From dac51b63a4140febe34689a3aa7279b115464d88 Mon Sep 17 00:00:00 2001
From: jsing
Date: Tue, 8 Nov 2022 17:07:17 +0000
Subject: [PATCH] Refactor/split ED25519_keypair.

This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.
---
 lib/libcrypto/curve25519/curve25519.c | 35 +++++++++++--------
 .../curve25519/curve25519_internal.h | 5 ++-
 2 files changed, 24 insertions(+), 16 deletions(-)

diff --git a/lib/libcrypto/curve25519/curve25519.c b/lib/libcrypto/curve25519/curve25519.c
index 7713b8716c4..8d29379eb23 100644
--- a/lib/libcrypto/curve25519/curve25519.c
+++ b/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519.c,v 1.9 2022/11/08 17:01:57 jsing Exp $ */
+/* $OpenBSD: curve25519.c,v 1.10 2022/11/08 17:07:17 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -4618,20 +4618,7 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
 uint8_t seed[32];
 arc4random_buf(seed, 32);
-
- uint8_t az[SHA512_DIGEST_LENGTH];
- SHA512(seed, 32, az);
-
- az[0] &= 248;
- az[31] &= 63;
- az[31] |= 64;
-
- ge_p3 A;
- x25519_ge_scalarmult_base(&A, az);
- ge_p3_tobytes(out_public_key, &A);
-
- memcpy(out_private_key, seed, 32);
- memmove(out_private_key + 32, out_public_key, 32);
+ ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
 }
 
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
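Review bot: `seed` in ED25519_keypair is the raw 32-byte private key and is left on the stack when the function returns; after the new `ED25519_keypair_from_seed(out_public_key, out_private_key, seed);` call add `explicit_bzero(seed, sizeof(seed));`. The same applies in the next hunk to `az` in ED25519_keypair_from_seed, which holds the clamped signing scalar derived from the seed, so `explicit_bzero(az, sizeof(az));` before its return. The copy written into out_private_key belongs to the caller, so this only removes the transient stack copies. If the goal is byte-for-byte parity with BoringSSL this would be a deliberate, documented divergence.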
@@ -4705,6 +4692,24 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
 
+void ED25519_keypair_from_seed(uint8_t out_public_key[32],
+ uint8_t out_private_key[64],
+ const uint8_t seed[32]) {
+ uint8_t az[SHA512_DIGEST_LENGTH];
+ SHA512(seed, 32, az);
+
+ az[0] &= 248;
+ az[31] &= 63;
+ az[31] |= 64;
+
+ ge_p3 A;
+ x25519_ge_scalarmult_base(&A, az);
+ ge_p3_tobytes(out_public_key, &A);
+
+ memcpy(out_private_key, seed, 32);
+ memcpy(out_private_key + 32, out_public_key, 32);
+}
+
 /* Replace (f,g) with (g,f) if b == 1;
 * replace (f,g) with (f,g) if b == 0.
 *
diff --git a/lib/libcrypto/curve25519/curve25519_internal.h b/lib/libcrypto/curve25519/curve25519_internal.h
index 09d20a4fec0..9d2ee9b4d7f 100644
--- a/lib/libcrypto/curve25519/curve25519_internal.h
+++ b/lib/libcrypto/curve25519/curve25519_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519_internal.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/* $OpenBSD: curve25519_internal.h,v 1.4 2022/11/08 17:07:17 jsing Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -94,6 +94,9 @@ void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
 void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32],
 const uint8_t point[32]);
 
+void ED25519_keypair_from_seed(uint8_t out_public_key[32],
+ uint8_t out_private_key[64], const uint8_t seed[32]);
+
 __END_HIDDEN_DECLS
 
 #endif /* HEADER_CURVE25519_INTERNAL_H */
-- 
2.20.1
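Review bot: The last line of ED25519_keypair_from_seed is `memcpy(out_private_key + 32, out_public_key, 32);`, whereas the body removed from ED25519_keypair in the previous hunk used memmove for the same step, so the new code acquires a no-overlap precondition between out_public_key and out_private_key+32 that is stated nowhere. A caller that laid its public key out inside the second half of its own 64-byte private-key buffer worked before and is undefined behaviour now. If the memcpy is intentional (it presumably matches the BoringSSL source the commit message cites), say so at the call site, e.g. `/* out_public_key must not alias out_private_key: memcpy, not memmove. */`; otherwise keep memmove. The ED25519_verify body shown as context begins outside the hunk.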
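Review bot: The new ED25519_keypair_from_seed declaration in curve25519_internal.h carries no contract comment, and the header is the only place a caller of this internal function will read what the three fixed-size parameters mean. A short comment above it should state that seed is the caller's 32-byte secret input, that out_private_key receives that seed in its first 32 bytes followed by the encoded public key in the remaining 32, and that out_public_key receives the 32-byte encoded public key, which is exactly what the definition in curve25519.c does. Whether the neighbouring x25519 declarations carry such comments is not visible in this hunk, so match their style if they do.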