-/* $OpenBSD: curve25519.c,v 1.6 2022/02/08 16:44:23 tb Exp $ */
+/* $OpenBSD: curve25519.c,v 1.7 2022/11/06 16:31:19 jsing Exp $ */
/*
* Copyright (c) 2015, Google Inc.
*
#include <string.h>
#include <openssl/curve25519.h>
-
-#ifdef ED25519
#include <openssl/sha.h>
-#endif
#include "curve25519_internal.h"
s[31] ^= fe_isnegative(x) << 7;
}
-#ifdef ED25519
static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
fe recip;
fe x;
fe_tobytes(s, y);
s[31] ^= fe_isnegative(x) << 7;
}
-#endif
static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729,
-8787816, -6275908, -3247719, -18696448, -12055116};
fe_sub(r->T, t0, r->T);
}
-#ifdef ED25519
/* r = p - q */
static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
fe_sub(r->Z, t0, r->T);
fe_add(r->T, t0, r->T);
}
-#endif
/* r = p + q */
void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
}
}
-#ifdef ED25519
static void slide(signed char *r, const uint8_t *a) {
int i;
int b;
x25519_ge_p1p1_to_p2(r, &t);
}
}
-#endif
/* The set of scalars is \Z/l
* where l = 2^252 + 27742317777372353535851937790883648493. */
s[31] = s11 >> 17;
}
-#ifdef ED25519
/* Input:
* a[0]+256*a[1]+...+256^31*a[31] = a
* b[0]+256*b[1]+...+256^31*b[31] = b
s[30] = s11 >> 9;
s[31] = s11 >> 17;
}
-#endif
-#ifdef ED25519
void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
uint8_t seed[32];
arc4random_buf(seed, 32);
return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
}
-#endif
/* Replace (f,g) with (g,f) if b == 1;
* replace (f,g) with (f,g) if b == 0.
-/* $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/* $OpenBSD: curve25519.h,v 1.4 2022/11/06 16:31:19 jsing Exp $ */
/*
* Copyright (c) 2015, Google Inc.
*
const uint8_t private_key[X25519_KEY_LENGTH],
const uint8_t peers_public_value[X25519_KEY_LENGTH]);
+#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
+/*
+ * ED25519
+ *
+ * Ed25519 is a signature scheme using a twisted Edwards curve that is
+ * birationally equivalent to curve25519.
+ *
+ * Note that, unlike RFC 8032's formulation, our private key representation
+ * includes a public key suffix to make multiple key signing operations with the
+ * same key more efficient. The RFC 8032 private key is referred to in this
+ * implementation as the "seed" and is the first 32 bytes of our private key.
+ */
+
+#define ED25519_PRIVATE_KEY_LEN 64
+#define ED25519_PUBLIC_KEY_LEN 32
+#define ED25519_SIGNATURE_LEN 64
+
+/*
+ * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
+ * generated, public/private key pair.
+ */
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LEN],
+ uint8_t out_private_key[ED25519_PRIVATE_KEY_LEN]);
+
+/*
+ * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
+ * |message| using |private_key|. It returns one on success or zero on
+ * allocation failure.
+ */
+int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+ const uint8_t private_key[ED25519_PRIVATE_KEY_LEN]);
+
+/*
+ * ED25519_verify returns one iff |signature| is a valid signature by
+ * |public_key| of |message_len| bytes from |message|. It returns zero
+ * otherwise.
+ */
+int ED25519_verify(const uint8_t *message, size_t message_len,
+ const uint8_t signature[ED25519_SIGNATURE_LEN],
+ const uint8_t public_key[ED25519_PUBLIC_KEY_LEN]);
+#endif
+
#if defined(__cplusplus)
} /* extern C */
#endif
projects / openbsd / commitdiff