Add Curve25519->Ed25519 support to ed25519-donna (Not yet used).

This needs to be done to allow for the possibility of removing the
ref10 code at a later date, though it is not performance critical.
When integrated by kludging it into tor, it passes unit tests, and is
twice as fast.

diff --git a/src/ext/ed25519/donna/README.tor b/src/ext/ed25519/donna/README.tor
index fa11a367713827008e383577c2e2246de1ee5b0e..212fb119a2be1e08d930806f4192661465149872 100644 (file)
--- a/src/ext/ed25519/donna/README.tor
+++ b/src/ext/ed25519/donna/README.tor
@@ -20,6 +20,10 @@ as of 8757bd4cd209cb032853ece0ce413f122eef212c.
     * There's an implementation of multiplicative key blinding so we
       can use it for next-gen hidden service descriptors.
 
+    * There's an implementation of 'convert a curve25519 key to an
+      ed25519 key' so we can do cross-certification with curve25519
+      keys.
+
  * `ED25519_FN(ed25519_randombytes_unsafe)` is now static.
 
  * `ed25519-randombytes-custom.h` has the appropriate code to call

diff --git a/src/ext/ed25519/donna/ed25519_donna_tor.h b/src/ext/ed25519/donna/ed25519_donna_tor.h
index a5a53f38bb7bbbba56ade18459eaec60ee5ffbde..d225407b1c89421fe27d9cb760c62075056919ce 100644 (file)
--- a/src/ext/ed25519/donna/ed25519_donna_tor.h
+++ b/src/ext/ed25519/donna/ed25519_donna_tor.h
@@ -27,4 +27,7 @@ int ed25519_donna_blind_secret_key(unsigned char *out, const unsigned char *inp,
 int ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp,
   const unsigned char *param);
 
+int ed25519_donna_pubkey_from_curve25519_pubkey(unsigned char *out,
+  const unsigned char *inp, int signbit);
+
 #endif

diff --git a/src/ext/ed25519/donna/ed25519_tor.c b/src/ext/ed25519/donna/ed25519_tor.c
index 5f2c9c956136736c5e86a983c713a20de1a8fe52..7f5894da79f874d910c4b8a204034432633c2d2a 100644 (file)
--- a/src/ext/ed25519/donna/ed25519_tor.c
+++ b/src/ext/ed25519/donna/ed25519_tor.c
@@ -139,6 +139,8 @@ ED25519_FN(curved25519_scalarmult_basepoint) (curved25519_key pk, const curved25
     * Routines that deal with the private key now use the expanded form.
 
     * Support for multiplicative key blinding has been added.
+
+    * Support for converting a Curve25519 key to an Ed25519 key has been added.
  */
 
 int
@@ -317,5 +319,26 @@ ed25519_donna_blind_public_key(unsigned char *out, const unsigned char *inp,
   return 0;
 }
 
+int
+ed25519_donna_pubkey_from_curve25519_pubkey(unsigned char *out,
+  const unsigned char *inp, int signbit)
+{
+  static const bignum25519 one = { 1 };
+  bignum25519 ALIGN(16) u, uminus1, uplus1, inv_uplus1, y;
+
+  /* Prop228: y = (u-1)/(u+1) */
+  curve25519_expand(u, inp);
+  curve25519_sub(uminus1, u, one);
+  curve25519_add(uplus1, u, one);
+  curve25519_recip(inv_uplus1, uplus1);
+  curve25519_mul(y, uminus1, inv_uplus1);
+  curve25519_contract(out, y);
+
+  /* Propagate sign. */
+  out[31] |= (!!signbit) << 7;
+
+  return 0;
+}
+
 #include "test-internals.c"