Tweak ed25519 ref10 signing interface to use less space.

Unit tests still pass.

src/common/crypto_ed25519.c

@@ -59,29 +59,13 @@ ed25519_sign(ed25519_signature_t *signature_out,
              const uint8_t *msg, size_t len,
              const ed25519_keypair_t *keypair)
 {
-  uint8_t keys[64];
-  uint8_t *tmp;
-  uint64_t tmplen;
-
-  /* XXXX Make crypto_sign in ref10 friendlier so we don't need this stupid
-   * copying. */
-  tor_assert(len < SIZE_T_CEILING - 64);
-  tmplen = ((uint64_t)len) + 64;
-  tmp = tor_malloc(tmplen);
 
-  memcpy(keys, keypair->seckey.seckey, 32);
-  memcpy(keys+32, keypair->pubkey.pubkey, 32);
-
-  if (ed25519_ref10_sign(tmp, &tmplen, msg, len, keys) < 0) {
-    tor_free(tmp);
+  if (ed25519_ref10_sign(signature_out->sig, msg, len,
+                         keypair->seckey.seckey,
+                         keypair->pubkey.pubkey) < 0) {
     return -1;
   }
 
-  memcpy(signature_out->sig, tmp, 64);
-  memwipe(keys, 0, sizeof(keys));
-
-  tor_free(tmp);
-
   return 0;
 }
 

src/ext/ed25519/ref10/crypto_hash_sha512.h

@@ -2,3 +2,22 @@
 #include <openssl/sha.h>
 #define crypto_hash_sha512(out, inp, len) \
   SHA512((inp), (len), (out))
+
+#define crypto_hash_sha512_2(out, inp1, len1, inp2, len2)               \
+  do {                                                                  \
+      SHA512_CTX sha_ctx_;                                              \
+      SHA512_Init(&sha_ctx_);                                           \
+      SHA512_Update(&sha_ctx_, (inp1), (len1));                         \
+      SHA512_Update(&sha_ctx_, (inp2), (len2));                         \
+      SHA512_Final((out), &sha_ctx_);                                   \
+ } while(0)
+
+#define crypto_hash_sha512_3(out, inp1, len1, inp2, len2, inp3, len3)   \
+  do {                                                                  \
+      SHA512_CTX sha_ctx_;                                              \
+      SHA512_Init(&sha_ctx_);                                           \
+      SHA512_Update(&sha_ctx_, (inp1), (len1));                         \
+      SHA512_Update(&sha_ctx_, (inp2), (len2));                         \
+      SHA512_Update(&sha_ctx_, (inp3), (len3));                         \
+      SHA512_Final((out), &sha_ctx_);                                   \
+ } while(0)

src/ext/ed25519/ref10/ed25519_ref10.h

@@ -11,8 +11,8 @@ int ed25519_ref10_open(
   const unsigned char *sm,uint64_t smlen,
   const unsigned char *pk);
 int ed25519_ref10_sign(
-  unsigned char *sm,uint64_t *smlen,
+  unsigned char *sig,
   const unsigned char *m,uint64_t mlen,
-  const unsigned char *sk);
+  const unsigned char *sk, const unsigned char *pk);
 
 #endif

src/ext/ed25519/ref10/sign.c

@@ -5,37 +5,30 @@
 #include "sc.h"
 
 int crypto_sign(
-  unsigned char *sm,uint64_t *smlen,
+  unsigned char *sig,
   const unsigned char *m,uint64_t mlen,
-  const unsigned char *sk
+  const unsigned char *sk,const unsigned char *pk
 )
 {
-  unsigned char pk[32];
   unsigned char az[64];
   unsigned char nonce[64];
   unsigned char hram[64];
   ge_p3 R;
 
-  memmove(pk,sk + 32,32);
-
   crypto_hash_sha512(az,sk,32);
   az[0] &= 248;
   az[31] &= 63;
   az[31] |= 64;
 
-  *smlen = mlen + 64;
-  memmove(sm + 64,m,mlen);
-  memmove(sm + 32,az + 32,32);
-  crypto_hash_sha512(nonce,sm + 32,mlen + 32);
-  memmove(sm + 32,pk,32);
+  crypto_hash_sha512_2(nonce, az+32, 32, m, mlen);
 
   sc_reduce(nonce);
   ge_scalarmult_base(&R,nonce);
-  ge_p3_tobytes(sm,&R);
+  ge_p3_tobytes(sig,&R);
 
-  crypto_hash_sha512(hram,sm,mlen + 64);
+  crypto_hash_sha512_3(hram, sig, 32, pk, 32, m, mlen);
   sc_reduce(hram);
-  sc_muladd(sm + 32,hram,az,nonce);
+  sc_muladd(sig + 32,hram,az,nonce);
 
   return 0;
 }