Merge branch 'jacob-ed'

configure.ac

@@ -643,6 +643,7 @@ AC_ARG_ENABLE([ecc25519],
 
 if test "$ENABLED_ECC25519" = "yes"
 then
+    ENABLED_FEMATH=yes
     AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC25519"
 fi
 
@@ -650,7 +651,31 @@ fi
 AM_CONDITIONAL([BUILD_ECC25519], [test "x$ENABLED_ECC25519" = "xyes"])
 
 
-# FP ECC, Fixed Point cache ECC 
+# ED25519
+AC_ARG_ENABLE([ed25519],
+    [AS_HELP_STRING([--enable-ed25519],[Enable ED25519 (default: disabled)])],
+    [ ENABLED_ED25519=$enableval ],
+    [ ENABLED_ED25519=no ]
+    )
+
+
+if test "$ENABLED_ED25519" = "yes"
+then
+    if test "$ENABLED_SHA512" = "no"
+    then
+        AC_MSG_ERROR([cannot enable ed25519 without enabling sha512.])
+    fi
+    ENABLED_FEMATH=yes
+    ENABLED_GEMATH=yes
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"
+fi
+
+
+AM_CONDITIONAL([BUILD_ED25519], [test "x$ENABLED_ED25519" = "xyes"])
+AM_CONDITIONAL([BUILD_FEMATH],  [test "x$ENABLED_FEMATH" = "xyes"])
+AM_CONDITIONAL([BUILD_GEMATH],  [test "x$ENABLED_GEMATH" = "xyes"])
+
+# FP ECC, Fixed Point cache ECC
 AC_ARG_ENABLE([fpecc],
     [  --enable-fpecc          Enable Fixed Point cache ECC (default: disabled)],
     [ ENABLED_FPECC=$enableval ],
@@ -1934,6 +1959,8 @@ echo "   * RSA:                       $ENABLED_RSA"
 echo "   * DSA:                       $ENABLED_DSA"
 echo "   * DH:                        $ENABLED_DH"
 echo "   * ECC:                       $ENABLED_ECC"
+echo "   * CURVE25519:                $ENABLED_ECC25519"
+echo "   * ED25519:                   $ENABLED_ED25519"
 echo "   * FPECC:                     $ENABLED_FPECC"
 echo "   * ECC_ENCRYPT:               $ENABLED_ECC_ENCRYPT"
 echo "   * ASN:                       $ENABLED_ASN"

src/include.am

@@ -169,7 +169,18 @@ endif
 
 if BUILD_ECC25519
 src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc25519.c
-src_libwolfssl_la_SOURCES += wolfcrypt/src/ecc25519_fe.c
+endif
+
+if BUILD_ED25519
+src_libwolfssl_la_SOURCES += wolfcrypt/src/ed25519.c
+endif
+
+if BUILD_FEMATH
+src_libwolfssl_la_SOURCES += wolfcrypt/src/fe_operations.c
+endif
+
+if BUILD_GEMATH
+src_libwolfssl_la_SOURCES += wolfcrypt/src/ge_operations.c
 endif
 
 if BUILD_LIBZ

wolfcrypt/benchmark/benchmark.c

@@ -60,6 +60,9 @@
 #ifdef HAVE_ECC25519
     #include <wolfssl/wolfcrypt/ecc25519.h>
 #endif
+#ifdef HAVE_ED25519
+    #include <wolfssl/wolfcrypt/ed25519.h>
+#endif
 
 #include <wolfssl/wolfcrypt/dh.h>
 #ifdef HAVE_CAVIUM
@@ -143,6 +146,10 @@ void bench_eccKeyAgree(void);
 void bench_ecc25519KeyGen(void);
 void bench_ecc25519KeyAgree(void);
 #endif
+#ifdef HAVE_ED25519
+void bench_ed25519KeyGen(void);
+void bench_ed25519KeySign(void);
+#endif
 #ifdef HAVE_NTRU
 void bench_ntru(void);
 void bench_ntruKeyGen(void);
@@ -354,6 +361,11 @@ int benchmark_test(void *args)
     bench_ecc25519KeyAgree();
 #endif
 
+#ifdef HAVE_ED25519
+    bench_ed25519KeyGen();
+    bench_ed25519KeySign();
+#endif
+
 #if defined(HAVE_LOCAL_RNG) && (defined(HAVE_HASHDRBG) || defined(NO_RC4))
     wc_FreeRng(&rng);
 #endif
@@ -1704,6 +1716,99 @@ void bench_ecc25519KeyAgree(void)
 }
 #endif /* HAVE_ECC25519 */
 
+#ifdef HAVE_ED25519
+void bench_ed25519KeyGen(void)
+{
+    ed25519_key genKey;
+    double start, total, each, milliEach;
+    int    i;
+
+    /* 256 bit */
+    start = current_time(1);
+
+    for(i = 0; i < genTimes; i++) {
+        wc_ed25519_init(&genKey);
+        wc_ed25519_make_key(&rng, 32, &genKey);
+        wc_ed25519_free(&genKey);
+    }
+
+    total = current_time(0) - start;
+    each  = total / genTimes;  /* per second  */
+    milliEach = each * 1000;   /* millisconds */
+    printf("\n");
+    printf("ED25519  key generation  %6.3f milliseconds, avg over %d"
+           " iterations\n", milliEach, genTimes);
+}
+
+
+void bench_ed25519KeySign(void)
+{
+    ed25519_key genKey, genKey2;
+    double start, total, each, milliEach;
+    int    i, ret;
+    byte   sig[ED25519_SIG_SIZE];
+    byte   digest[32];
+    word32 x = 0;
+
+    wc_ed25519_init(&genKey);
+    wc_ed25519_init(&genKey2);
+
+    ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &genKey);
+    if (ret != 0) {
+        printf("ed25519_make_key failed\n");
+        return;
+    }
+    ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &genKey2);
+    if (ret != 0) {
+        printf("ed25519_make_key failed\n");
+        return;
+    }
+
+    /* make dummy digest */
+    for (i = 0; i < (int)sizeof(digest); i++)
+        digest[i] = (byte)i;
+
+
+    start = current_time(1);
+
+    for(i = 0; i < agreeTimes; i++) {
+        x = sizeof(sig);
+        ret = wc_ed25519_sign_msg(digest, sizeof(digest), sig, &x, &genKey);
+        if (ret != 0) {
+            printf("ed25519_sign_hash failed\n");
+            return;
+        }
+    }
+
+    total = current_time(0) - start;
+    each  = total / agreeTimes;  /* per second  */
+    milliEach = each * 1000;   /* millisconds */
+    printf("ED25519  sign   time     %6.3f milliseconds, avg over %d"
+           " iterations\n", milliEach, agreeTimes);
+
+    start = current_time(1);
+
+    for(i = 0; i < agreeTimes; i++) {
+        int verify = 0;
+        ret = wc_ed25519_verify_msg(sig, x, digest, sizeof(digest), &verify,
+                                    &genKey);
+        if (ret != 0 || verify != 1) {
+            printf("ed25519_verify_hash failed\n");
+            return;
+        }
+    }
+
+    total = current_time(0) - start;
+    each  = total / agreeTimes;  /* per second  */
+    milliEach = each * 1000;     /* millisconds */
+    printf("ED25519  verify time     %6.3f milliseconds, avg over %d"
+           " iterations\n", milliEach, agreeTimes);
+
+    wc_ed25519_free(&genKey2);
+    wc_ed25519_free(&genKey);
+}
+#endif /* HAVE_ED25519 */
+
 
 #ifdef _WIN32
 

wolfcrypt/src/ecc25519.c

@@ -81,7 +81,26 @@ static int curve25519(unsigned char* q, unsigned char* n, unsigned char* p)
     fe_cswap(x2,x3,swap);
     fe_cswap(z2,z3,swap);
     swap = b;
-#include <wolfssl/wolfcrypt/ecc25519_montgomery.h>
+
+    /* montgomery */
+	fe_sub(tmp0,x3,z3);
+	fe_sub(tmp1,x2,z2);
+	fe_add(x2,x2,z2);
+	fe_add(z2,x3,z3);
+	fe_mul(z3,tmp0,x2);
+	fe_mul(z2,z2,tmp1);
+	fe_sq(tmp0,tmp1);
+	fe_sq(tmp1,x2);
+	fe_add(x3,z3,z2);
+	fe_sub(z2,z3,z2);
+	fe_mul(x2,tmp1,tmp0);
+	fe_sub(tmp1,tmp1,tmp0);
+	fe_sq(z2,z2);
+	fe_mul121666(z3,tmp1);
+	fe_sq(x3,x3);
+	fe_add(tmp0,tmp0,z3);
+	fe_mul(z3,x1,z2);
+	fe_mul(z2,tmp1,tmp0);
   }
   fe_cswap(x2,x3,swap);
   fe_cswap(z2,z3,swap);

wolfcrypt/test/test.c

@@ -66,6 +66,9 @@
 #ifdef HAVE_ECC25519
     #include <wolfssl/wolfcrypt/ecc25519.h>
 #endif
+#ifdef HAVE_ED25519
+    #include <wolfssl/wolfcrypt/ed25519.h>
+#endif
 #ifdef HAVE_BLAKE2
     #include <wolfssl/wolfcrypt/blake2.h>
 #endif
@@ -191,6 +194,9 @@ int pbkdf2_test(void);
 #ifdef HAVE_ECC25519
     int  ecc25519_test(void);
 #endif
+#ifdef HAVE_ED25519
+    int  ed25519_test(void);
+#endif
 #ifdef HAVE_BLAKE2
     int  blake2b_test(void);
 #endif
@@ -524,6 +530,13 @@ int wolfcrypt_test(void* args)
         printf( "ECC25519 test passed!\n");
 #endif
 
+#ifdef HAVE_ED25519
+    if ( (ret = ed25519_test()) != 0)
+        return err_sys("ED25519  test failed!\n", ret);
+    else
+        printf( "ED25519  test passed!\n");
+#endif
+
 #ifdef HAVE_LIBZ
     if ( (ret = compress_test()) != 0)
         return err_sys("COMPRESS test failed!\n", ret);
@@ -5274,7 +5287,7 @@ int ecc25519_test(void)
     if (y != x)
         return -1006;
 
-    if (memcmp(sharedA, sharedB, x))
+    if (XMEMCMP(sharedA, sharedB, x))
         return -1007;
 
     /* export a public key and import it for another user */
@@ -5289,7 +5302,7 @@ int ecc25519_test(void)
     if (wc_ecc25519_shared_secret(&userB, &pubKey, sharedB, &y) != 0)
         return -1010;
 
-    if (memcmp(sharedA, sharedB, y))
+    if (XMEMCMP(sharedA, sharedB, y))
         return -1011;
 
     /* import RFC test vectors and compare shared key */
@@ -5306,7 +5319,7 @@ int ecc25519_test(void)
     if (wc_ecc25519_shared_secret(&userA, &userB, sharedB, &y) != 0)
         return -1014;
 
-    if (memcmp(ss, sharedB, y))
+    if (XMEMCMP(ss, sharedB, y))
         return -1015;
 
     /* test swaping roles of keys and generating same shared key */
@@ -5314,7 +5327,7 @@ int ecc25519_test(void)
     if (wc_ecc25519_shared_secret(&userB, &userA, sharedB, &y) != 0)
         return -1016;
 
-    if (memcmp(ss, sharedB, y))
+    if (XMEMCMP(ss, sharedB, y))
         return -1017;
 
     /* clean up keys when done */
@@ -5331,6 +5344,418 @@ int ecc25519_test(void)
 #endif /* HAVE_ECC25519 */
 
 
+#ifdef HAVE_ED25519
+int ed25519_test(void)
+{
+    RNG    rng;
+    byte   out[ED25519_SIG_SIZE];
+    byte   exportPKey[ED25519_KEY_SIZE];
+    byte   exportSKey[ED25519_KEY_SIZE];
+    word32 outlen;
+    word32 exportPSz;
+    word32 exportSSz;
+    word32 keySz, sigSz;
+    int    i, verify;
+    ed25519_key key;
+    ed25519_key key2;
+
+    /* test vectors from
+       https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-02
+     */
+
+    const byte sKey1[] = {
+		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    };
+
+    const byte sKey2[] = {
+		0x4c,0xcd,0x08,0x9b,0x28,0xff,0x96,0xda,
+		0x9d,0xb6,0xc3,0x46,0xec,0x11,0x4e,0x0f,
+		0x5b,0x8a,0x31,0x9f,0x35,0xab,0xa6,0x24,
+		0xda,0x8c,0xf6,0xed,0x4f,0xb8,0xa6,0xfb
+    };
+
+    const byte sKey3[] = {
+		0xc5,0xaa,0x8d,0xf4,0x3f,0x9f,0x83,0x7b,
+		0xed,0xb7,0x44,0x2f,0x31,0xdc,0xb7,0xb1,
+		0x66,0xd3,0x85,0x35,0x07,0x6f,0x09,0x4b,
+		0x85,0xce,0x3a,0x2e,0x0b,0x44,0x58,0xf7
+    };
+
+    /* uncompressed test */
+    const byte sKey4[] = {
+		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    };
+
+    /* compressed prefix test */
+    const byte sKey5[] = {
+		0x9d,0x61,0xb1,0x9d,0xef,0xfd,0x5a,0x60,
+		0xba,0x84,0x4a,0xf4,0x92,0xec,0x2c,0xc4,
+		0x44,0x49,0xc5,0x69,0x7b,0x32,0x69,0x19,
+		0x70,0x3b,0xac,0x03,0x1c,0xae,0x7f,0x60
+    };
+
+    const byte sKey6[] = {
+		0xf5,0xe5,0x76,0x7c,0xf1,0x53,0x31,0x95,
+		0x17,0x63,0x0f,0x22,0x68,0x76,0xb8,0x6c,
+		0x81,0x60,0xcc,0x58,0x3b,0xc0,0x13,0x74,
+		0x4c,0x6b,0xf2,0x55,0xf5,0xcc,0x0e,0xe5
+    };
+
+    const byte* sKeys[] = {sKey1, sKey2, sKey3, sKey4, sKey5, sKey6};
+
+    const byte pKey1[] = {
+		0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
+		0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
+		0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
+		0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
+    };
+
+    const byte pKey2[] = {
+		0x3d,0x40,0x17,0xc3,0xe8,0x43,0x89,0x5a,
+		0x92,0xb7,0x0a,0xa7,0x4d,0x1b,0x7e,0xbc,
+        0x9c,0x98,0x2c,0xcf,0x2e,0xc4,0x96,0x8c,
+		0xc0,0xcd,0x55,0xf1,0x2a,0xf4,0x66,0x0c
+    };
+
+    const byte pKey3[] = {
+		0xfc,0x51,0xcd,0x8e,0x62,0x18,0xa1,0xa3,
+		0x8d,0xa4,0x7e,0xd0,0x02,0x30,0xf0,0x58,
+		0x08,0x16,0xed,0x13,0xba,0x33,0x03,0xac,
+		0x5d,0xeb,0x91,0x15,0x48,0x90,0x80,0x25
+    };
+
+    /* uncompressed test */
+    const byte pKey4[] = {
+		0x04,0x55,0xd0,0xe0,0x9a,0x2b,0x9d,0x34,
+		0x29,0x22,0x97,0xe0,0x8d,0x60,0xd0,0xf6,
+		0x20,0xc5,0x13,0xd4,0x72,0x53,0x18,0x7c,
+		0x24,0xb1,0x27,0x86,0xbd,0x77,0x76,0x45,
+		0xce,0x1a,0x51,0x07,0xf7,0x68,0x1a,0x02,
+		0xaf,0x25,0x23,0xa6,0xda,0xf3,0x72,0xe1,
+		0x0e,0x3a,0x07,0x64,0xc9,0xd3,0xfe,0x4b,
+		0xd5,0xb7,0x0a,0xb1,0x82,0x01,0x98,0x5a,
+		0xd7
+    };
+
+    /* compressed prefix */
+    const byte pKey5[] = {
+		0x40,0xd7,0x5a,0x98,0x01,0x82,0xb1,0x0a,0xb7,
+		0xd5,0x4b,0xfe,0xd3,0xc9,0x64,0x07,0x3a,
+		0x0e,0xe1,0x72,0xf3,0xda,0xa6,0x23,0x25,
+		0xaf,0x02,0x1a,0x68,0xf7,0x07,0x51,0x1a
+    };
+
+    const byte pKey6[] = {
+		0x27,0x81,0x17,0xfc,0x14,0x4c,0x72,0x34,
+		0x0f,0x67,0xd0,0xf2,0x31,0x6e,0x83,0x86,
+		0xce,0xff,0xbf,0x2b,0x24,0x28,0xc9,0xc5,
+		0x1f,0xef,0x7c,0x59,0x7f,0x1d,0x42,0x6e
+    };
+
+    const byte* pKeys[] = {pKey1, pKey2, pKey3, pKey4, pKey5, pKey6};
+    const byte  pKeySz[] = {sizeof(pKey1), sizeof(pKey2), sizeof(pKey3),
+                            sizeof(pKey4), sizeof(pKey5), sizeof(pKey6)};
+
+    const byte sig1[] = {
+		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    };
+
+    const byte sig2[] = {
+		0x92,0xa0,0x09,0xa9,0xf0,0xd4,0xca,0xb8,
+		0x72,0x0e,0x82,0x0b,0x5f,0x64,0x25,0x40,
+		0xa2,0xb2,0x7b,0x54,0x16,0x50,0x3f,0x8f,
+		0xb3,0x76,0x22,0x23,0xeb,0xdb,0x69,0xda,
+		0x08,0x5a,0xc1,0xe4,0x3e,0x15,0x99,0x6e,
+		0x45,0x8f,0x36,0x13,0xd0,0xf1,0x1d,0x8c,
+		0x38,0x7b,0x2e,0xae,0xb4,0x30,0x2a,0xee,
+		0xb0,0x0d,0x29,0x16,0x12,0xbb,0x0c,0x00
+    };
+
+    const byte sig3[] = {
+		0x62,0x91,0xd6,0x57,0xde,0xec,0x24,0x02,
+		0x48,0x27,0xe6,0x9c,0x3a,0xbe,0x01,0xa3,
+		0x0c,0xe5,0x48,0xa2,0x84,0x74,0x3a,0x44,
+		0x5e,0x36,0x80,0xd7,0xdb,0x5a,0xc3,0xac,
+		0x18,0xff,0x9b,0x53,0x8d,0x16,0xf2,0x90,
+		0xae,0x67,0xf7,0x60,0x98,0x4d,0xc6,0x59,
+		0x4a,0x7c,0x15,0xe9,0x71,0x6e,0xd2,0x8d,
+		0xc0,0x27,0xbe,0xce,0xea,0x1e,0xc4,0x0a
+    };
+
+    /* uncompressed test */
+    const byte sig4[] = {
+		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    };
+
+    /* compressed prefix */
+    const byte sig5[] = {
+		0xe5,0x56,0x43,0x00,0xc3,0x60,0xac,0x72,
+		0x90,0x86,0xe2,0xcc,0x80,0x6e,0x82,0x8a,
+		0x84,0x87,0x7f,0x1e,0xb8,0xe5,0xd9,0x74,
+		0xd8,0x73,0xe0,0x65,0x22,0x49,0x01,0x55,
+		0x5f,0xb8,0x82,0x15,0x90,0xa3,0x3b,0xac,
+		0xc6,0x1e,0x39,0x70,0x1c,0xf9,0xb4,0x6b,
+		0xd2,0x5b,0xf5,0xf0,0x59,0x5b,0xbe,0x24,
+		0x65,0x51,0x41,0x43,0x8e,0x7a,0x10,0x0b
+    };
+
+    const byte sig6[] = {
+		0x0a,0xab,0x4c,0x90,0x05,0x01,0xb3,0xe2,
+		0x4d,0x7c,0xdf,0x46,0x63,0x32,0x6a,0x3a,
+		0x87,0xdf,0x5e,0x48,0x43,0xb2,0xcb,0xdb,
+		0x67,0xcb,0xf6,0xe4,0x60,0xfe,0xc3,0x50,
+		0xaa,0x53,0x71,0xb1,0x50,0x8f,0x9f,0x45,
+		0x28,0xec,0xea,0x23,0xc4,0x36,0xd9,0x4b,
+		0x5e,0x8f,0xcd,0x4f,0x68,0x1e,0x30,0xa6,
+		0xac,0x00,0xa9,0x70,0x4a,0x18,0x8a,0x03
+    };
+
+    const byte* sigs[] = {sig1, sig2, sig3, sig4, sig5, sig6};
+
+    const byte msg1[]  = {};
+    const byte msg2[]  = {0x72};
+    const byte msg3[]  = {0xAF,0x82};
+
+    /* test of a 1024 byte long message */
+    const byte msg4[]  = {
+		0x08,0xb8,0xb2,0xb7,0x33,0x42,0x42,0x43,
+		0x76,0x0f,0xe4,0x26,0xa4,0xb5,0x49,0x08,
+		0x63,0x21,0x10,0xa6,0x6c,0x2f,0x65,0x91,
+		0xea,0xbd,0x33,0x45,0xe3,0xe4,0xeb,0x98,
+		0xfa,0x6e,0x26,0x4b,0xf0,0x9e,0xfe,0x12,
+		0xee,0x50,0xf8,0xf5,0x4e,0x9f,0x77,0xb1,
+		0xe3,0x55,0xf6,0xc5,0x05,0x44,0xe2,0x3f,
+		0xb1,0x43,0x3d,0xdf,0x73,0xbe,0x84,0xd8,
+		0x79,0xde,0x7c,0x00,0x46,0xdc,0x49,0x96,
+		0xd9,0xe7,0x73,0xf4,0xbc,0x9e,0xfe,0x57,
+		0x38,0x82,0x9a,0xdb,0x26,0xc8,0x1b,0x37,
+		0xc9,0x3a,0x1b,0x27,0x0b,0x20,0x32,0x9d,
+		0x65,0x86,0x75,0xfc,0x6e,0xa5,0x34,0xe0,
+		0x81,0x0a,0x44,0x32,0x82,0x6b,0xf5,0x8c,
+		0x94,0x1e,0xfb,0x65,0xd5,0x7a,0x33,0x8b,
+		0xbd,0x2e,0x26,0x64,0x0f,0x89,0xff,0xbc,
+		0x1a,0x85,0x8e,0xfc,0xb8,0x55,0x0e,0xe3,
+		0xa5,0xe1,0x99,0x8b,0xd1,0x77,0xe9,0x3a,
+		0x73,0x63,0xc3,0x44,0xfe,0x6b,0x19,0x9e,
+		0xe5,0xd0,0x2e,0x82,0xd5,0x22,0xc4,0xfe,
+		0xba,0x15,0x45,0x2f,0x80,0x28,0x8a,0x82,
+		0x1a,0x57,0x91,0x16,0xec,0x6d,0xad,0x2b,
+		0x3b,0x31,0x0d,0xa9,0x03,0x40,0x1a,0xa6,
+		0x21,0x00,0xab,0x5d,0x1a,0x36,0x55,0x3e,
+		0x06,0x20,0x3b,0x33,0x89,0x0c,0xc9,0xb8,
+		0x32,0xf7,0x9e,0xf8,0x05,0x60,0xcc,0xb9,
+		0xa3,0x9c,0xe7,0x67,0x96,0x7e,0xd6,0x28,
+		0xc6,0xad,0x57,0x3c,0xb1,0x16,0xdb,0xef,
+		0xef,0xd7,0x54,0x99,0xda,0x96,0xbd,0x68,
+		0xa8,0xa9,0x7b,0x92,0x8a,0x8b,0xbc,0x10,
+		0x3b,0x66,0x21,0xfc,0xde,0x2b,0xec,0xa1,
+		0x23,0x1d,0x20,0x6b,0xe6,0xcd,0x9e,0xc7,
+		0xaf,0xf6,0xf6,0xc9,0x4f,0xcd,0x72,0x04,
+		0xed,0x34,0x55,0xc6,0x8c,0x83,0xf4,0xa4,
+		0x1d,0xa4,0xaf,0x2b,0x74,0xef,0x5c,0x53,
+		0xf1,0xd8,0xac,0x70,0xbd,0xcb,0x7e,0xd1,
+		0x85,0xce,0x81,0xbd,0x84,0x35,0x9d,0x44,
+		0x25,0x4d,0x95,0x62,0x9e,0x98,0x55,0xa9,
+		0x4a,0x7c,0x19,0x58,0xd1,0xf8,0xad,0xa5,
+		0xd0,0x53,0x2e,0xd8,0xa5,0xaa,0x3f,0xb2,
+		0xd1,0x7b,0xa7,0x0e,0xb6,0x24,0x8e,0x59,
+		0x4e,0x1a,0x22,0x97,0xac,0xbb,0xb3,0x9d,
+		0x50,0x2f,0x1a,0x8c,0x6e,0xb6,0xf1,0xce,
+		0x22,0xb3,0xde,0x1a,0x1f,0x40,0xcc,0x24,
+		0x55,0x41,0x19,0xa8,0x31,0xa9,0xaa,0xd6,
+		0x07,0x9c,0xad,0x88,0x42,0x5d,0xe6,0xbd,
+		0xe1,0xa9,0x18,0x7e,0xbb,0x60,0x92,0xcf,
+		0x67,0xbf,0x2b,0x13,0xfd,0x65,0xf2,0x70,
+		0x88,0xd7,0x8b,0x7e,0x88,0x3c,0x87,0x59,
+		0xd2,0xc4,0xf5,0xc6,0x5a,0xdb,0x75,0x53,
+		0x87,0x8a,0xd5,0x75,0xf9,0xfa,0xd8,0x78,
+		0xe8,0x0a,0x0c,0x9b,0xa6,0x3b,0xcb,0xcc,
+		0x27,0x32,0xe6,0x94,0x85,0xbb,0xc9,0xc9,
+		0x0b,0xfb,0xd6,0x24,0x81,0xd9,0x08,0x9b,
+		0xec,0xcf,0x80,0xcf,0xe2,0xdf,0x16,0xa2,
+		0xcf,0x65,0xbd,0x92,0xdd,0x59,0x7b,0x07,
+		0x07,0xe0,0x91,0x7a,0xf4,0x8b,0xbb,0x75,
+		0xfe,0xd4,0x13,0xd2,0x38,0xf5,0x55,0x5a,
+		0x7a,0x56,0x9d,0x80,0xc3,0x41,0x4a,0x8d,
+		0x08,0x59,0xdc,0x65,0xa4,0x61,0x28,0xba,
+		0xb2,0x7a,0xf8,0x7a,0x71,0x31,0x4f,0x31,
+		0x8c,0x78,0x2b,0x23,0xeb,0xfe,0x80,0x8b,
+		0x82,0xb0,0xce,0x26,0x40,0x1d,0x2e,0x22,
+		0xf0,0x4d,0x83,0xd1,0x25,0x5d,0xc5,0x1a,
+		0xdd,0xd3,0xb7,0x5a,0x2b,0x1a,0xe0,0x78,
+		0x45,0x04,0xdf,0x54,0x3a,0xf8,0x96,0x9b,
+		0xe3,0xea,0x70,0x82,0xff,0x7f,0xc9,0x88,
+		0x8c,0x14,0x4d,0xa2,0xaf,0x58,0x42,0x9e,
+		0xc9,0x60,0x31,0xdb,0xca,0xd3,0xda,0xd9,
+		0xaf,0x0d,0xcb,0xaa,0xaf,0x26,0x8c,0xb8,
+		0xfc,0xff,0xea,0xd9,0x4f,0x3c,0x7c,0xa4,
+		0x95,0xe0,0x56,0xa9,0xb4,0x7a,0xcd,0xb7,
+		0x51,0xfb,0x73,0xe6,0x66,0xc6,0xc6,0x55,
+		0xad,0xe8,0x29,0x72,0x97,0xd0,0x7a,0xd1,
+		0xba,0x5e,0x43,0xf1,0xbc,0xa3,0x23,0x01,
+		0x65,0x13,0x39,0xe2,0x29,0x04,0xcc,0x8c,
+		0x42,0xf5,0x8c,0x30,0xc0,0x4a,0xaf,0xdb,
+		0x03,0x8d,0xda,0x08,0x47,0xdd,0x98,0x8d,
+		0xcd,0xa6,0xf3,0xbf,0xd1,0x5c,0x4b,0x4c,
+		0x45,0x25,0x00,0x4a,0xa0,0x6e,0xef,0xf8,
+		0xca,0x61,0x78,0x3a,0xac,0xec,0x57,0xfb,
+		0x3d,0x1f,0x92,0xb0,0xfe,0x2f,0xd1,0xa8,
+		0x5f,0x67,0x24,0x51,0x7b,0x65,0xe6,0x14,
+		0xad,0x68,0x08,0xd6,0xf6,0xee,0x34,0xdf,
+		0xf7,0x31,0x0f,0xdc,0x82,0xae,0xbf,0xd9,
+		0x04,0xb0,0x1e,0x1d,0xc5,0x4b,0x29,0x27,
+		0x09,0x4b,0x2d,0xb6,0x8d,0x6f,0x90,0x3b,
+		0x68,0x40,0x1a,0xde,0xbf,0x5a,0x7e,0x08,
+		0xd7,0x8f,0xf4,0xef,0x5d,0x63,0x65,0x3a,
+		0x65,0x04,0x0c,0xf9,0xbf,0xd4,0xac,0xa7,
+		0x98,0x4a,0x74,0xd3,0x71,0x45,0x98,0x67,
+		0x80,0xfc,0x0b,0x16,0xac,0x45,0x16,0x49,
+		0xde,0x61,0x88,0xa7,0xdb,0xdf,0x19,0x1f,
+		0x64,0xb5,0xfc,0x5e,0x2a,0xb4,0x7b,0x57,
+		0xf7,0xf7,0x27,0x6c,0xd4,0x19,0xc1,0x7a,
+		0x3c,0xa8,0xe1,0xb9,0x39,0xae,0x49,0xe4,
+		0x88,0xac,0xba,0x6b,0x96,0x56,0x10,0xb5,
+		0x48,0x01,0x09,0xc8,0xb1,0x7b,0x80,0xe1,
+		0xb7,0xb7,0x50,0xdf,0xc7,0x59,0x8d,0x5d,
+		0x50,0x11,0xfd,0x2d,0xcc,0x56,0x00,0xa3,
+		0x2e,0xf5,0xb5,0x2a,0x1e,0xcc,0x82,0x0e,
+		0x30,0x8a,0xa3,0x42,0x72,0x1a,0xac,0x09,
+		0x43,0xbf,0x66,0x86,0xb6,0x4b,0x25,0x79,
+		0x37,0x65,0x04,0xcc,0xc4,0x93,0xd9,0x7e,
+		0x6a,0xed,0x3f,0xb0,0xf9,0xcd,0x71,0xa4,
+		0x3d,0xd4,0x97,0xf0,0x1f,0x17,0xc0,0xe2,
+		0xcb,0x37,0x97,0xaa,0x2a,0x2f,0x25,0x66,
+		0x56,0x16,0x8e,0x6c,0x49,0x6a,0xfc,0x5f,
+		0xb9,0x32,0x46,0xf6,0xb1,0x11,0x63,0x98,
+		0xa3,0x46,0xf1,0xa6,0x41,0xf3,0xb0,0x41,
+		0xe9,0x89,0xf7,0x91,0x4f,0x90,0xcc,0x2c,
+		0x7f,0xff,0x35,0x78,0x76,0xe5,0x06,0xb5,
+		0x0d,0x33,0x4b,0xa7,0x7c,0x22,0x5b,0xc3,
+		0x07,0xba,0x53,0x71,0x52,0xf3,0xf1,0x61,
+		0x0e,0x4e,0xaf,0xe5,0x95,0xf6,0xd9,0xd9,
+		0x0d,0x11,0xfa,0xa9,0x33,0xa1,0x5e,0xf1,
+		0x36,0x95,0x46,0x86,0x8a,0x7f,0x3a,0x45,
+		0xa9,0x67,0x68,0xd4,0x0f,0xd9,0xd0,0x34,
+		0x12,0xc0,0x91,0xc6,0x31,0x5c,0xf4,0xfd,
+		0xe7,0xcb,0x68,0x60,0x69,0x37,0x38,0x0d,
+		0xb2,0xea,0xaa,0x70,0x7b,0x4c,0x41,0x85,
+		0xc3,0x2e,0xdd,0xcd,0xd3,0x06,0x70,0x5e,
+		0x4d,0xc1,0xff,0xc8,0x72,0xee,0xee,0x47,
+		0x5a,0x64,0xdf,0xac,0x86,0xab,0xa4,0x1c,
+		0x06,0x18,0x98,0x3f,0x87,0x41,0xc5,0xef,
+		0x68,0xd3,0xa1,0x01,0xe8,0xa3,0xb8,0xca,
+		0xc6,0x0c,0x90,0x5c,0x15,0xfc,0x91,0x08,
+		0x40,0xb9,0x4c,0x00,0xa0,0xb9,0xd0
+    };
+
+    const byte* msgs[] = {msg1, msg2, msg3, msg1, msg1, msg4};
+    const word16 msgSz[] = {sizeof(msg1), sizeof(msg2), sizeof(msg3),
+                            sizeof(msg1), sizeof(msg1), sizeof(msg4)};
+
+    /* create ed25519 keys */
+    wc_InitRng(&rng);
+    wc_ed25519_init(&key);
+    wc_ed25519_init(&key2);
+    wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key);
+    wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key2);
+
+    /* helper functions for signature and key size */
+    keySz = wc_ed25519_size(&key);
+    sigSz = wc_ed25519_sig_size(&key);
+
+    for (i = 0; i < 6; i++) {
+        outlen = sizeof(out);
+        XMEMSET(out, 0, sizeof(out));
+
+        if (wc_ed25519_import_private_key(sKeys[i], ED25519_KEY_SIZE, pKeys[i],
+                pKeySz[i], &key) != 0)
+            return -1021;
+
+        if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key)
+                != 0)
+            return -1022;
+
+        if (XMEMCMP(out, sigs[i], 64))
+            return -1023;
+
+        /* test verify on good msg */
+        if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
+                    &key) != 0 || verify != 1)
+            return -1024;
+
+        /* test verify on bad msg */
+        out[outlen-1] = out[outlen-1] + 1;
+        if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
+                    &key) == 0 || verify == 1)
+            return -1025;
+
+        /* test api for import/exporting keys */
+        exportPSz = sizeof(exportPKey);
+        exportSSz = sizeof(exportSKey);
+        if (wc_ed25519_export_public(&key, exportPKey, &exportPSz) != 0)
+            return -1026;
+
+        if (wc_ed25519_import_public(exportPKey, exportPSz, &key2) != 0)
+            return -1027;
+
+        if (wc_ed25519_export_private_only(&key, exportSKey, &exportSSz) != 0)
+            return -1028;
+
+        if (wc_ed25519_import_private_key(exportSKey, exportSSz,
+                                          exportPKey, exportPSz, &key2) != 0)
+            return -1029;
+
+        /* clear "out" buffer and test sign with imported keys */
+        outlen = sizeof(out);
+        XMEMSET(out, 0, sizeof(out));
+        if (wc_ed25519_sign_msg(msgs[i], msgSz[i], out, &outlen, &key2) != 0)
+            return -1030;
+
+        if (wc_ed25519_verify_msg(out, outlen, msgs[i], msgSz[i], &verify,
+                                  &key2) != 0 || verify != 1)
+            return -1031;
+
+        if (XMEMCMP(out, sigs[i], 64))
+            return -1032;
+    }
+
+    /* clean up keys when done */
+    wc_ed25519_free(&key);
+    wc_ed25519_free(&key2);
+
+#if defined(HAVE_HASHDRBG) || defined(NO_RC4)
+    wc_FreeRng(&rng);
+#endif
+
+    /* hush warrnings of unused keySz and sigSz */
+    (void)keySz;
+    (void)sigSz;
+
+    return 0;
+}
+#endif /* HAVE_ED25519 */
+
+
 #ifdef HAVE_LIBZ
 
 const byte sample_text[] =

wolfssl/wolfcrypt/ecc25519.h

@@ -26,7 +26,7 @@
 
 #ifdef HAVE_ECC25519
 
-#include <wolfssl/wolfcrypt/ecc25519_fe.h>
+#include <wolfssl/wolfcrypt/fe_operations.h>
 #include <wolfssl/wolfcrypt/random.h>
 
 #ifdef __cplusplus

wolfssl/wolfcrypt/ecc25519_fe.h

@@ -1,61 +0,0 @@
-/* ecc25519_fe.h
- *
- * Copyright (C) 2006-2015 wolfSSL Inc.
- *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
- /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
-
-#ifndef WOLF_CRYPT_ECC25519_FE_H
-#define WOLF_CRYPT_ECC25519_FE_H
-
-#include <wolfssl/wolfcrypt/settings.h>
-
-#ifdef HAVE_ECC25519
-
-#include <stdint.h>
-
-typedef int32_t fe[10];
-
-/*
-fe means field element.
-Here the field is \Z/(2^255-19).
-An element t, entries t[0]...t[9], represents the integer
-t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
-Bounds on each t[i] vary depending on context.
-*/
-
-void fe_frombytes(fe,const unsigned char *);
-void fe_tobytes(unsigned char *,fe);
-
-void fe_copy(fe,fe);
-void fe_0(fe);
-void fe_1(fe);
-void fe_cswap(fe,fe,unsigned int);
-
-void fe_add(fe,fe,fe);
-void fe_sub(fe,fe,fe);
-void fe_mul(fe,fe,fe);
-void fe_sq(fe,fe);
-void fe_mul121666(fe,fe);
-void fe_invert(fe,fe);
-
-
-#endif /* HAVE_ECC25519 */
-#endif /* include guard */
-

wolfssl/wolfcrypt/ecc25519_montgomery.h

@@ -1,42 +0,0 @@
-/* ecc25519_montgomery.h
- *
- * Copyright (C) 2006-2015 wolfSSL Inc.
- *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
- /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
-
-fe_sub(tmp0,x3,z3);
-fe_sub(tmp1,x2,z2);
-fe_add(x2,x2,z2);
-fe_add(z2,x3,z3);
-fe_mul(z3,tmp0,x2);
-fe_mul(z2,z2,tmp1);
-fe_sq(tmp0,tmp1);
-fe_sq(tmp1,x2);
-fe_add(x3,z3,z2);
-fe_sub(z2,z3,z2);
-fe_mul(x2,tmp1,tmp0);
-fe_sub(tmp1,tmp1,tmp0);
-fe_sq(z2,z2);
-fe_mul121666(z3,tmp1);
-fe_sq(x3,x3);
-fe_add(tmp0,tmp0,z3);
-fe_mul(z3,x1,z2);
-fe_mul(z2,tmp1,tmp0);
-

wolfssl/wolfcrypt/ecc25519_pow225521.h

@@ -1,46 +0,0 @@
-/* ecc25519_pow225521.h
- *
- * Copyright (C) 2006-2015 wolfSSL Inc.
- *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
- */
-
- /* Based On Daniel J Bernstein's curve25519 Public Domain ref10 work. */
-
-fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
-fe_sq(t1,t0); for (i = 1;i < 2;++i) fe_sq(t1,t1);
-fe_mul(t1,z,t1);
-fe_mul(t0,t0,t1);
-fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2);
-fe_mul(t1,t1,t2);
-fe_sq(t2,t1); for (i = 1;i < 5;++i) fe_sq(t2,t2);
-fe_mul(t1,t2,t1);
-fe_sq(t2,t1); for (i = 1;i < 10;++i) fe_sq(t2,t2);
-fe_mul(t2,t2,t1);
-fe_sq(t3,t2); for (i = 1;i < 20;++i) fe_sq(t3,t3);
-fe_mul(t2,t3,t2);
-fe_sq(t2,t2); for (i = 1;i < 10;++i) fe_sq(t2,t2);
-fe_mul(t1,t2,t1);
-fe_sq(t2,t1); for (i = 1;i < 50;++i) fe_sq(t2,t2);
-fe_mul(t2,t2,t1);
-fe_sq(t3,t2); for (i = 1;i < 100;++i) fe_sq(t3,t3);
-fe_mul(t2,t3,t2);
-fe_sq(t2,t2); for (i = 1;i < 50;++i) fe_sq(t2,t2);
-fe_mul(t1,t2,t1);
-fe_sq(t1,t1); for (i = 1;i < 5;++i) fe_sq(t1,t1);
-fe_mul(out,t1,t0);
-

wolfssl/wolfcrypt/ed25519.h

@@ -0,0 +1,94 @@
+/* ed25519.h
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifndef WOLF_CRYPT_ED25519_H
+#define WOLF_CRYPT_ED25519_H
+
+#include <wolfssl/wolfcrypt/types.h>
+
+#ifdef HAVE_ED25519
+
+#include <wolfssl/wolfcrypt/fe_operations.h>
+#include <wolfssl/wolfcrypt/ge_operations.h>
+#include <wolfssl/wolfcrypt/random.h>
+#include <wolfssl/wolfcrypt/sha512.h>
+
+#ifdef __cplusplus
+    extern "C" {
+#endif
+
+
+/* info about EdDSA curve specifically ed25519, defined as an elliptic curve
+   over GF(p) */
+/*
+    32,                key size
+    "ED25519",         curve name
+    "2^255-19",        prime number
+    "SHA512",          hash function
+    "-121665/121666",  value of d
+*/
+
+#define ED25519_KEY_SIZE 32
+#define ED25519_SIG_SIZE 64
+
+
+/* An ED25519 Key */
+typedef struct {
+    byte    p[32];        /* compressed public key */
+    byte    k[64];        /* private key : 32 secret -- 32 public */
+} ed25519_key;
+
+
+WOLFSSL_API
+int wc_ed25519_make_key(RNG* rng, int keysize, ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
+                        word32 *outlen, ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
+                          word32 msglen, int* stat, ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_init(ed25519_key* key);
+WOLFSSL_API
+void wc_ed25519_free(ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_import_public(const byte* in, word32 inLen, ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
+                               const byte* pub, word32 pubSz, ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_export_public(ed25519_key*, byte* out, word32* outLen);
+WOLFSSL_API
+int wc_ed25519_export_private_only(ed25519_key* key, byte* out, word32* outLen);
+
+/* size helper */
+WOLFSSL_API
+int wc_ed25519_size(ed25519_key* key);
+WOLFSSL_API
+int wc_ed25519_sig_size(ed25519_key* key);
+
+#ifdef __cplusplus
+    }    /* extern "C" */
+#endif
+
+#endif /* HAVE_ED25519 */
+#endif /* WOLF_CRYPT_ED25519_H */
+

wolfssl/wolfcrypt/fe_operations.h

@@ -0,0 +1,67 @@
+/* fe_operations.h
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+ /* Based On Daniel J Bernstein's curve25519 and ed25519 Public Domain ref10
+    work. */
+
+#ifndef WOLF_CRYPT_FE_OPERATIONS_H
+#define WOLF_CRYPT_FE_OPERATIONS_H
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#if defined(HAVE_ECC25519) || defined(HAVE_ED25519)
+
+#include <stdint.h>
+
+/*
+fe means field element.
+Here the field is \Z/(2^255-19).
+An element t, entries t[0]...t[9], represents the integer
+t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
+Bounds on each t[i] vary depending on context.
+*/
+
+typedef int32_t fe[10];
+
+WOLFSSL_LOCAL void fe_0(fe);
+WOLFSSL_LOCAL void fe_1(fe);
+WOLFSSL_LOCAL void fe_add(fe, const fe, const fe);
+WOLFSSL_LOCAL void fe_tobytes(unsigned char *, const fe);
+WOLFSSL_LOCAL void fe_sub(fe, const fe, const fe);
+WOLFSSL_LOCAL void fe_invert(fe, const fe);
+WOLFSSL_LOCAL void fe_sq(fe, const fe);
+WOLFSSL_LOCAL void fe_sq2(fe,const fe);
+WOLFSSL_LOCAL void fe_frombytes(fe,const unsigned char *);
+WOLFSSL_LOCAL void fe_mul(fe,const fe,const fe);
+WOLFSSL_LOCAL void fe_copy(fe, const fe);
+WOLFSSL_LOCAL void fe_cswap(fe,fe,unsigned int);
+WOLFSSL_LOCAL void fe_mul121666(fe,fe);
+WOLFSSL_LOCAL int fe_isnonzero(const fe);
+WOLFSSL_LOCAL int fe_isnegative(const fe);
+WOLFSSL_LOCAL void fe_cmov(fe,const fe,unsigned int);
+WOLFSSL_LOCAL void fe_neg(fe,const fe);
+WOLFSSL_LOCAL void fe_pow22523(fe,const fe);
+WOLFSSL_LOCAL uint64_t load_3(const unsigned char *in);
+WOLFSSL_LOCAL uint64_t load_4(const unsigned char *in);
+
+#endif /* HAVE_ECC25519 or HAVE_ED25519 */
+#endif /* WOLF_CRYPT_FE_OPERATIONS_H */
+

wolfssl/wolfcrypt/ge_operations.h

@@ -0,0 +1,106 @@
+/* ge_operations.h
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+ /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
+
+#ifndef WOLF_CRYPT_GE_OPERATIONS_H
+#define WOLF_CRYPT_GE_OPERATIONS_H
+
+#include <wolfssl/wolfcrypt/settings.h>
+
+#ifdef HAVE_ED25519
+
+#include <stdint.h>
+#include <wolfssl/wolfcrypt/fe_operations.h>
+
+/*
+ge means group element.
+
+Here the group is the set of pairs (x,y) of field elements (see fe.h)
+satisfying -x^2 + y^2 = 1 + d x^2y^2
+where d = -121665/121666.
+
+Representations:
+  ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+  ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+  ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+  ge_precomp (Duif): (y+x,y-x,2dxy)
+*/
+
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+} ge_p2;
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p3;
+
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p1p1;
+
+typedef struct {
+  fe yplusx;
+  fe yminusx;
+  fe xy2d;
+} ge_precomp;
+
+typedef struct {
+  fe YplusX;
+  fe YminusX;
+  fe Z;
+  fe T2d;
+} ge_cached;
+
+WOLFSSL_LOCAL void ge_tobytes(unsigned char *,const ge_p2 *);
+WOLFSSL_LOCAL void ge_p3_tobytes(unsigned char *,const ge_p3 *);
+WOLFSSL_LOCAL int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *);
+
+WOLFSSL_LOCAL void ge_p2_0(ge_p2 *);
+WOLFSSL_LOCAL void ge_p3_0(ge_p3 *);
+WOLFSSL_LOCAL void ge_precomp_0(ge_precomp *);
+WOLFSSL_LOCAL void ge_p3_to_p2(ge_p2 *,const ge_p3 *);
+WOLFSSL_LOCAL void ge_p3_to_cached(ge_cached *,const ge_p3 *);
+WOLFSSL_LOCAL void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *);
+WOLFSSL_LOCAL void ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *);
+WOLFSSL_LOCAL void ge_p2_dbl(ge_p1p1 *,const ge_p2 *);
+WOLFSSL_LOCAL void ge_p3_dbl(ge_p1p1 *,const ge_p3 *);
+
+WOLFSSL_LOCAL void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+WOLFSSL_LOCAL void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+WOLFSSL_LOCAL void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+WOLFSSL_LOCAL void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+WOLFSSL_LOCAL void ge_scalarmult_base(ge_p3 *,const unsigned char *);
+WOLFSSL_LOCAL void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,
+                                         const ge_p3 *,const unsigned char *);
+
+#endif /* HAVE_ED25519 */
+#endif /* WOLF_CRYPT_GE_OPERATIONS_H */
+

wolfssl/wolfcrypt/include.am

@@ -15,9 +15,9 @@ nobase_include_HEADERS+= \
                          wolfssl/wolfcrypt/dsa.h \
                          wolfssl/wolfcrypt/ecc.h \
                          wolfssl/wolfcrypt/ecc25519.h \
-                         wolfssl/wolfcrypt/ecc25519_fe.h \
+                         wolfssl/wolfcrypt/ed25519.h \
-                         wolfssl/wolfcrypt/ecc25519_pow225521.h \
+                         wolfssl/wolfcrypt/fe_operations.h \
-                         wolfssl/wolfcrypt/ecc25519_montgomery.h \
+                         wolfssl/wolfcrypt/ge_operations.h \
                          wolfssl/wolfcrypt/error-crypt.h \
                          wolfssl/wolfcrypt/fips_test.h \
                          wolfssl/wolfcrypt/hc128.h \