[openssl/openssl] 836080: Support all five EdDSA instances from RFC 8032

James Muir noreply at github.com
Fri Jan 13 07:12:15 UTC 2023

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 836080a89a1f5e45dac4e0df76b9270587f65d5b
  Author: James Muir <muir.james.a at gmail.com>
  Date:   2023-01-13 (Fri, 13 Jan 2023)

  Changed paths:
    M crypto/ec/curve25519.c
    M crypto/ec/curve448/curve448_local.h
    M crypto/ec/curve448/eddsa.c
    M crypto/ec/ecx_meth.c
    M doc/man7/EVP_SIGNATURE-ED25519.pod
    M include/crypto/ecx.h
    M include/openssl/core_names.h
    M providers/implementations/signature/eddsa_sig.c
    M test/curve448_internal_test.c
    M test/recipes/30-test_evp_data/evppkey_ecx.txt

  Log Message:
  Support all five EdDSA instances from RFC 8032

Fixes #6277

Make each of the five EdDSA instances defined in RFC 8032 -- Ed25519,
Ed25519ctx, Ed25519ph, Ed448, Ed448ph -- available via the EVP APIs.

The desired EdDSA instance is specified via an OSSL_PARAM.

All instances, except for Ed25519, allow context strings as input.
Context strings are passed via an OSSL_PARAM.  For Ed25519ctx, the
context string must be nonempty.

Ed25519, Ed25519ctx, Ed448 are PureEdDSA instances, which means that
the full message (not a digest) must be passed to sign and verify.

Ed25519ph, Ed448ph are HashEdDSA instances, which means that the input
message is hashed before sign and verify.

All 21 test vectors from RFC 8032 have been added to evppkey_ecx.txt
(thanks to Shane Lontis for showing how to do that).  Those 21 test
vectors are exercised by evp_test.c and cover all five instances.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19705)
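
The instance rules in the log message above (Ed25519 takes no context string, Ed25519ctx requires a nonempty one, Ed25519ph hashes the message first), as an added pure-Python model of the RFC 8032 Ed25519 family. This is not OpenSSL's code or API: every function name is hypothetical, the arithmetic is not constant time, and the two Ed448 instances are left out.

```python
import hashlib

P, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
D = -121665 * pow(121666, -1, P) % P
H = lambda b: int.from_bytes(hashlib.sha512(b).digest(), "little")
enc = lambda pt: (pt[1] | (pt[0] & 1) << 255).to_bytes(32, "little")
INSTANCES = {"Ed25519": (None, 0, 0), "Ed25519ctx": (0, 1, 255), "Ed25519ph": (1, 0, 255)}

def add(a, b):  # affine twisted Edwards addition (complete on this curve)
    t = D * a[0] * b[0] * a[1] * b[1]
    return ((a[0] * b[1] + b[0] * a[1]) * pow(1 + t, -1, P) % P,
            (a[1] * b[1] + a[0] * b[0]) * pow(1 - t, -1, P) % P)

def mul(s, pt, q=(0, 1)):  # double-and-add; not constant time
    while s:
        q, pt, s = (add(q, pt) if s & 1 else q), add(pt, pt), s >> 1
    return q

def dec(b):  # returns None unless b is a canonical encoding of a curve point
    sign, y = divmod(int.from_bytes(b, "little"), 2**255)
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    x = x if (x * x - x2) % P == 0 else x * pow(2, (P - 1) // 4, P) % P
    if len(b) != 32 or y >= P or (x * x - x2) % P or (x == 0 and sign):
        return None
    return (x if (x & 1) == sign else P - x, y)

G = dec((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # base point, y = 4/5

def prep(inst, ctx, msg):  # INSTANCES row = (phflag, min ctx len, max ctx len)
    ph, lo, hi = INSTANCES[inst]
    if not lo <= len(ctx) <= hi:
        raise ValueError(f"{inst}: context string must be {lo}..{hi} bytes")
    dom = b"" if ph is None else b"SigEd25519 no Ed25519 collisions" + bytes([ph, len(ctx)]) + ctx
    return dom, hashlib.sha512(msg).digest() if ph else msg  # (dom2, hashed input)

def sign(inst, seed, msg, ctx=b""):  # -> (public key, signature)
    dom, m = prep(inst, ctx, msg)
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & (2**254 - 8) | 2**254  # clamp
    A, r = enc(mul(a, G)), H(dom + h[32:] + m) % L
    R = enc(mul(r, G))
    return A, R + ((r + H(dom + R + A + m) * a) % L).to_bytes(32, "little")

def verify(inst, pub, msg, sig, ctx=b""):
    dom, m = prep(inst, ctx, msg)
    A, R, s = dec(pub), dec(sig[:32]), int.from_bytes(sig[32:], "little")
    ok = len(sig) == 64 and A is not None and R is not None and s < L
    return ok and mul(s, G) == add(R, mul(H(dom + sig[:32] + pub + m) % L, A))
```

Because the dom2 prefix is hashed into both the nonce and the challenge, a signature made under one instance or context string fails verification under any other, even with the same key and message.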
