25519
static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
fe recip;
fe x;
@@ -991,7 +987,6 @@ static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
fe_tobytes(s, y);
s[31] ^= fe_isnegative(x) << 7;
}
-#endif
static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729,
-8787816, -6275908, -3247719, -18696448, -12055116};
@@ -1146,7 +1141,6 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe_sub(r->T, t0, r->T);
}
-#ifdef ED25519
/* r = p - q */
static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
@@ -1162,7 +1156,6 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe_sub(r->Z, t0, r->T);
fe_add(r->T, t0, r->T);
}
-#endif
/* r = p + q */
void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
@@ -3624,7 +3617,6 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
}
}
-#ifdef ED25519
static void slide(signed char *r, const uint8_t *a) {
int i;
int b;
@@ -3799,7 +3791,6 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
x25519_ge_p1p1_to_p2(r, &t);
}
}
-#endif
/* The set of scalars is \Z/l
* where l = 2^252 + 27742317777372353535851937790883648493. */
@@ -4145,7 +4136,6 @@ x25519_sc_reduce(uint8_t *s) {
s[31] = s11 >> 17;
}
-#ifdef ED25519
/* Input:
* a[0]+256*a[1]+...+256^31*a[31] = a
* b[0]+256*b[1]+...+256^31*b[31] = b
@@ -4636,9 +4626,7 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
s[30] = s11 >> 9;
s[31] = s11 >> 17;
}
-#endif
-#ifdef ED25519
void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
uint8_t seed[32];
arc4random_buf(seed, 32);
@@ -4728,7 +4716,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
}
-#endif
/* Replace (f,g) with (g,f) if b == 1;
* replace (f,g) with (f,g) if b == 0.
diff --git a/lib/libcrypto/curve25519/curve25519.h b/lib/libcrypto/curve25519/curve25519.h
index c16a4e2632d..164f2e9e7f7 100644
--- a/lib/libcrypto/curve25519/curve25519.h
+++ b/lib/libcrypto/curve25519/curve25519.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/* $OpenBSD: curve25519.h,v 1.4 2022/11/06 16:31:19 jsing Exp $ */
/*
* Copyright (c) 2015, Google Inc.
*
@@ -61,6 +61,48 @@ int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH],
const uint8_t private_key[X25519_KEY_LENGTH],
const uint8_t peers_public_value[X25519_KEY_LENGTH]);
+#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
+/*
+ * ED25519
+ *
+ * Ed25519 is a signature scheme using a twisted Edwards curve that is
+ * birationally equivalent to curve25519.
+ *
+ * Note that, unlike RFC 8032's formulation, our private key representation
+ * includes a public key suffix to make multiple key signing operations with the
+ * same key more efficient. The RFC 8032 private key is referred to in this
+ * implementation as the "seed" and is the first 32 bytes of our private key.
+ */
+
+#define ED25519_PRIVATE_KEY_LEN 64
+#define ED25519_PUBLIC_KEY_LEN 32
+#define ED25519_SIGNATURE_LEN 64
+
+/*
+ * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
+ * generated, public/private key pair.
+ */
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+ uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
+
+/*
+ * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
+ * |message| using |private_key|. It returns one on success or zero on
+ * allocation failure.
+ */
+int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+
+/*
+ * ED25519_verify returns one iff |signature| is a valid signature by
+ * |public_key| of |message_len| bytes from |message|. It returns zero
+ * otherwise.
+ */
+int ED25519_verify(const uint8_t *message, size_t message_len,
+ const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+#endif
+
#if defined(__cplusplus)
} /* extern C */
#endif