Make Ed25519 consistent with X25519

Rename and change ED25519_keypair_from_seed to ED25519_public_from_private
to be consistent with X25519 API.

Modidy ED25519_sign to take separate public key argument instead of
requiring it to follow the private key.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)

diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index a8b664ec264c47389aa44e5c72b085c3bdf7b052..72580334ff539279bca01ee093ecd4546b1f5d9a 100644 (file)
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -4590,15 +4590,9 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
   s[30] = s11 >> 9;
   s[31] = s11 >> 17;
 }
-#if 0
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
-  uint8_t seed[32];
-  RAND_bytes(seed, 32);
-  ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
-}
-#endif
+
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
-                 const uint8_t private_key[64]) {
+                 const uint8_t public_key[32], const uint8_t private_key[32]) {
   uint8_t az[SHA512_DIGEST_LENGTH];
   uint8_t nonce[SHA512_DIGEST_LENGTH];
   ge_p3 R;
@@ -4622,7 +4616,7 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
 
   SHA512_Init(&hash_ctx);
   SHA512_Update(&hash_ctx, out_sig, 32);
-  SHA512_Update(&hash_ctx, private_key + 32, 32);
+  SHA512_Update(&hash_ctx, public_key, 32);
   SHA512_Update(&hash_ctx, message, message_len);
   SHA512_Final(hram, &hash_ctx);
 
@@ -4670,13 +4664,12 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
   return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
 
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
-                               uint8_t out_private_key[64],
-                               const uint8_t seed[32]) {
+void ED25519_public_from_private(uint8_t out_public_key[32],
+                                 const uint8_t private_key[32]) {
   uint8_t az[SHA512_DIGEST_LENGTH];
   ge_p3 A;
 
-  SHA512(seed, 32, az);
+  SHA512(private_key, 32, az);
 
   az[0] &= 248;
   az[31] &= 63;
@@ -4684,9 +4677,6 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32],
 
   ge_scalarmult_base(&A, az);
   ge_p3_tobytes(out_public_key, &A);
-
-  memcpy(out_private_key, seed, 32);
-  memcpy(out_private_key + 32, out_public_key, 32);
 }
 
 int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],

diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 7d2c27c9f3a1b0f676a1e02ff86f2959ac48c372..10c0ac140f3b9a31ec0069600d0892bbb08caa06 100644 (file)
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -608,14 +608,12 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
 int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
                           const ECDSA_SIG *sig, EC_KEY *eckey);
 
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]);
 int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
-                 const uint8_t private_key[64]);
+                 const uint8_t public_key[32], const uint8_t private_key[32]);
 int ED25519_verify(const uint8_t *message, size_t message_len,
                    const uint8_t signature[64], const uint8_t public_key[32]);
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
-                               uint8_t out_private_key[64],
-                               const uint8_t seed[32]);
+void ED25519_public_from_private(uint8_t out_public_key[32],
+                                 const uint8_t private_key[32]);
 
 int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
            const uint8_t peer_public_value[32]);