Commit 0f3eeca9 authored by Yawning Angel's avatar Yawning Angel

Integrate ed25519-donna (Not yet used).

Integrate ed25519-donna into the build process, and provide an
interface that matches the `ref10` code.  Apart from the blinding and
Curve25519 key conversion, this functions as a drop-in replacement for
ref10 (verified by modifying crypto_ed25519.c).

Tests pass, and the benchmarks claim it is quite a bit faster; however,
actually using the code requires additional integration work.
parent 7b10741b
+2 −0
@@ -144,6 +144,8 @@ cscope.*
# /src/ext/
/src/ext/ed25519/ref10/libed25519_ref10.a
/src/ext/ed25519/ref10/libed25519_ref10.lib
/src/ext/ed25519/donna/libed25519_donna.a
/src/ext/ed25519/donna/libed25519_donna.lib

# /src/or/
/src/or/Makefile
+1 −0
@@ -43,6 +43,7 @@ endif
endif

LIBDONNA += $(LIBED25519_REF10)
LIBDONNA += $(LIBED25519_DONNA)

if THREADS_PTHREADS
threads_impl_source=src/common/compat_pthreads.c
+32 −0

We've made the following changes to the stock ed25519-donna from
as of 8757bd4cd209cb032853ece0ce413f122eef212c.

 * Tor uses copies of `ed25519-donna.h` and `ed25519.c`, named
   `ed25519_donna_tor.h` and `ed25591_tor.c`.

   The main functional differences between the standard ed25519-donna
   and the Tor specific version are:

    * The external interface has been reworked to match that provided
       by Tor's copy of the SUPERCOP `ref10` code.

    * The secret (aka private) key is now stored/used in expanded form.

    * The internal math tests from `test-internals.c` have been wrapped
      in a function and the entire file is included to allow for
      runtime validation.

 * `ED25519_FN(ed25519_randombytes_unsafe)` is now static.

 * `ed25519-randombytes-custom.h` has the appropriate code to call
    Tor's `crypto_rand()` routine, instead of directly using OpenSSL's
    CSPRNG.

 * OSX pollutes the global namespace with an `ALIGN` macro, which is
   undef-ed right before the donna `ALIGN` macro is defined.

 * If building with Clang's AddressSanitizer, disable inline assembly
   since the compilation will fail in `ge25519_scalarmult_base_choose_niels`
   on x86_64 targets due to running out of registers.
+15 −0
@@ -20,6 +20,8 @@
	#include <sys/param.h>
	#define DONNA_INLINE inline __attribute__((always_inline))
	#define DONNA_NOINLINE __attribute__((noinline))
	/* Tor: OSX pollutes the global namespace with an ALIGN macro. */
	#undef ALIGN
	#define ALIGN(x) __attribute__((aligned(x)))
	#define ROTL32(a,b) (((a) << (b)) | ((a) >> (32 - b)))
	#define ROTR32(a,b) (((a) >> (b)) | ((a) << (32 - b)))
@@ -129,6 +131,19 @@ static inline void U64TO8_LE(unsigned char *p, const uint64_t v) {
}
#endif

/* Tor: Detect and disable inline assembly when clang's AddressSanitizer
 * is present, due to compilation failing because it runs out of registers.
 *
 * The alternative is to annotate `ge25519_scalarmult_base_choose_niels`
 * and selectively disable AddressSanitizer insturmentation, however doing
 * things this way results in a "more sanitized" binary.
 */
#if defined(__has_feature)
	#if __has_feature(address_sanitizer)
		#define ED25519_NO_INLINE_ASM
	#endif
#endif

#include <stdlib.h>
#include <string.h>
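Review bot: The AddressSanitizer block in the second hunk defines `ED25519_NO_INLINE_ASM` unconditionally, so a build that already passes it on the command line (where `-D` gives it the value 1) gets a macro-redefinition diagnostic, which is fatal under `-Werror`; writing the inner test as `#if __has_feature(address_sanitizer) && !defined(ED25519_NO_INLINE_ASM)` avoids that. The comment should also state that sanitized builds therefore exercise the portable C path rather than the inline-assembly path that other builds presumably use, so ASan runs give no coverage of the latter. In the same comment `insturmentation` should read `instrumentation`. Whether the define takes effect depends on it preceding the headers that test the macro, and those are included outside the hunk.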

+9 −0
@@ -6,3 +6,12 @@
	ed25519_randombytes_unsafe is used by the batch verification function
	to create random scalars
*/

/* Tor: Instead of calling OpenSSL's CSPRNG directly, call the wrapper. */
#include "crypto.h"

static void
ED25519_FN(ed25519_randombytes_unsafe) (void *p, size_t len)
{
  crypto_rand(p, len);
}
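Review bot: The added wrapper calls `crypto_rand(p, len);` and discards whatever it returns; its prototype is in `crypto.h`, outside this page, so if it can report failure the batch verifier would draw its scalars from a buffer that was never filled. Those scalars have to be unpredictable for batch verification to be sound, so a failed RNG call should stop the process rather than continue, e.g. `if (crypto_rand(p, len) < 0) abort();` (adjusted to the real return convention). A short comment stating that requirement, such as `/* Batch verification is only sound if these bytes are unpredictable. */`, would also help, since the `_unsafe` suffix in the name suggests the opposite.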