From d4d001df371f2ccd13eee7f9d7f4c6594a080168 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 5 Apr 2017 16:09:57 +0100
Subject: [PATCH] Make Ed25519 consistent with X25519
Rename and change ED25519_keypair_from_seed to ED25519_public_from_private
to be consistent with X25519 API.
Modidy ED25519_sign to take separate public key argument instead of
requiring it to follow the private key.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)
---
crypto/ec/curve25519.c | 22 ++++++----------------
crypto/ec/ec_lcl.h | 8 +++-----
2 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c
index a8b664ec26..72580334ff 100644
--- a/crypto/ec/curve25519.c
+++ b/crypto/ec/curve25519.c
@@ -4590,15 +4590,9 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
s[30] = s11 >> 9;
s[31] = s11 >> 17;
}
-#if 0
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
- uint8_t seed[32];
- RAND_bytes(seed, 32);
- ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
-}
-#endif
+
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
- const uint8_t private_key[64]) {
+ const uint8_t public_key[32], const uint8_t private_key[32]) {
uint8_t az[SHA512_DIGEST_LENGTH];
uint8_t nonce[SHA512_DIGEST_LENGTH];
ge_p3 R;
@@ -4622,7 +4616,7 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
SHA512_Init(&hash_ctx);
SHA512_Update(&hash_ctx, out_sig, 32);
- SHA512_Update(&hash_ctx, private_key + 32, 32);
+ SHA512_Update(&hash_ctx, public_key, 32);
SHA512_Update(&hash_ctx, message, message_len);
SHA512_Final(hram, &hash_ctx);
@@ -4670,13 +4664,12 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
}
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
- uint8_t out_private_key[64],
- const uint8_t seed[32]) {
+void ED25519_public_from_private(uint8_t out_public_key[32],
+ const uint8_t private_key[32]) {
uint8_t az[SHA512_DIGEST_LENGTH];
ge_p3 A;
- SHA512(seed, 32, az);
+ SHA512(private_key, 32, az);
az[0] &= 248;
az[31] &= 63;
@@ -4684,9 +4677,6 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32],
ge_scalarmult_base(&A, az);
ge_p3_tobytes(out_public_key, &A);
-
- memcpy(out_private_key, seed, 32);
- memcpy(out_private_key + 32, out_public_key, 32);
}
int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index 7d2c27c9f3..10c0ac140f 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -608,14 +608,12 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey);
-void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]);
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
- const uint8_t private_key[64]);
+ const uint8_t public_key[32], const uint8_t private_key[32]);
int ED25519_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[64], const uint8_t public_key[32]);
-void ED25519_keypair_from_seed(uint8_t out_public_key[32],
- uint8_t out_private_key[64],
- const uint8_t seed[32]);
+void ED25519_public_from_private(uint8_t out_public_key[32],
+ const uint8_t private_key[32]);
int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
const uint8_t peer_public_value[32]);
--
2.25.1