Comments and tweaks based on review by asn

Add some documentation

Rename "derive" -> "blind"

Check for failure on randombytes().

src/common/crypto_curve25519.c

@@ -128,7 +128,13 @@ curve25519_keypair_generate(curve25519_keypair_t *keypair_out,
   return 0;
 }
 
-/** DOCDOC */
+/** Write the <b>datalen</b> bytes from <b>data</b> to the file named
+ * <b>fname</b> in the tagged-data format.  This format contains a
+ * 32-byte header, followed by the data itself.  The header is the
+ * NUL-padded string "== <b>typestring</b>: <b>tag</b> ==".  The length
+ * of <b>typestring</b> and <b>tag</b> must therefore be no more than
+ * 24.
+ **/
 int
 crypto_write_tagged_contents_to_file(const char *fname,
                                      const char *typestring,
@@ -159,7 +165,11 @@ crypto_write_tagged_contents_to_file(const char *fname,
   return r;
 }
 
-/** DOCDOC */
+/** Read a tagged-data file from <b>fname</b> into the
+ * <b>data_out_len</b>-byte buffer in <b>data_out</b>. Check that the
+ * typestring matches <b>typestring</b>; store the tag into a newly allocated
+ * string in <b>tag_out</b>. Return -1 on failure, and the number of bytes of
+ * data on success. */
 ssize_t
 crypto_read_tagged_contents_from_file(const char *fname,
                                       const char *typestring,

src/common/crypto_ed25519.c

@@ -138,6 +138,8 @@ ed25519_checksig_batch(int *okay_out,
   }
 
 #if 0
+  /* This is how we'd do it if we were using ed25519_donna.  I'll keep this
+   * code around here in case we ever do that. */
   const uint8_t **ms;
   size_t *lens;
   const uint8_t **pks;
@@ -249,7 +251,7 @@ ed25519_keypair_blind(ed25519_keypair_t *out,
 {
   ed25519_public_key_t pubkey_check;
 
-  ed25519_ref10_derive_secret_key(out->seckey.seckey,
+  ed25519_ref10_blind_secret_key(out->seckey.seckey,
                                   inp->seckey.seckey, param);
 
   ed25519_public_blind(&pubkey_check, &inp->pubkey, param);
@@ -272,7 +274,7 @@ ed25519_public_blind(ed25519_public_key_t *out,
                      const ed25519_public_key_t *inp,
                      const uint8_t *param)
 {
-  ed25519_ref10_derive_public_key(out->pubkey, inp->pubkey, param);
+  ed25519_ref10_blind_public_key(out->pubkey, inp->pubkey, param);
   return 0;
 }
 

src/ext/ed25519/ref10/blinding.c

@@ -19,7 +19,7 @@ gettweak(unsigned char *out, const unsigned char *param)
   out[31] |= 64;
 }
 
-int ed25519_ref10_derive_secret_key(unsigned char *out,
+int ed25519_ref10_blind_secret_key(unsigned char *out,
                               const unsigned char *inp,
                               const unsigned char *param)
 {
@@ -40,7 +40,7 @@ int ed25519_ref10_derive_secret_key(unsigned char *out,
   return 0;
 }
 
-int ed25519_ref10_derive_public_key(unsigned char *out,
+int ed25519_ref10_blind_public_key(unsigned char *out,
                               const unsigned char *inp,
                               const unsigned char *param)
 {
@@ -58,7 +58,8 @@ int ed25519_ref10_derive_public_key(unsigned char *out,
    * strongly that I'm about to code my own ge_scalarmult_vartime). */
 
   /* We negate the public key first, so that we can pass it to
-   * frombytes_negate_vartime, which negates it again. */
+   * frombytes_negate_vartime, which negates it again. If there were a
+   * "ge_frombytes", we'd use that, but there isn't. */
   memcpy(pkcopy, inp, 32);
   pkcopy[31] ^= (1<<7);
   ge_frombytes_negate_vartime(&A, pkcopy);
@@ -69,7 +70,7 @@ int ed25519_ref10_derive_public_key(unsigned char *out,
   memwipe(tweak, 0, sizeof(tweak));
   memwipe(&A, 0, sizeof(A));
   memwipe(&Aprime, 0, sizeof(Aprime));
-  memwipe(&pkcopy, 0, sizeof(pkcopy));
+  memwipe(pkcopy, 0, sizeof(pkcopy));
 
   return 0;
 }

src/ext/ed25519/ref10/crypto_hash_sha512.h

@@ -1,8 +1,12 @@
 /* Added for Tor. */
 #include <openssl/sha.h>
+
+/* Set 'out' to the 512-bit SHA512 hash of the 'len'-byte string in 'inp' */
 #define crypto_hash_sha512(out, inp, len) \
   SHA512((inp), (len), (out))
 
+/* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1',
+ * concatenated with the 'len2'-byte string in 'inp2'. */
 #define crypto_hash_sha512_2(out, inp1, len1, inp2, len2)               \
   do {                                                                  \
       SHA512_CTX sha_ctx_;                                              \
@@ -12,6 +16,9 @@
       SHA512_Final((out), &sha_ctx_);                                   \
  } while(0)
 
+/* Set 'out' to the 512-bit SHA512 hash of the 'len1'-byte string in 'inp1',
+ * concatenated with the 'len2'-byte string in 'inp2', concatenated with
+ * the 'len3'-byte string in 'len3'. */
 #define crypto_hash_sha512_3(out, inp1, len1, inp2, len2, inp3, len3)   \
   do {                                                                  \
       SHA512_CTX sha_ctx_;                                              \

src/ext/ed25519/ref10/ed25519_ref10.h

@@ -20,10 +20,10 @@ int ed25519_ref10_sign(
 int ed25519_ref10_pubkey_from_curve25519_pubkey(unsigned char *out,
                                                 const unsigned char *inp,
                                                 int signbit);
-int ed25519_ref10_derive_secret_key(unsigned char *out,
+int ed25519_ref10_blind_secret_key(unsigned char *out,
                               const unsigned char *inp,
                               const unsigned char *param);
-int ed25519_ref10_derive_public_key(unsigned char *out,
+int ed25519_ref10_blind_public_key(unsigned char *out,
                               const unsigned char *inp,
                               const unsigned char *param);
 

src/ext/ed25519/ref10/keypair.c

@@ -1,4 +1,4 @@
-/* Modified for Tor: new API, 32-byte secret keys. */
+/* Modified for Tor: new API, 64-byte secret keys. */
 #include <string.h>
 #include "randombytes.h"
 #include "crypto_sign.h"
@@ -10,7 +10,8 @@ crypto_sign_seckey(unsigned char *sk)
 {
   unsigned char seed[32];
 
-  randombytes(seed,32);
+  if (randombytes(seed,32) < 0)
+    return -1;
 
   crypto_sign_seckey_expand(sk, seed);
 

src/ext/ed25519/ref10/open.c

@@ -1,3 +1,4 @@
+/* (Modified by Tor to verify signature separately from message) */
 #include <string.h>
 #include "crypto_sign.h"
 #include "crypto_hash_sha512.h"
@@ -5,6 +6,7 @@
 #include "ge.h"
 #include "sc.h"
 
+/* 'signature' must be 64-bytes long. */
 int crypto_sign_open(
   const unsigned char *signature,
   const unsigned char *m,uint64_t mlen,

src/ext/ed25519/ref10/sign.c

@@ -1,3 +1,4 @@
+/* (Modified by Tor to generate detached signatures.) */
 #include <string.h>
 #include "crypto_sign.h"
 #include "crypto_hash_sha512.h"