Merge pull request #364 from libtom/feature/curve25519

Add curve25519

helper.pl

@@ -62,6 +62,7 @@ sub check_source {
           $file !~ m|src/ciphers/.*\.c$| &&
           $file !~ m|src/hashes/.*\.c$| &&
           $file !~ m|src/math/.+_desc.c$| &&
+          $file !~ m|src/pk/ec25519/tweetnacl.c$| &&
           $file !~ m|src/stream/sober128/sober128_stream.c$| &&
           $l =~ /^static(\s+[a-zA-Z0-9_]+)+\s+([^_][a-zA-Z0-9_]+)\s*\(/) {
         push @{$troubles->{staticfunc_name}}, "$lineno($2)";

libtomcrypt_VS2008.vcproj

@@ -2311,6 +2311,14 @@
 					>
 				</File>
 			</Filter>
+			<Filter
+				Name="ec25519"
+				>
+				<File
+					RelativePath="src\pk\ec25519\tweetnacl.c"
+					>
+				</File>
+			</Filter>
 			<Filter
 				Name="ecc"
 				>
@@ -2467,6 +2475,38 @@
 					>
 				</File>
 			</Filter>
+			<Filter
+				Name="ed25519"
+				>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_export.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_import.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_import_x509.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_make_key.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_set_key.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_sign.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\ed25519\ed25519_verify.c"
+					>
+				</File>
+			</Filter>
 			<Filter
 				Name="pkcs1"
 				>
@@ -2567,6 +2607,34 @@
 					>
 				</File>
 			</Filter>
+			<Filter
+				Name="x25519"
+				>
+				<File
+					RelativePath="src\pk\x25519\x25519_export.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\x25519\x25519_import.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\x25519\x25519_import_x509.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\x25519\x25519_make_key.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\x25519\x25519_set_ku.c"
+					>
+				</File>
+				<File
+					RelativePath="src\pk\x25519\x25519_shared_secret.c"
+					>
+				</File>
+			</Filter>
 		</Filter>
 		<Filter
 			Name="prngs"

makefile.mingw

@@ -179,29 +179,34 @@ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.
 src/pk/dsa/dsa_generate_key.o src/pk/dsa/dsa_generate_pqg.o src/pk/dsa/dsa_import.o \
 src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_set.o src/pk/dsa/dsa_set_pqg_dsaparam.o \
 src/pk/dsa/dsa_shared_secret.o src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o \
-src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o src/pk/ecc/ecc_ansi_x963_export.o \
-src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o \
-src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o src/pk/ecc/ecc_find_curve.o \
-src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o src/pk/ecc/ecc_get_size.o \
-src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o src/pk/ecc/ecc_import_pkcs8.o \
-src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_recover_key.o \
-src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o \
-src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o \
-src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_export_point.o \
-src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
+src/pk/dsa/dsa_verify_key.o src/pk/ec25519/tweetnacl.o src/pk/ecc/ecc.o \
+src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \
+src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o \
+src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
+src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
+src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
+src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
+src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o \
+src/pk/ecc/ltc_ecc_export_point.o src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
 src/pk/ecc/ltc_ecc_is_point_at_infinity.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mul2add.o \
 src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \
 src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \
-src/pk/ecc/ltc_ecc_verify_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \
-src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \
-src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \
-src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \
-src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
-src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o \
-src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o \
-src/pk/rsa/rsa_sign_saltlen_get.o src/pk/rsa/rsa_verify_hash.o src/prngs/chacha20.o src/prngs/fortuna.o \
-src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \
-src/prngs/sprng.o src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
+src/pk/ecc/ltc_ecc_verify_key.o src/pk/ed25519/ed25519_export.o src/pk/ed25519/ed25519_import.o \
+src/pk/ed25519/ed25519_import_x509.o src/pk/ed25519/ed25519_make_key.o \
+src/pk/ed25519/ed25519_set_key.o src/pk/ed25519/ed25519_sign.o src/pk/ed25519/ed25519_verify.o \
+src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o src/pk/pkcs1/pkcs_1_oaep_decode.o \
+src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o src/pk/pkcs1/pkcs_1_pss_decode.o \
+src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o src/pk/pkcs1/pkcs_1_v1_5_encode.o \
+src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o \
+src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o src/pk/rsa/rsa_import.o \
+src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o src/pk/rsa/rsa_make_key.o \
+src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
+src/pk/rsa/rsa_verify_hash.o src/pk/x25519/x25519_export.o src/pk/x25519/x25519_import.o \
+src/pk/x25519/x25519_import_x509.o src/pk/x25519/x25519_make_key.o src/pk/x25519/x25519_set_ku.o \
+src/pk/x25519/x25519_shared_secret.o src/prngs/chacha20.o src/prngs/fortuna.o src/prngs/rc4.o \
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
+src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
 src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
@@ -217,11 +222,11 @@ src/stream/sosemanuk/sosemanuk_memory.o src/stream/sosemanuk/sosemanuk_test.o
 
 #List of test objects to compile
 TOBJECTS=tests/base16_test.o tests/base32_test.o tests/base64_test.o tests/cipher_hash_test.o \
-tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/file_test.o \
-tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o tests/multi_test.o tests/no_prng.o \
-tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o tests/pkcs_1_oaep_test.o \
-tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o tests/rotate_test.o tests/rsa_test.o \
-tests/ssh_test.o tests/store_test.o tests/test.o
+tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/ed25519_test.o \
+tests/file_test.o tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o \
+tests/multi_test.o tests/no_prng.o tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o \
+tests/pkcs_1_oaep_test.o tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o \
+tests/rotate_test.o tests/rsa_test.o tests/ssh_test.o tests/store_test.o tests/test.o tests/x25519_test.o
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

makefile.msvc

@@ -172,29 +172,34 @@ src/pk/dsa/dsa_decrypt_key.obj src/pk/dsa/dsa_encrypt_key.obj src/pk/dsa/dsa_exp
 src/pk/dsa/dsa_generate_key.obj src/pk/dsa/dsa_generate_pqg.obj src/pk/dsa/dsa_import.obj \
 src/pk/dsa/dsa_make_key.obj src/pk/dsa/dsa_set.obj src/pk/dsa/dsa_set_pqg_dsaparam.obj \
 src/pk/dsa/dsa_shared_secret.obj src/pk/dsa/dsa_sign_hash.obj src/pk/dsa/dsa_verify_hash.obj \
-src/pk/dsa/dsa_verify_key.obj src/pk/ecc/ecc.obj src/pk/ecc/ecc_ansi_x963_export.obj \
-src/pk/ecc/ecc_ansi_x963_import.obj src/pk/ecc/ecc_decrypt_key.obj src/pk/ecc/ecc_encrypt_key.obj \
-src/pk/ecc/ecc_export.obj src/pk/ecc/ecc_export_openssl.obj src/pk/ecc/ecc_find_curve.obj \
-src/pk/ecc/ecc_free.obj src/pk/ecc/ecc_get_key.obj src/pk/ecc/ecc_get_oid_str.obj src/pk/ecc/ecc_get_size.obj \
-src/pk/ecc/ecc_import.obj src/pk/ecc/ecc_import_openssl.obj src/pk/ecc/ecc_import_pkcs8.obj \
-src/pk/ecc/ecc_import_x509.obj src/pk/ecc/ecc_make_key.obj src/pk/ecc/ecc_recover_key.obj \
-src/pk/ecc/ecc_set_curve.obj src/pk/ecc/ecc_set_curve_internal.obj src/pk/ecc/ecc_set_key.obj \
-src/pk/ecc/ecc_shared_secret.obj src/pk/ecc/ecc_sign_hash.obj src/pk/ecc/ecc_sizes.obj \
-src/pk/ecc/ecc_ssh_ecdsa_encode_name.obj src/pk/ecc/ecc_verify_hash.obj src/pk/ecc/ltc_ecc_export_point.obj \
-src/pk/ecc/ltc_ecc_import_point.obj src/pk/ecc/ltc_ecc_is_point.obj \
+src/pk/dsa/dsa_verify_key.obj src/pk/ec25519/tweetnacl.obj src/pk/ecc/ecc.obj \
+src/pk/ecc/ecc_ansi_x963_export.obj src/pk/ecc/ecc_ansi_x963_import.obj src/pk/ecc/ecc_decrypt_key.obj \
+src/pk/ecc/ecc_encrypt_key.obj src/pk/ecc/ecc_export.obj src/pk/ecc/ecc_export_openssl.obj \
+src/pk/ecc/ecc_find_curve.obj src/pk/ecc/ecc_free.obj src/pk/ecc/ecc_get_key.obj src/pk/ecc/ecc_get_oid_str.obj \
+src/pk/ecc/ecc_get_size.obj src/pk/ecc/ecc_import.obj src/pk/ecc/ecc_import_openssl.obj \
+src/pk/ecc/ecc_import_pkcs8.obj src/pk/ecc/ecc_import_x509.obj src/pk/ecc/ecc_make_key.obj \
+src/pk/ecc/ecc_recover_key.obj src/pk/ecc/ecc_set_curve.obj src/pk/ecc/ecc_set_curve_internal.obj \
+src/pk/ecc/ecc_set_key.obj src/pk/ecc/ecc_shared_secret.obj src/pk/ecc/ecc_sign_hash.obj \
+src/pk/ecc/ecc_sizes.obj src/pk/ecc/ecc_ssh_ecdsa_encode_name.obj src/pk/ecc/ecc_verify_hash.obj \
+src/pk/ecc/ltc_ecc_export_point.obj src/pk/ecc/ltc_ecc_import_point.obj src/pk/ecc/ltc_ecc_is_point.obj \
 src/pk/ecc/ltc_ecc_is_point_at_infinity.obj src/pk/ecc/ltc_ecc_map.obj src/pk/ecc/ltc_ecc_mul2add.obj \
 src/pk/ecc/ltc_ecc_mulmod.obj src/pk/ecc/ltc_ecc_mulmod_timing.obj src/pk/ecc/ltc_ecc_points.obj \
 src/pk/ecc/ltc_ecc_projective_add_point.obj src/pk/ecc/ltc_ecc_projective_dbl_point.obj \
-src/pk/ecc/ltc_ecc_verify_key.obj src/pk/pkcs1/pkcs_1_i2osp.obj src/pk/pkcs1/pkcs_1_mgf1.obj \
-src/pk/pkcs1/pkcs_1_oaep_decode.obj src/pk/pkcs1/pkcs_1_oaep_encode.obj src/pk/pkcs1/pkcs_1_os2ip.obj \
-src/pk/pkcs1/pkcs_1_pss_decode.obj src/pk/pkcs1/pkcs_1_pss_encode.obj src/pk/pkcs1/pkcs_1_v1_5_decode.obj \
-src/pk/pkcs1/pkcs_1_v1_5_encode.obj src/pk/rsa/rsa_decrypt_key.obj src/pk/rsa/rsa_encrypt_key.obj \
-src/pk/rsa/rsa_export.obj src/pk/rsa/rsa_exptmod.obj src/pk/rsa/rsa_free.obj src/pk/rsa/rsa_get_size.obj \
-src/pk/rsa/rsa_import.obj src/pk/rsa/rsa_import_pkcs8.obj src/pk/rsa/rsa_import_x509.obj \
-src/pk/rsa/rsa_make_key.obj src/pk/rsa/rsa_set.obj src/pk/rsa/rsa_sign_hash.obj \
-src/pk/rsa/rsa_sign_saltlen_get.obj src/pk/rsa/rsa_verify_hash.obj src/prngs/chacha20.obj src/prngs/fortuna.obj \
-src/prngs/rc4.obj src/prngs/rng_get_bytes.obj src/prngs/rng_make_prng.obj src/prngs/sober128.obj \
-src/prngs/sprng.obj src/prngs/yarrow.obj src/stream/chacha/chacha_crypt.obj src/stream/chacha/chacha_done.obj \
+src/pk/ecc/ltc_ecc_verify_key.obj src/pk/ed25519/ed25519_export.obj src/pk/ed25519/ed25519_import.obj \
+src/pk/ed25519/ed25519_import_x509.obj src/pk/ed25519/ed25519_make_key.obj \
+src/pk/ed25519/ed25519_set_key.obj src/pk/ed25519/ed25519_sign.obj src/pk/ed25519/ed25519_verify.obj \
+src/pk/pkcs1/pkcs_1_i2osp.obj src/pk/pkcs1/pkcs_1_mgf1.obj src/pk/pkcs1/pkcs_1_oaep_decode.obj \
+src/pk/pkcs1/pkcs_1_oaep_encode.obj src/pk/pkcs1/pkcs_1_os2ip.obj src/pk/pkcs1/pkcs_1_pss_decode.obj \
+src/pk/pkcs1/pkcs_1_pss_encode.obj src/pk/pkcs1/pkcs_1_v1_5_decode.obj src/pk/pkcs1/pkcs_1_v1_5_encode.obj \
+src/pk/rsa/rsa_decrypt_key.obj src/pk/rsa/rsa_encrypt_key.obj src/pk/rsa/rsa_export.obj \
+src/pk/rsa/rsa_exptmod.obj src/pk/rsa/rsa_free.obj src/pk/rsa/rsa_get_size.obj src/pk/rsa/rsa_import.obj \
+src/pk/rsa/rsa_import_pkcs8.obj src/pk/rsa/rsa_import_x509.obj src/pk/rsa/rsa_make_key.obj \
+src/pk/rsa/rsa_set.obj src/pk/rsa/rsa_sign_hash.obj src/pk/rsa/rsa_sign_saltlen_get.obj \
+src/pk/rsa/rsa_verify_hash.obj src/pk/x25519/x25519_export.obj src/pk/x25519/x25519_import.obj \
+src/pk/x25519/x25519_import_x509.obj src/pk/x25519/x25519_make_key.obj src/pk/x25519/x25519_set_ku.obj \
+src/pk/x25519/x25519_shared_secret.obj src/prngs/chacha20.obj src/prngs/fortuna.obj src/prngs/rc4.obj \
+src/prngs/rng_get_bytes.obj src/prngs/rng_make_prng.obj src/prngs/sober128.obj src/prngs/sprng.obj \
+src/prngs/yarrow.obj src/stream/chacha/chacha_crypt.obj src/stream/chacha/chacha_done.obj \
 src/stream/chacha/chacha_ivctr32.obj src/stream/chacha/chacha_ivctr64.obj \
 src/stream/chacha/chacha_keystream.obj src/stream/chacha/chacha_memory.obj \
 src/stream/chacha/chacha_setup.obj src/stream/chacha/chacha_test.obj src/stream/rabbit/rabbit.obj \
@@ -210,11 +215,11 @@ src/stream/sosemanuk/sosemanuk_memory.obj src/stream/sosemanuk/sosemanuk_test.ob
 
 #List of test objects to compile
 TOBJECTS=tests/base16_test.obj tests/base32_test.obj tests/base64_test.obj tests/cipher_hash_test.obj \
-tests/common.obj tests/der_test.obj tests/dh_test.obj tests/dsa_test.obj tests/ecc_test.obj tests/file_test.obj \
-tests/mac_test.obj tests/misc_test.obj tests/modes_test.obj tests/mpi_test.obj tests/multi_test.obj tests/no_prng.obj \
-tests/padding_test.obj tests/pkcs_1_eme_test.obj tests/pkcs_1_emsa_test.obj tests/pkcs_1_oaep_test.obj \
-tests/pkcs_1_pss_test.obj tests/pkcs_1_test.obj tests/prng_test.obj tests/rotate_test.obj tests/rsa_test.obj \
-tests/ssh_test.obj tests/store_test.obj tests/test.obj
+tests/common.obj tests/der_test.obj tests/dh_test.obj tests/dsa_test.obj tests/ecc_test.obj tests/ed25519_test.obj \
+tests/file_test.obj tests/mac_test.obj tests/misc_test.obj tests/modes_test.obj tests/mpi_test.obj \
+tests/multi_test.obj tests/no_prng.obj tests/padding_test.obj tests/pkcs_1_eme_test.obj tests/pkcs_1_emsa_test.obj \
+tests/pkcs_1_oaep_test.obj tests/pkcs_1_pss_test.obj tests/pkcs_1_test.obj tests/prng_test.obj \
+tests/rotate_test.obj tests/rsa_test.obj tests/ssh_test.obj tests/store_test.obj tests/test.obj tests/x25519_test.obj
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

makefile.unix

@@ -189,29 +189,34 @@ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.
 src/pk/dsa/dsa_generate_key.o src/pk/dsa/dsa_generate_pqg.o src/pk/dsa/dsa_import.o \
 src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_set.o src/pk/dsa/dsa_set_pqg_dsaparam.o \
 src/pk/dsa/dsa_shared_secret.o src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o \
-src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o src/pk/ecc/ecc_ansi_x963_export.o \
-src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o \
-src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o src/pk/ecc/ecc_find_curve.o \
-src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o src/pk/ecc/ecc_get_size.o \
-src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o src/pk/ecc/ecc_import_pkcs8.o \
-src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_recover_key.o \
-src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o \
-src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o \
-src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_export_point.o \
-src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
+src/pk/dsa/dsa_verify_key.o src/pk/ec25519/tweetnacl.o src/pk/ecc/ecc.o \
+src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \
+src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o \
+src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
+src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
+src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
+src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
+src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o \
+src/pk/ecc/ltc_ecc_export_point.o src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
 src/pk/ecc/ltc_ecc_is_point_at_infinity.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mul2add.o \
 src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \
 src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \
-src/pk/ecc/ltc_ecc_verify_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \
-src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \
-src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \
-src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \
-src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
-src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o \
-src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o \
-src/pk/rsa/rsa_sign_saltlen_get.o src/pk/rsa/rsa_verify_hash.o src/prngs/chacha20.o src/prngs/fortuna.o \
-src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \
-src/prngs/sprng.o src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
+src/pk/ecc/ltc_ecc_verify_key.o src/pk/ed25519/ed25519_export.o src/pk/ed25519/ed25519_import.o \
+src/pk/ed25519/ed25519_import_x509.o src/pk/ed25519/ed25519_make_key.o \
+src/pk/ed25519/ed25519_set_key.o src/pk/ed25519/ed25519_sign.o src/pk/ed25519/ed25519_verify.o \
+src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o src/pk/pkcs1/pkcs_1_oaep_decode.o \
+src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o src/pk/pkcs1/pkcs_1_pss_decode.o \
+src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o src/pk/pkcs1/pkcs_1_v1_5_encode.o \
+src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o \
+src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o src/pk/rsa/rsa_import.o \
+src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o src/pk/rsa/rsa_make_key.o \
+src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
+src/pk/rsa/rsa_verify_hash.o src/pk/x25519/x25519_export.o src/pk/x25519/x25519_import.o \
+src/pk/x25519/x25519_import_x509.o src/pk/x25519/x25519_make_key.o src/pk/x25519/x25519_set_ku.o \
+src/pk/x25519/x25519_shared_secret.o src/prngs/chacha20.o src/prngs/fortuna.o src/prngs/rc4.o \
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
+src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
 src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
@@ -227,11 +232,11 @@ src/stream/sosemanuk/sosemanuk_memory.o src/stream/sosemanuk/sosemanuk_test.o
 
 #List of test objects to compile (all goes to libtomcrypt_prof.a)
 TOBJECTS=tests/base16_test.o tests/base32_test.o tests/base64_test.o tests/cipher_hash_test.o \
-tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/file_test.o \
-tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o tests/multi_test.o tests/no_prng.o \
-tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o tests/pkcs_1_oaep_test.o \
-tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o tests/rotate_test.o tests/rsa_test.o \
-tests/ssh_test.o tests/store_test.o tests/test.o
+tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/ed25519_test.o \
+tests/file_test.o tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o \
+tests/multi_test.o tests/no_prng.o tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o \
+tests/pkcs_1_oaep_test.o tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o \
+tests/rotate_test.o tests/rsa_test.o tests/ssh_test.o tests/store_test.o tests/test.o tests/x25519_test.o
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

makefile_include.mk

@@ -349,29 +349,34 @@ src/pk/dsa/dsa_decrypt_key.o src/pk/dsa/dsa_encrypt_key.o src/pk/dsa/dsa_export.
 src/pk/dsa/dsa_generate_key.o src/pk/dsa/dsa_generate_pqg.o src/pk/dsa/dsa_import.o \
 src/pk/dsa/dsa_make_key.o src/pk/dsa/dsa_set.o src/pk/dsa/dsa_set_pqg_dsaparam.o \
 src/pk/dsa/dsa_shared_secret.o src/pk/dsa/dsa_sign_hash.o src/pk/dsa/dsa_verify_hash.o \
-src/pk/dsa/dsa_verify_key.o src/pk/ecc/ecc.o src/pk/ecc/ecc_ansi_x963_export.o \
-src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o src/pk/ecc/ecc_encrypt_key.o \
-src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o src/pk/ecc/ecc_find_curve.o \
-src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o src/pk/ecc/ecc_get_size.o \
-src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o src/pk/ecc/ecc_import_pkcs8.o \
-src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o src/pk/ecc/ecc_recover_key.o \
-src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o \
-src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sizes.o \
-src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ltc_ecc_export_point.o \
-src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
+src/pk/dsa/dsa_verify_key.o src/pk/ec25519/tweetnacl.o src/pk/ecc/ecc.o \
+src/pk/ecc/ecc_ansi_x963_export.o src/pk/ecc/ecc_ansi_x963_import.o src/pk/ecc/ecc_decrypt_key.o \
+src/pk/ecc/ecc_encrypt_key.o src/pk/ecc/ecc_export.o src/pk/ecc/ecc_export_openssl.o \
+src/pk/ecc/ecc_find_curve.o src/pk/ecc/ecc_free.o src/pk/ecc/ecc_get_key.o src/pk/ecc/ecc_get_oid_str.o \
+src/pk/ecc/ecc_get_size.o src/pk/ecc/ecc_import.o src/pk/ecc/ecc_import_openssl.o \
+src/pk/ecc/ecc_import_pkcs8.o src/pk/ecc/ecc_import_x509.o src/pk/ecc/ecc_make_key.o \
+src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_set_curve.o src/pk/ecc/ecc_set_curve_internal.o \
+src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o src/pk/ecc/ecc_sign_hash.o \
+src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o \
+src/pk/ecc/ltc_ecc_export_point.o src/pk/ecc/ltc_ecc_import_point.o src/pk/ecc/ltc_ecc_is_point.o \
 src/pk/ecc/ltc_ecc_is_point_at_infinity.o src/pk/ecc/ltc_ecc_map.o src/pk/ecc/ltc_ecc_mul2add.o \
 src/pk/ecc/ltc_ecc_mulmod.o src/pk/ecc/ltc_ecc_mulmod_timing.o src/pk/ecc/ltc_ecc_points.o \
 src/pk/ecc/ltc_ecc_projective_add_point.o src/pk/ecc/ltc_ecc_projective_dbl_point.o \
-src/pk/ecc/ltc_ecc_verify_key.o src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o \
-src/pk/pkcs1/pkcs_1_oaep_decode.o src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o \
-src/pk/pkcs1/pkcs_1_pss_decode.o src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o \
-src/pk/pkcs1/pkcs_1_v1_5_encode.o src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o \
-src/pk/rsa/rsa_export.o src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o \
-src/pk/rsa/rsa_import.o src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o \
-src/pk/rsa/rsa_make_key.o src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o \
-src/pk/rsa/rsa_sign_saltlen_get.o src/pk/rsa/rsa_verify_hash.o src/prngs/chacha20.o src/prngs/fortuna.o \
-src/prngs/rc4.o src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o \
-src/prngs/sprng.o src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
+src/pk/ecc/ltc_ecc_verify_key.o src/pk/ed25519/ed25519_export.o src/pk/ed25519/ed25519_import.o \
+src/pk/ed25519/ed25519_import_x509.o src/pk/ed25519/ed25519_make_key.o \
+src/pk/ed25519/ed25519_set_key.o src/pk/ed25519/ed25519_sign.o src/pk/ed25519/ed25519_verify.o \
+src/pk/pkcs1/pkcs_1_i2osp.o src/pk/pkcs1/pkcs_1_mgf1.o src/pk/pkcs1/pkcs_1_oaep_decode.o \
+src/pk/pkcs1/pkcs_1_oaep_encode.o src/pk/pkcs1/pkcs_1_os2ip.o src/pk/pkcs1/pkcs_1_pss_decode.o \
+src/pk/pkcs1/pkcs_1_pss_encode.o src/pk/pkcs1/pkcs_1_v1_5_decode.o src/pk/pkcs1/pkcs_1_v1_5_encode.o \
+src/pk/rsa/rsa_decrypt_key.o src/pk/rsa/rsa_encrypt_key.o src/pk/rsa/rsa_export.o \
+src/pk/rsa/rsa_exptmod.o src/pk/rsa/rsa_free.o src/pk/rsa/rsa_get_size.o src/pk/rsa/rsa_import.o \
+src/pk/rsa/rsa_import_pkcs8.o src/pk/rsa/rsa_import_x509.o src/pk/rsa/rsa_make_key.o \
+src/pk/rsa/rsa_set.o src/pk/rsa/rsa_sign_hash.o src/pk/rsa/rsa_sign_saltlen_get.o \
+src/pk/rsa/rsa_verify_hash.o src/pk/x25519/x25519_export.o src/pk/x25519/x25519_import.o \
+src/pk/x25519/x25519_import_x509.o src/pk/x25519/x25519_make_key.o src/pk/x25519/x25519_set_ku.o \
+src/pk/x25519/x25519_shared_secret.o src/prngs/chacha20.o src/prngs/fortuna.o src/prngs/rc4.o \
+src/prngs/rng_get_bytes.o src/prngs/rng_make_prng.o src/prngs/sober128.o src/prngs/sprng.o \
+src/prngs/yarrow.o src/stream/chacha/chacha_crypt.o src/stream/chacha/chacha_done.o \
 src/stream/chacha/chacha_ivctr32.o src/stream/chacha/chacha_ivctr64.o \
 src/stream/chacha/chacha_keystream.o src/stream/chacha/chacha_memory.o \
 src/stream/chacha/chacha_setup.o src/stream/chacha/chacha_test.o src/stream/rabbit/rabbit.o \
@@ -387,11 +392,11 @@ src/stream/sosemanuk/sosemanuk_memory.o src/stream/sosemanuk/sosemanuk_test.o
 
 # List of test objects to compile (all goes to libtomcrypt_prof.a)
 TOBJECTS=tests/base16_test.o tests/base32_test.o tests/base64_test.o tests/cipher_hash_test.o \
-tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/file_test.o \
-tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o tests/multi_test.o tests/no_prng.o \
-tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o tests/pkcs_1_oaep_test.o \
-tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o tests/rotate_test.o tests/rsa_test.o \
-tests/ssh_test.o tests/store_test.o tests/test.o
+tests/common.o tests/der_test.o tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/ed25519_test.o \
+tests/file_test.o tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o \
+tests/multi_test.o tests/no_prng.o tests/padding_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o \
+tests/pkcs_1_oaep_test.o tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o \
+tests/rotate_test.o tests/rsa_test.o tests/ssh_test.o tests/store_test.o tests/test.o tests/x25519_test.o
 
 # The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

src/headers/tomcrypt_cfg.h

@@ -206,9 +206,11 @@ LTC_EXPORT int   LTC_CALL XSTRCMP(const char *s1, const char *s2);
 #ifdef _MSC_VER
    #define CONST64(n) n ## ui64
    typedef unsigned __int64 ulong64;
+   typedef __int64 long64;
 #else
    #define CONST64(n) n ## ULL
    typedef unsigned long long ulong64;
+   typedef long long long64;
 #endif
 
 /* ulong32: "32-bit at least" data type */

src/headers/tomcrypt_custom.h

@@ -431,6 +431,9 @@
 /* Digital Signature Algorithm */
 #define LTC_MDSA
 
+/* Ed25519 & X25519 */
+#define LTC_CURVE25519
+
 /* ECC */
 #define LTC_MECC
 

src/headers/tomcrypt_pk.h

@@ -325,6 +325,71 @@ int  ecc_recover_key(const unsigned char *sig,  unsigned long siglen,
 
 #endif
 
+#ifdef LTC_CURVE25519
+
+typedef struct {
+   /** The key type, PK_PRIVATE or PK_PUBLIC */
+   enum public_key_type type;
+
+   /** The PK-algorithm, PKA_ED25519 or PKA_X25519 */
+   /** This was supposed to be:
+    * enum public_key_algorithms algo;
+    * but that enum is now in tomcrypt_private.h
+    */
+   int algo;
+
+   /** The private key */
+   unsigned char priv[32];
+
+   /** The public key */
+   unsigned char pub[32];
+} curve25519_key;
+
+
+/* Ed25519 Signature API */
+int ed25519_make_key(prng_state *prng, int wprng, curve25519_key *key);
+
+int ed25519_export(       unsigned char *out, unsigned long *outlen,
+                                    int  which,
+                   const curve25519_key *key);
+
+int ed25519_import(const unsigned char *in, unsigned long inlen, curve25519_key *key);
+
+int ed25519_import_x509(const unsigned char *in, unsigned long inlen, curve25519_key *key);
+
+int ed25519_set_key(const unsigned char *sk, unsigned long sklen,
+                    const unsigned char *pk, unsigned long pklen,
+                         curve25519_key *key);
+
+int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
+                       unsigned char  *sig, unsigned long *siglen,
+                 const curve25519_key *private_key);
+
+int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
+                   const  unsigned char *sig, unsigned long siglen,
+                   int *stat, const curve25519_key *public_key);
+
+/* X25519 Key-Exchange API */
+int x25519_make_key(prng_state *prng, int wprng, curve25519_key *key);
+
+int x25519_export(       unsigned char *out, unsigned long *outlen,
+                                   int  which,
+                  const curve25519_key *key);
+
+int x25519_import(const unsigned char *in, unsigned long inlen, curve25519_key *key);
+
+int x25519_import_x509(const unsigned char *in, unsigned long inlen, curve25519_key *key);
+
+int x25519_set_ku(const unsigned char *k,  unsigned long klen,
+                  const unsigned char *u,  unsigned long ulen,
+                       curve25519_key *key);
+
+int x25519_shared_secret(const curve25519_key *private_key,
+                         const curve25519_key *public_key,
+                                unsigned char *out, unsigned long *outlen);
+
+#endif /* LTC_CURVE25519 */
+
 #ifdef LTC_MDSA
 
 /* Max diff between group and modulus size in bytes */

src/headers/tomcrypt_private.h

@@ -23,7 +23,9 @@ enum ltc_oid_id {
    PKA_RSA,
    PKA_DSA,
    PKA_EC,
-   PKA_EC_PRIMEF
+   PKA_EC_PRIMEF,
+   PKA_X25519,
+   PKA_ED25519,
 };
 
 /*
@@ -297,6 +299,24 @@ int dsa_int_validate_pqg(const dsa_key *key, int *stat);
 int dsa_int_validate_primes(const dsa_key *key, int *stat);
 #endif /* LTC_MDSA */
 
+
+#ifdef LTC_CURVE25519
+
+int crypto_sign(
+  unsigned char *sm,unsigned long long *smlen,
+  const unsigned char *m,unsigned long long mlen,
+  const unsigned char *sk, const unsigned char *pk);
+int crypto_sign_open(
+  unsigned char *m,unsigned long long *mlen,
+  const unsigned char *sm,unsigned long long smlen,
+  const unsigned char *pk);
+int crypto_sign_keypair(prng_state *prng, int wprng, unsigned char *pk,unsigned char *sk);
+int crypto_sk_to_pk(unsigned char *pk, const unsigned char *sk);
+int crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p);
+int crypto_scalarmult_base(unsigned char *q,const unsigned char *n);
+
+#endif /* LTC_CURVE25519 */
+
 #ifdef LTC_DER
 
 #define LTC_ASN1_IS_TYPE(e, t) (((e) != NULL) && ((e)->type == (t)))

src/misc/crypt/crypt.c

@@ -353,6 +353,14 @@ const char *crypt_build_settings =
 #if defined(LTC_MDSA)
     "   DSA\n"
 #endif
+#if defined(LTC_CURVE25519)
+#if defined(LTC_CURVE25519)
+    "   Ed25519\n"
+#endif
+#if defined(LTC_CURVE25519)
+    "   X25519\n"
+#endif
+#endif
 #if defined(LTC_PK_MAX_RETRIES)
     "   "NAME_VALUE(LTC_PK_MAX_RETRIES)"\n"
 #endif

src/pk/asn1/oid/pk_get_oid.c

@@ -20,6 +20,8 @@ static const oid_table_entry pka_oids[] = {
                                               { PKA_DSA,       "1.2.840.10040.4.1" },
                                               { PKA_EC,        "1.2.840.10045.2.1" },
                                               { PKA_EC_PRIMEF, "1.2.840.10045.1.1" },
+                                              { PKA_X25519,    "1.3.101.110" },
+                                              { PKA_ED25519,   "1.3.101.112" },
 };
 
 /*

src/pk/ec25519/tweetnacl.c

@@ -0,0 +1,611 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/* automatically generated file, do not edit */
+
+#define FOR(i,n) for (i = 0;i < n;++i)
+#define sv static void
+
+typedef unsigned char u8;
+typedef ulong32 u32;
+typedef ulong64 u64;
+typedef long64 i64;
+typedef i64 gf[16];
+
+static const u8
+  _9[32] = {9};
+static const gf
+  gf0,
+  gf1 = {1},
+  _121665 = {0xDB41,1},
+  D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
+  D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
+  X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
+  Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
+  I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
+
+static u32 L32(u32 x,int c) { return (x << c) | ((x&0xffffffff) >> (32 - c)); }
+
+static u32 ld32(const u8 *x)
+{
+  u32 u = x[3];
+  u = (u<<8)|x[2];
+  u = (u<<8)|x[1];
+  return (u<<8)|x[0];
+}
+
+sv st32(u8 *x,u32 u)
+{
+  int i;
+  FOR(i,4) { x[i] = u; u >>= 8; }
+}
+
+static int vn(const u8 *x,const u8 *y,int n)
+{
+  int i;
+  u32 d = 0;
+  FOR(i,n) d |= x[i]^y[i];
+  return (1 & ((d - 1) >> 8)) - 1;
+}
+
+int crypto_verify_16(const u8 *x,const u8 *y)
+{
+  return vn(x,y,16);
+}
+
+int crypto_verify_32(const u8 *x,const u8 *y)
+{
+  return vn(x,y,32);
+}
+
+sv core(u8 *out,const u8 *in,const u8 *k,const u8 *c,int h)
+{
+  u32 w[16],x[16],y[16],t[4];
+  int i,j,m;
+
+  FOR(i,4) {
+    x[5*i] = ld32(c+4*i);
+    x[1+i] = ld32(k+4*i);
+    x[6+i] = ld32(in+4*i);
+    x[11+i] = ld32(k+16+4*i);
+  }
+
+  FOR(i,16) y[i] = x[i];
+
+  FOR(i,20) {
+    FOR(j,4) {
+      FOR(m,4) t[m] = x[(5*j+4*m)%16];
+      t[1] ^= L32(t[0]+t[3], 7);
+      t[2] ^= L32(t[1]+t[0], 9);
+      t[3] ^= L32(t[2]+t[1],13);
+      t[0] ^= L32(t[3]+t[2],18);
+      FOR(m,4) w[4*j+(j+m)%4] = t[m];
+    }
+    FOR(m,16) x[m] = w[m];
+  }
+
+  if (h) {
+    FOR(i,16) x[i] += y[i];
+    FOR(i,4) {
+      x[5*i] -= ld32(c+4*i);
+      x[6+i] -= ld32(in+4*i);
+    }
+    FOR(i,4) {
+      st32(out+4*i,x[5*i]);
+      st32(out+16+4*i,x[6+i]);
+    }
+  } else
+    FOR(i,16) st32(out + 4 * i,x[i] + y[i]);
+}
+
+int crypto_core_salsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c)
+{
+  core(out,in,k,c,0);
+  return 0;
+}
+
+int crypto_core_hsalsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c)
+{
+  core(out,in,k,c,1);
+  return 0;
+}
+
+static const u8 sigma[16] = "expand 32-byte k";
+
+int crypto_stream_salsa20_xor(u8 *c,const u8 *m,u64 b,const u8 *n,const u8 *k)
+{
+  u8 z[16],x[64];
+  u32 u,i;
+  if (!b) return 0;
+  FOR(i,16) z[i] = 0;
+  FOR(i,8) z[i] = n[i];
+  while (b >= 64) {
+    crypto_core_salsa20(x,z,k,sigma);
+    FOR(i,64) c[i] = (m?m[i]:0) ^ x[i];
+    u = 1;
+    for (i = 8;i < 16;++i) {
+      u += (u32) z[i];
+      z[i] = u;
+      u >>= 8;
+    }
+    b -= 64;
+    c += 64;
+    if (m) m += 64;
+  }
+  if (b) {
+    crypto_core_salsa20(x,z,k,sigma);
+    FOR(i,b) c[i] = (m?m[i]:0) ^ x[i];
+  }
+  return 0;
+}
+
+int crypto_stream_salsa20(u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  return crypto_stream_salsa20_xor(c,0,d,n,k);
+}
+
+int crypto_stream(u8 *c,u64 d,const u8 *n,const u8 *k)
+{
+  u8 s[32];
+  crypto_core_hsalsa20(s,n,k,sigma);
+  return crypto_stream_salsa20(c,d,n+16,s);
+}
+
+int crypto_stream_xor(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k)
+{
+  u8 s[32];
+  crypto_core_hsalsa20(s,n,k,sigma);
+  return crypto_stream_salsa20_xor(c,m,d,n+16,s);
+}
+
+sv set25519(gf r, const gf a)
+{
+  int i;
+  FOR(i,16) r[i]=a[i];
+}
+
+sv car25519(gf o)
+{
+  int i;
+  i64 c;
+  FOR(i,16) {
+    o[i]+=(1LL<<16);
+    c=o[i]>>16;
+    o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15);
+    o[i]-=c<<16;
+  }
+}
+
+sv sel25519(gf p,gf q,int b)
+{
+  i64 t,i,c=~(b-1);
+  FOR(i,16) {
+    t= c&(p[i]^q[i]);
+    p[i]^=t;
+    q[i]^=t;
+  }
+}
+
+sv pack25519(u8 *o,const gf n)
+{
+  int i,j,b;
+  gf m,t;
+  FOR(i,16) t[i]=n[i];
+  car25519(t);
+  car25519(t);
+  car25519(t);
+  FOR(j,2) {
+    m[0]=t[0]-0xffed;
+    for(i=1;i<15;i++) {
+      m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
+      m[i-1]&=0xffff;
+    }
+    m[15]=t[15]-0x7fff-((m[14]>>16)&1);
+    b=(m[15]>>16)&1;
+    m[14]&=0xffff;
+    sel25519(t,m,1-b);
+  }
+  FOR(i,16) {
+    o[2*i]=t[i]&0xff;
+    o[2*i+1]=t[i]>>8;
+  }
+}
+
+static int neq25519(const gf a, const gf b)
+{
+  u8 c[32],d[32];
+  pack25519(c,a);
+  pack25519(d,b);
+  return crypto_verify_32(c,d);
+}
+
+static u8 par25519(const gf a)
+{
+  u8 d[32];
+  pack25519(d,a);
+  return d[0]&1;
+}
+
+sv unpack25519(gf o, const u8 *n)
+{
+  int i;
+  FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8);
+  o[15]&=0x7fff;
+}
+
+sv A(gf o,const gf a,const gf b)
+{
+  int i;
+  FOR(i,16) o[i]=a[i]+b[i];
+}
+
+sv Z(gf o,const gf a,const gf b)
+{
+  int i;
+  FOR(i,16) o[i]=a[i]-b[i];
+}
+
+sv M(gf o,const gf a,const gf b)
+{
+  i64 i,j,t[31];
+  FOR(i,31) t[i]=0;
+  FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
+  FOR(i,15) t[i]+=38*t[i+16];
+  FOR(i,16) o[i]=t[i];
+  car25519(o);
+  car25519(o);
+}
+
+sv S(gf o,const gf a)
+{
+  M(o,a,a);
+}
+
+sv inv25519(gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR(a,16) c[a]=i[a];
+  for(a=253;a>=0;a--) {
+    S(c,c);
+    if(a!=2&&a!=4) M(c,c,i);
+  }
+  FOR(a,16) o[a]=c[a];
+}
+
+sv pow2523(gf o,const gf i)
+{
+  gf c;
+  int a;
+  FOR(a,16) c[a]=i[a];
+  for(a=250;a>=0;a--) {
+    S(c,c);
+    if(a!=1) M(c,c,i);
+  }
+  FOR(a,16) o[a]=c[a];
+}
+
+int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p)
+{
+  u8 z[32];
+  i64 x[80],r,i;
+  gf a,b,c,d,e,f;
+  FOR(i,31) z[i]=n[i];
+  z[31]=(n[31]&127)|64;
+  z[0]&=248;
+  unpack25519(x,p);
+  FOR(i,16) {
+    b[i]=x[i];
+    d[i]=a[i]=c[i]=0;
+  }
+  a[0]=d[0]=1;
+  for(i=254;i>=0;--i) {
+    r=(z[i>>3]>>(i&7))&1;
+    sel25519(a,b,r);
+    sel25519(c,d,r);
+    A(e,a,c);
+    Z(a,a,c);
+    A(c,b,d);
+    Z(b,b,d);
+    S(d,e);
+    S(f,a);
+    M(a,c,a);
+    M(c,b,e);
+    A(e,a,c);
+    Z(a,a,c);
+    S(b,a);
+    Z(c,d,f);
+    M(a,c,_121665);
+    A(a,a,d);
+    M(c,c,a);
+    M(a,d,f);
+    M(d,b,x);
+    S(b,e);
+    sel25519(a,b,r);
+    sel25519(c,d,r);
+  }
+  FOR(i,16) {
+    x[i+16]=a[i];
+    x[i+32]=c[i];
+    x[i+48]=b[i];
+    x[i+64]=d[i];
+  }
+  inv25519(x+32,x+32);
+  M(x+16,x+16,x+32);
+  pack25519(q,x+16);
+  return 0;
+}
+
+int crypto_scalarmult_base(u8 *q,const u8 *n)
+{
+  return crypto_scalarmult(q,n,_9);
+}
+
+static int crypto_hash(u8 *out,const u8 *m,u64 n)
+{
+  unsigned long len;
+  int err, hash_idx;
+
+  if (n > ULONG_MAX) return CRYPT_OVERFLOW;
+
+  hash_idx = find_hash("sha512");
+  len = 64;
+  if ((err = hash_memory(hash_idx, m, n, out, &len)) != CRYPT_OK) return err;
+
+  return 0;
+}
+
+sv add(gf p[4],gf q[4])
+{
+  gf a,b,c,d,t,e,f,g,h;
+
+  Z(a, p[1], p[0]);
+  Z(t, q[1], q[0]);
+  M(a, a, t);
+  A(b, p[0], p[1]);
+  A(t, q[0], q[1]);
+  M(b, b, t);
+  M(c, p[3], q[3]);
+  M(c, c, D2);
+  M(d, p[2], q[2]);
+  A(d, d, d);
+  Z(e, b, a);
+  Z(f, d, c);
+  A(g, d, c);
+  A(h, b, a);
+
+  M(p[0], e, f);
+  M(p[1], h, g);
+  M(p[2], g, f);
+  M(p[3], e, h);
+}
+
+sv cswap(gf p[4],gf q[4],u8 b)
+{
+  int i;
+  FOR(i,4)
+    sel25519(p[i],q[i],b);
+}
+
+sv pack(u8 *r,gf p[4])
+{
+  gf tx, ty, zi;
+  inv25519(zi, p[2]);
+  M(tx, p[0], zi);
+  M(ty, p[1], zi);
+  pack25519(r, ty);
+  r[31] ^= par25519(tx) << 7;
+}
+
+sv scalarmult(gf p[4],gf q[4],const u8 *s)
+{
+  int i;
+  set25519(p[0],gf0);
+  set25519(p[1],gf1);
+  set25519(p[2],gf1);
+  set25519(p[3],gf0);
+  for (i = 255;i >= 0;--i) {
+    u8 b = (s[i/8]>>(i&7))&1;
+    cswap(p,q,b);
+    add(q,p);
+    add(p,p);
+    cswap(p,q,b);
+  }
+}
+
+sv scalarbase(gf p[4],const u8 *s)
+{
+  gf q[4];
+  set25519(q[0],X);
+  set25519(q[1],Y);
+  set25519(q[2],gf1);
+  M(q[3],X,Y);
+  scalarmult(p,q,s);
+}
+
+int crypto_sk_to_pk(u8 *pk, const u8 *sk)
+{
+  u8 d[64];
+  gf p[4];
+  crypto_hash(d, sk, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+
+  scalarbase(p,d);
+  pack(pk,p);
+
+  return 0;
+}
+
+int crypto_sign_keypair(prng_state *prng, int wprng, u8 *pk, u8 *sk)
+{
+  int err;
+
+  /* randombytes(sk,32); */
+  if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
+     return err;
+  }
+
+  if (prng_descriptor[wprng].read(sk,32, prng) != 32) {
+     return CRYPT_ERROR_READPRNG;
+  }
+
+  if ((err = crypto_sk_to_pk(pk, sk)) != CRYPT_OK) {
+     return err;
+  }
+
+  /* FOR(i,32) sk[32 + i] = pk[i];
+   * we don't copy the pk in the sk */
+  return CRYPT_OK;
+}
+
+static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
+
+sv modL(u8 *r,i64 x[64])
+{
+  i64 carry,i,j;
+  for (i = 63;i >= 32;--i) {
+    carry = 0;
+    for (j = i - 32;j < i - 12;++j) {
+      x[j] += carry - 16 * x[i] * L[j - (i - 32)];
+      carry = (x[j] + 128) >> 8;
+      x[j] -= carry << 8;
+    }
+    x[j] += carry;
+    x[i] = 0;
+  }
+  carry = 0;
+  FOR(j,32) {
+    x[j] += carry - (x[31] >> 4) * L[j];
+    carry = x[j] >> 8;
+    x[j] &= 255;
+  }
+  FOR(j,32) x[j] -= carry * L[j];
+  FOR(i,32) {
+    x[i+1] += x[i] >> 8;
+    r[i] = x[i] & 255;
+  }
+}
+
+sv reduce(u8 *r)
+{
+  i64 x[64],i;
+  FOR(i,64) x[i] = (u64) r[i];
+  FOR(i,64) r[i] = 0;
+  modL(r,x);
+}
+
+int crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 n,const u8 *sk,const u8 *pk)
+{
+  u8 d[64],h[64],r[64];
+  i64 i,j,x[64];
+  gf p[4];
+
+  crypto_hash(d, sk, 32);
+  d[0] &= 248;
+  d[31] &= 127;
+  d[31] |= 64;
+
+  *smlen = n+64;
+  FOR(i,(i64)n) sm[64 + i] = m[i];
+  FOR(i,32) sm[32 + i] = d[32 + i];
+
+  crypto_hash(r, sm+32, n+32);
+  reduce(r);
+  scalarbase(p,r);
+  pack(sm,p);
+
+  FOR(i,32) sm[i+32] = pk[i];
+  crypto_hash(h,sm,n + 64);
+  reduce(h);
+
+  FOR(i,64) x[i] = 0;
+  FOR(i,32) x[i] = (u64) r[i];
+  FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j];
+  modL(sm + 32,x);
+
+  return 0;
+}
+
+static int unpackneg(gf r[4],const u8 p[32])
+{
+  gf t, chk, num, den, den2, den4, den6;
+  set25519(r[2],gf1);
+  unpack25519(r[1],p);
+  S(num,r[1]);
+  M(den,num,D);
+  Z(num,num,r[2]);
+  A(den,r[2],den);
+
+  S(den2,den);
+  S(den4,den2);
+  M(den6,den4,den2);
+  M(t,den6,num);
+  M(t,t,den);
+
+  pow2523(t,t);
+  M(t,t,num);
+  M(t,t,den);
+  M(t,t,den);
+  M(r[0],t,den);
+
+  S(chk,r[0]);
+  M(chk,chk,den);
+  if (neq25519(chk, num)) M(r[0],r[0],I);
+
+  S(chk,r[0]);
+  M(chk,chk,den);
+  if (neq25519(chk, num)) return -1;
+
+  if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]);
+
+  M(r[3],r[0],r[1]);
+  return 0;
+}
+
+int crypto_sign_open(u8 *m,u64 *mlen,const u8 *sm,u64 n,const u8 *pk)
+{
+  u64 i;
+  u8 s[32],t[32],h[64];
+  gf p[4],q[4];
+
+  if (*mlen < n) return CRYPT_BUFFER_OVERFLOW;
+  *mlen = -1;
+  if (n < 64) return CRYPT_INVALID_ARG;
+
+  if (unpackneg(q,pk)) return CRYPT_ERROR;
+
+  XMEMMOVE(m,sm,n);
+  XMEMMOVE(s,m + 32,32);
+  XMEMMOVE(m + 32,pk,32);
+  crypto_hash(h,m,n);
+  reduce(h);
+  scalarmult(p,q,h);
+
+  scalarbase(q,s);
+  add(p,q);
+  pack(t,p);
+
+  n -= 64;
+  if (crypto_verify_32(sm, t)) {
+    FOR(i,n) m[i] = 0;
+    zeromem(m, n);
+    return CRYPT_INVALID_PACKET;
+  }
+
+  XMEMMOVE(m,m + 64,n);
+  *mlen = n;
+  return CRYPT_OK;
+}
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_export.c

@@ -0,0 +1,92 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_export.c
+  Export a Ed25519 key to a binary packet, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Export a Ed25519 key to a binary packet
+   @param out    [out] The destination for the key
+   @param outlen [in/out] The max size and resulting size of the Ed25519 key
+   @param type   Which type of key (PK_PRIVATE, PK_PUBLIC|PK_STD or PK_PUBLIC)
+   @param key    The key you wish to export
+   @return CRYPT_OK if successful
+*/
+int ed25519_export(       unsigned char *out, unsigned long *outlen,
+                                    int  which,
+                   const curve25519_key *key)
+{
+   int err, std;
+   const char* OID;
+   unsigned long oid[16], oidlen;
+   ltc_asn1_list alg_id[1];
+   unsigned char private_key[34];
+   unsigned long version, private_key_len = sizeof(private_key);
+
+   LTC_ARGCHK(out       != NULL);
+   LTC_ARGCHK(outlen    != NULL);
+   LTC_ARGCHK(key       != NULL);
+
+   if (key->algo != PKA_ED25519) return CRYPT_PK_INVALID_TYPE;
+
+   std = which & PK_STD;
+   which &= ~PK_STD;
+
+   if (which == PK_PRIVATE) {
+      if(key->type != PK_PRIVATE) return CRYPT_PK_INVALID_TYPE;
+
+      if ((err = pk_get_oid(PKA_ED25519, &OID)) != CRYPT_OK) {
+         return err;
+      }
+      oidlen = sizeof(oid)/sizeof(oid[0]);
+      if ((err = pk_oid_str_to_num(OID, oid, &oidlen)) != CRYPT_OK) {
+         return err;
+      }
+
+      LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, oid, oidlen);
+
+      /* encode private key as PKCS#8 */
+      if ((err = der_encode_octet_string(key->priv, 32uL, private_key, &private_key_len)) != CRYPT_OK) {
+         return err;
+      }
+
+      version = 0;
+      err = der_encode_sequence_multi(out, outlen,
+                                LTC_ASN1_SHORT_INTEGER,            1uL, &version,
+                                LTC_ASN1_SEQUENCE,                 1uL, alg_id,
+                                LTC_ASN1_OCTET_STRING, private_key_len, private_key,
+                                LTC_ASN1_EOL,                      0uL, NULL);
+   } else {
+      if (std == PK_STD) {
+         /* encode public key as SubjectPublicKeyInfo */
+         err = x509_encode_subject_public_key_info(out, outlen, PKA_ED25519, key->pub, 32uL, LTC_ASN1_EOL, NULL, 0);
+      } else {
+         if (*outlen < sizeof(key->pub)) {
+            err = CRYPT_BUFFER_OVERFLOW;
+         } else {
+            XMEMCPY(out, key->pub, sizeof(key->pub));
+            err = CRYPT_OK;
+         }
+         *outlen = sizeof(key->pub);
+      }
+   }
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_import.c

@@ -0,0 +1,100 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_import.c
+  Import a Ed25519 key from a binary packet, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+  Import a Ed25519 key from a binary packet
+  @param in     The packet to read
+  @param inlen  The length of the input packet
+  @param key    [out] Where to import the key to
+  @return CRYPT_OK if successful, on error all allocated memory is freed automatically
+*/
+int ed25519_import(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   int err;
+   const char* oid;
+   ltc_asn1_list alg_id[1];
+   unsigned char private_key[34];
+   unsigned long version, key_len;
+   unsigned long tmpoid[16];
+
+   LTC_ARGCHK(in  != NULL);
+   LTC_ARGCHK(key != NULL);
+
+   /* There's only one case where the inlen is equal to the pubkey-size
+    * and that's a raw pubkey, so let's just do a raw import.
+    */
+   if (inlen == sizeof(key->pub)) {
+      XMEMCPY(key->pub, in, sizeof(key->pub));
+      key->type = PK_PUBLIC;
+      key->algo = PKA_ED25519;
+      return CRYPT_OK;
+   }
+
+   key_len = sizeof(key->pub);
+   if ((err = x509_decode_subject_public_key_info(in, inlen, PKA_ED25519, key->pub, &key_len, LTC_ASN1_EOL, NULL, 0uL)) == CRYPT_OK) {
+      key->type = PK_PUBLIC;
+      key->algo = PKA_ED25519;
+      return CRYPT_OK;
+   }
+
+   LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, tmpoid, sizeof(tmpoid)/sizeof(tmpoid[0]));
+
+   key_len = sizeof(private_key);
+   err = der_decode_sequence_multi(in, inlen,
+                                LTC_ASN1_SHORT_INTEGER,    1uL, &version,
+                                LTC_ASN1_SEQUENCE,         1uL, alg_id,
+                                LTC_ASN1_OCTET_STRING, key_len, private_key,
+                                LTC_ASN1_EOL,              0uL, NULL);
+   if (err != CRYPT_OK) {
+      if ((err == CRYPT_INPUT_TOO_LONG) && (version == 1)) {
+         version = 0;
+      } else {
+         goto out;
+      }
+   }
+
+   if ((err = pk_get_oid(PKA_ED25519, &oid)) != CRYPT_OK) {
+      goto out;
+   }
+   if ((err = pk_oid_cmp_with_asn1(oid, &alg_id[0])) != CRYPT_OK) {
+      goto out;
+   }
+
+   if (version == 0) {
+      key_len = sizeof(key->priv);
+      if ((err = der_decode_octet_string(private_key, sizeof(private_key), key->priv, &key_len)) == CRYPT_OK) {
+         crypto_sk_to_pk(key->pub, key->priv);
+         key->type = PK_PRIVATE;
+         key->algo = PKA_ED25519;
+      }
+   } else {
+      err = CRYPT_PK_INVALID_TYPE;
+   }
+
+out:
+#ifdef LTC_CLEAN_STACK
+   zeromem(private_key, sizeof(private_key));
+#endif
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_import_x509.c

@@ -0,0 +1,55 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_import_x509.c
+  Import a Ed25519 key from a X.509 certificate, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+static int _ed25519_decode(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   if (inlen != sizeof(key->pub)) return CRYPT_PK_INVALID_SIZE;
+   XMEMCPY(key->pub, in, sizeof(key->pub));
+   return CRYPT_OK;
+}
+
+/**
+  Import a Ed25519 public key from a X.509 certificate
+  @param in     The DER encoded X.509 certificate
+  @param inlen  The length of the certificate
+  @param key    [out] Where to import the key to
+  @return CRYPT_OK if successful, on error all allocated memory is freed automatically
+*/
+int ed25519_import_x509(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   int err = CRYPT_INVALID_ARG;
+
+   LTC_ARGCHK(in  != NULL);
+   LTC_ARGCHK(key != NULL);
+
+   if ((err = x509_decode_public_key_from_certificate(in, inlen,
+                                                      PKA_ED25519,
+                                                      LTC_ASN1_EOL, NULL, NULL,
+                                                      (public_key_decode_cb)_ed25519_decode, key)) != CRYPT_OK) {
+      return err;
+   }
+   key->type = PK_PUBLIC;
+   key->algo = PKA_ED25519;
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_make_key.c

@@ -0,0 +1,46 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_make_key.c
+  Create a Ed25519 key, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Create a Ed25519 key
+   @param prng     An active PRNG state
+   @param wprng    The index of the PRNG desired
+   @param key      [out] Destination of a newly created private key pair
+   @return CRYPT_OK if successful
+*/
+int ed25519_make_key(prng_state *prng, int wprng, curve25519_key *key)
+{
+   int err;
+
+   LTC_ARGCHK(prng != NULL);
+   LTC_ARGCHK(key  != NULL);
+
+   if ((err = crypto_sign_keypair(prng, wprng, key->pub, key->priv)) != CRYPT_OK) {
+      return err;
+   }
+
+   key->type = PK_PRIVATE;
+   key->algo = PKA_ED25519;
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_set_key.c

@@ -0,0 +1,65 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_set_ku.c
+  Set the parameters of a Ed25519 key, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Set the parameters of a Ed25519 key
+
+   In case sk and pk are given it is validated that pk is really the
+   corresponding public part of the key pair.
+
+   @param sk       The secret key
+   @param sklen    The length of sk
+   @param pk       The public key
+   @param pklen    The length of pk
+   @param key      [out] Destination of the key
+   @return CRYPT_OK if successful
+*/
+int ed25519_set_key(const unsigned char *sk, unsigned long sklen,
+                    const unsigned char *pk, unsigned long pklen,
+                         curve25519_key *key)
+{
+   LTC_ARGCHK(key != NULL);
+
+   if (sk != NULL) {
+      LTC_ARGCHK(sklen == 32uL);
+      XMEMCPY(key->priv, sk, sizeof(key->priv));
+      crypto_sk_to_pk(key->pub, key->priv);
+      if (pk != NULL) {
+         LTC_ARGCHK(pklen == 32uL);
+         if (XMEM_NEQ(pk, key->pub, sizeof(key->pub)) != 0) {
+            zeromem(key, sizeof(*key));
+            return CRYPT_INVALID_ARG;
+         }
+      }
+      key->type = PK_PRIVATE;
+   } else if (pk != NULL) {
+      LTC_ARGCHK(pklen == 32uL);
+      XMEMCPY(key->pub, pk, sizeof(key->pub));
+      key->type = PK_PUBLIC;
+   } else {
+      return CRYPT_INVALID_ARG;
+   }
+   key->algo = PKA_ED25519;
+
+   return CRYPT_OK;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_sign.c

@@ -0,0 +1,70 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_shared_secret.c
+  Create a Ed25519 signature, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Create a Ed25519 signature.
+   @param private_key     The private ed25519 key in the pair
+   @param public_key      The public ed25519 key in the pair
+   @param out             [out] The destination of the shared data
+   @param outlen          [in/out] The max size and resulting size of the shared data.
+   @return CRYPT_OK if successful
+*/
+int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
+                       unsigned char  *sig, unsigned long *siglen,
+                 const curve25519_key *private_key)
+{
+   unsigned char *s;
+   unsigned long long smlen;
+   int err;
+
+   LTC_ARGCHK(msg         != NULL);
+   LTC_ARGCHK(sig         != NULL);
+   LTC_ARGCHK(siglen      != NULL);
+   LTC_ARGCHK(private_key != NULL);
+
+   if (private_key->algo != PKA_ED25519) return CRYPT_PK_INVALID_TYPE;
+   if (private_key->type != PK_PRIVATE) return CRYPT_PK_INVALID_TYPE;
+
+   if (*siglen < 64uL) {
+      *siglen = 64uL;
+      return CRYPT_BUFFER_OVERFLOW;
+   }
+
+   smlen = msglen + 64;
+   s = XMALLOC(smlen);
+   if (s == NULL) return CRYPT_MEM;
+
+   err = crypto_sign(s, &smlen,
+                     msg, msglen,
+                     private_key->priv, private_key->pub);
+
+   XMEMCPY(sig, s, 64uL);
+   *siglen = 64uL;
+
+#ifdef LTC_CLEAN_STACK
+   zeromem(s, smlen);
+#endif
+   XFREE(s);
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ed25519/ed25519_verify.c

@@ -0,0 +1,74 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file ed25519_verify.c
+  Verify a Ed25519 signature, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Verify a Ed25519 signature.
+   @param private_key     The private curve25519 key in the pair
+   @param public_key      The public curve25519 key in the pair
+   @param out             [out] The destination of the shared data
+   @param outlen          [in/out] The max size and resulting size of the shared data.
+   @param stat            [out] The result of the signature verification, 1==valid, 0==invalid
+   @return CRYPT_OK if successful
+*/
+int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
+                   const  unsigned char *sig, unsigned long siglen,
+                   int *stat, const curve25519_key *public_key)
+{
+   unsigned char* m;
+   unsigned long long mlen;
+   int err;
+
+   LTC_ARGCHK(msg        != NULL);
+   LTC_ARGCHK(sig        != NULL);
+   LTC_ARGCHK(stat       != NULL);
+   LTC_ARGCHK(public_key != NULL);
+
+   *stat = 0;
+
+   if (siglen != 64uL) return CRYPT_INVALID_ARG;
+   if (public_key->algo != PKA_ED25519) return CRYPT_PK_INVALID_TYPE;
+
+   mlen = msglen + siglen;
+   if ((mlen < msglen) || (mlen < siglen)) return CRYPT_OVERFLOW;
+
+   m = XMALLOC(mlen);
+   if (m == NULL) return CRYPT_MEM;
+
+   XMEMCPY(m, sig, siglen);
+   XMEMCPY(m + siglen, msg, msglen);
+
+   err = crypto_sign_open(m, &mlen,
+                          m, mlen,
+                          public_key->pub);
+
+#ifdef LTC_CLEAN_STACK
+   zeromem(m, mlen);
+#endif
+   XFREE(m);
+
+   if (err == CRYPT_OK) {
+      *stat = 1;
+   }
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_export.c

@@ -0,0 +1,92 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_export.c
+  Export a X25519 key to a binary packet, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Export a X25519 key to a binary packet
+   @param out    [out] The destination for the key
+   @param outlen [in/out] The max size and resulting size of the X25519 key
+   @param type   Which type of key (PK_PRIVATE, PK_PUBLIC|PK_STD or PK_PUBLIC)
+   @param key    The key you wish to export
+   @return CRYPT_OK if successful
+*/
+int x25519_export(      unsigned char *out, unsigned long *outlen,
+                                  int  which,
+                  const    curve25519_key *key)
+{
+   int err, std;
+   const char* OID;
+   unsigned long oid[16], oidlen;
+   ltc_asn1_list alg_id[1];
+   unsigned char private_key[34];
+   unsigned long version, private_key_len = sizeof(private_key);
+
+   LTC_ARGCHK(out       != NULL);
+   LTC_ARGCHK(outlen    != NULL);
+   LTC_ARGCHK(key       != NULL);
+
+   if (key->algo != PKA_X25519) return CRYPT_PK_INVALID_TYPE;
+
+   std = which & PK_STD;
+   which &= ~PK_STD;
+
+   if (which == PK_PRIVATE) {
+      if(key->type != PK_PRIVATE) return CRYPT_PK_INVALID_TYPE;
+
+      if ((err = pk_get_oid(PKA_X25519, &OID)) != CRYPT_OK) {
+         return err;
+      }
+      oidlen = sizeof(oid)/sizeof(oid[0]);
+      if ((err = pk_oid_str_to_num(OID, oid, &oidlen)) != CRYPT_OK) {
+         return err;
+      }
+
+      LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, oid, oidlen);
+
+      /* encode private key as PKCS#8 */
+      if ((err = der_encode_octet_string(key->priv, 32uL, private_key, &private_key_len)) != CRYPT_OK) {
+         return err;
+      }
+
+      version = 0;
+      err = der_encode_sequence_multi(out, outlen,
+                                LTC_ASN1_SHORT_INTEGER,            1uL, &version,
+                                LTC_ASN1_SEQUENCE,                 1uL, alg_id,
+                                LTC_ASN1_OCTET_STRING, private_key_len, private_key,
+                                LTC_ASN1_EOL,                      0uL, NULL);
+   } else {
+      if (std == PK_STD) {
+         /* encode public key as SubjectPublicKeyInfo */
+         err = x509_encode_subject_public_key_info(out, outlen, PKA_X25519, key->pub, 32uL, LTC_ASN1_EOL, NULL, 0uL);
+      } else {
+         if (*outlen < sizeof(key->pub)) {
+            err = CRYPT_BUFFER_OVERFLOW;
+         } else {
+            XMEMCPY(out, key->pub, sizeof(key->pub));
+            err = CRYPT_OK;
+         }
+         *outlen = sizeof(key->pub);
+      }
+   }
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_import.c

@@ -0,0 +1,95 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_import.c
+  Import a X25519 key from a binary packet, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+  Import a X25519 key from a binary packet
+  @param in     The packet to read
+  @param inlen  The length of the input packet
+  @param key    [out] Where to import the key to
+  @return CRYPT_OK if successful, on error all allocated memory is freed automatically
+*/
+int x25519_import(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   int err;
+   const char *oid;
+   ltc_asn1_list alg_id[1];
+   unsigned char private_key[34];
+   unsigned long version, key_len;
+   unsigned long tmpoid[16];
+
+   LTC_ARGCHK(in  != NULL);
+   LTC_ARGCHK(key != NULL);
+
+   /* There's only one case where the inlen is equal to the pubkey-size
+    * and that's a raw pubkey, so let's just do a raw import.
+    */
+   if (inlen == sizeof(key->pub)) {
+      XMEMCPY(key->pub, in, sizeof(key->pub));
+      key->type = PK_PUBLIC;
+      key->algo = PKA_X25519;
+      return CRYPT_OK;
+   }
+
+   key_len = sizeof(key->pub);
+   if ((err = x509_decode_subject_public_key_info(in, inlen, PKA_X25519, key->pub, &key_len, LTC_ASN1_EOL, NULL, 0uL)) == CRYPT_OK) {
+      key->type = PK_PUBLIC;
+      key->algo = PKA_X25519;
+      return CRYPT_OK;
+   }
+
+   LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, tmpoid, sizeof(tmpoid)/sizeof(tmpoid[0]));
+
+   key_len = sizeof(private_key);
+   if ((err = der_decode_sequence_multi(in, inlen,
+                             LTC_ASN1_SHORT_INTEGER,    1uL, &version,
+                             LTC_ASN1_SEQUENCE,         1uL, alg_id,
+                             LTC_ASN1_OCTET_STRING, key_len, private_key,
+                             LTC_ASN1_EOL,              0uL, NULL)) != CRYPT_OK) {
+      goto out;
+   }
+
+   if ((err = pk_get_oid(PKA_X25519, &oid)) != CRYPT_OK) {
+      goto out;
+   }
+   if ((err = pk_oid_cmp_with_asn1(oid, &alg_id[0])) != CRYPT_OK) {
+      goto out;
+   }
+
+   if (version == 0) {
+      key_len = sizeof(key->priv);
+      if ((err = der_decode_octet_string(private_key, sizeof(private_key), key->priv, &key_len)) == CRYPT_OK) {
+         crypto_scalarmult_base(key->pub, key->priv);
+         key->type = PK_PRIVATE;
+         key->algo = PKA_X25519;
+      }
+   } else {
+      err = CRYPT_PK_INVALID_TYPE;
+   }
+
+out:
+#ifdef LTC_CLEAN_STACK
+   zeromem(private_key, sizeof(private_key));
+#endif
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_import_x509.c

@@ -0,0 +1,55 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_import_x509.c
+  Import a X25519 key from a X.509 certificate, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+static int _x25519_decode(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   if (inlen != sizeof(key->pub)) return CRYPT_PK_INVALID_SIZE;
+   XMEMCPY(key->pub, in, sizeof(key->pub));
+   return CRYPT_OK;
+}
+
+/**
+  Import a X25519 public key from a X.509 certificate
+  @param in     The DER encoded X.509 certificate
+  @param inlen  The length of the certificate
+  @param key    [out] Where to import the key to
+  @return CRYPT_OK if successful, on error all allocated memory is freed automatically
+*/
+int x25519_import_x509(const unsigned char *in, unsigned long inlen, curve25519_key *key)
+{
+   int err = CRYPT_INVALID_ARG;
+
+   LTC_ARGCHK(in  != NULL);
+   LTC_ARGCHK(key != NULL);
+
+   if ((err = x509_decode_public_key_from_certificate(in, inlen,
+                                                      PKA_X25519,
+                                                      LTC_ASN1_EOL, NULL, NULL,
+                                                      (public_key_decode_cb)_x25519_decode, key)) != CRYPT_OK) {
+      return err;
+   }
+   key->type = PK_PUBLIC;
+   key->algo = PKA_X25519;
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_make_key.c

@@ -0,0 +1,52 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_make_key.c
+  Create a X25519 key, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Create a X25519 key
+   @param prng     An active PRNG state
+   @param wprng    The index of the PRNG desired
+   @param key      [out] Destination of a newly created private key pair
+   @return CRYPT_OK if successful
+*/
+int x25519_make_key(prng_state *prng, int wprng, curve25519_key *key)
+{
+   int err;
+
+   LTC_ARGCHK(prng != NULL);
+   LTC_ARGCHK(key  != NULL);
+
+   if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
+      return err;
+   }
+
+   if (prng_descriptor[wprng].read(key->priv, sizeof(key->priv), prng) != sizeof(key->priv)) {
+      return CRYPT_ERROR_READPRNG;
+   }
+
+   crypto_scalarmult_base(key->pub, key->priv);
+
+   key->type = PK_PRIVATE;
+   key->algo = PKA_X25519;
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_set_ku.c

@@ -0,0 +1,65 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_set_ku.c
+  Set the parameters of a X25519 key, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Set the parameters of a X25519 key
+
+   In case k and u are given it is validated that u is really the
+   corresponding public part of the key pair
+
+   @param k        The k value (a.k.a scalar or private part)
+   @param klen     The length of k
+   @param u        The u-coordinate (a.k.a public part)
+   @param ulen     The length of u
+   @param key      [out] Destination of the key
+   @return CRYPT_OK if successful
+*/
+int x25519_set_ku(const unsigned char *k, unsigned long klen,
+                  const unsigned char *u, unsigned long ulen,
+                           curve25519_key *key)
+{
+   LTC_ARGCHK(key != NULL);
+
+   if (k != NULL) {
+      LTC_ARGCHK(klen == 32uL);
+      XMEMCPY(key->priv, k, sizeof(key->priv));
+      crypto_scalarmult_base(key->pub, key->priv);
+      if (u != NULL) {
+         LTC_ARGCHK(ulen == 32uL);
+         if (XMEM_NEQ(u, key->pub, sizeof(key->pub)) != 0) {
+            zeromem(key, sizeof(*key));
+            return CRYPT_INVALID_ARG;
+         }
+      }
+      key->type = PK_PRIVATE;
+   } else if (u != NULL) {
+      LTC_ARGCHK(ulen == 32uL);
+      XMEMCPY(key->pub, u, sizeof(key->pub));
+      key->type = PK_PUBLIC;
+   } else {
+      return CRYPT_INVALID_ARG;
+   }
+   key->algo = PKA_X25519;
+
+   return CRYPT_OK;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/x25519/x25519_shared_secret.c

@@ -0,0 +1,52 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x25519_shared_secret.c
+  Create a X25519 shared secret, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+/**
+   Create a X25519 shared secret.
+   @param private_key     The private Curve25519 key in the pair
+   @param public_key      The public Curve25519 key in the pair
+   @param out             [out] The destination of the shared data
+   @param outlen          [in/out] The max size and resulting size of the shared data.
+   @return CRYPT_OK if successful
+*/
+int x25519_shared_secret(const    curve25519_key *private_key,
+                         const    curve25519_key *public_key,
+                               unsigned char *out, unsigned long *outlen)
+{
+   LTC_ARGCHK(private_key        != NULL);
+   LTC_ARGCHK(public_key         != NULL);
+   LTC_ARGCHK(out                != NULL);
+   LTC_ARGCHK(outlen             != NULL);
+
+   if(private_key->type != PK_PRIVATE) return CRYPT_PK_INVALID_TYPE;
+
+   if(*outlen < 32uL) {
+      *outlen = 32uL;
+      return CRYPT_BUFFER_OVERFLOW;
+   }
+
+   crypto_scalarmult(out, private_key->priv, public_key->pub);
+   *outlen = 32uL;
+
+   return CRYPT_OK;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

tests/ed25519_test.c

@@ -0,0 +1,239 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_test.h"
+
+/**
+  @file ed25519_test.c
+  Ed25519 tests, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+static int _rfc_8410_10_test(void)
+{
+   const struct {
+      const char* b64;
+      int type;
+   } rfc_8410_10[] = {
+                         /* RFC 8410 - 10.1.  Example Ed25519 Public Key */
+                       { "MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=", PK_PUBLIC | PK_STD },
+                         /* Okay this is not from RFC 8410, but a custom generated certificate with Ed25519 Public Key.
+                          * Since RFC 8410 has no testvector for that case, one had to be created.
+                          * ( openssl req -verbose -new -x509 -subj "/CN=Public domain ed25519 self-signed certificate" -days 36525 -key <( openssl genpkey -algorithm ed25519 2>/dev/null | tee /dev/fd/3) | openssl x509  ) 3>&1
+                          * Thx @vdukhovni
+                          */
+                       { "MIIBhDCCATagAwIBAgIUHDa8kJUZeCuIhknPJ/wDeBW6gZgwBQYDK2VwMDgxNjA0"
+                         "BgNVBAMMLVB1YmxpYyBkb21haW4gZWQyNTUxOSBzZWxmLXNpZ25lZCBjZXJ0aWZp"
+                         "Y2F0ZTAgFw0xOTA1MjMyMTAxMTZaGA8yMTE5MDUyNDIxMDExNlowODE2MDQGA1UE"
+                         "AwwtUHVibGljIGRvbWFpbiBlZDI1NTE5IHNlbGYtc2lnbmVkIGNlcnRpZmljYXRl"
+                         "MCowBQYDK2VwAyEAUEiKvHT0KHXOtNjIhaImokxbiog+Ki6lcgce05tf9UKjUDBO"
+                         "MB0GA1UdDgQWBBS3fmpWaPK2fNpblEmg4tG4ZHO2BDAfBgNVHSMEGDAWgBS3fmpW"
+                         "aPK2fNpblEmg4tG4ZHO2BDAMBgNVHRMEBTADAQH/MAUGAytlcANBADOnwkj8etmx"
+                         "mTaXUP29RaenxpN8dQoQ4wnnIJwxQxTcVWOt2PlUxCFoB9gs0+YZOzhXnQg4hfqk"
+                         "t/HPExwoZQg=", -2 },
+                         /* RFC 8410 - 10.3.  Examples of Ed25519 Private Key */
+                       { "MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC", PK_PRIVATE | PK_STD },
+                         /* RFC 8410 - 10.3.  Examples of Ed25519 Private Key with attribute */
+                       { "MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC"
+                         "oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB"
+                         "Z9w7lshQhqowtrbLDFw4rXAxZuE=", -1 },
+   };
+   unsigned n;
+   curve25519_key key;
+   unsigned char buf[1024];
+   char tmp[512];
+   unsigned long buflen, tmplen;
+   for (n = 0; n < sizeof(rfc_8410_10)/sizeof(rfc_8410_10[0]); ++n) {
+      buflen = sizeof(buf);
+      DO(base64_decode(rfc_8410_10[n].b64, strlen(rfc_8410_10[n].b64), buf, &buflen));
+      if (rfc_8410_10[n].type == -2) {
+         DO(ed25519_import_x509(buf, buflen, &key));
+      } else {
+         DO(ed25519_import(buf, buflen, &key));
+      }
+      zeromem(buf, sizeof(buf));
+      if (rfc_8410_10[n].type > 0) {
+         buflen = sizeof(buf);
+         DO(ed25519_export(buf, &buflen, rfc_8410_10[n].type, &key));
+         tmplen = sizeof(tmp);
+         DO(base64_encode(buf, buflen, tmp, &tmplen));
+         DO(do_compare_testvector(tmp, tmplen, rfc_8410_10[n].b64, strlen(rfc_8410_10[n].b64), "Ed25519 export-import", n));
+      }
+   }
+   return CRYPT_OK;
+}
+
+typedef struct {
+   const char* secret_key;
+   const char* public_key;
+   const char* message;
+   const char* signature;
+} rfc_8032_7_1_t;
+
+static int _rfc_8032_7_1_test(void)
+{
+   const rfc_8032_7_1_t rfc_8032_7_1[] = {
+      {
+         /* SECRET KEY */
+         "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
+         /* PUBLIC KEY */
+         "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+         /* MESSAGE (length 0 bytes) */
+         "",
+         /* SIGNATURE */
+         "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
+         "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b"
+      },
+      {
+         /* SECRET KEY */
+         "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+         /* PUBLIC KEY */
+         "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+         /* MESSAGE (length 1 byte) */
+         "72",
+         /* SIGNATURE */
+         "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da"
+         "085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00"
+      },
+      {
+         /* SECRET KEY */
+         "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7",
+         /* PUBLIC KEY */
+         "fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+         /* MESSAGE (length 2 bytes) */
+         "af82",
+         /* SIGNATURE */
+         "6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac"
+         "18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a"
+      },
+      {
+         /* SECRET KEY */
+         "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
+         /* PUBLIC KEY */
+         "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+         /* MESSAGE (length 1023 bytes) */
+         "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98"
+         "fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8"
+         "79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d"
+         "658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc"
+         "1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe"
+         "ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e"
+         "06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef"
+         "efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7"
+         "aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
+         "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2"
+         "d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24"
+         "554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270"
+         "88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc"
+         "2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07"
+         "07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba"
+         "b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a"
+         "ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e"
+         "c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
+         "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c"
+         "42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8"
+         "ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df"
+         "f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08"
+         "d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649"
+         "de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4"
+         "88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3"
+         "2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e"
+         "6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
+         "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5"
+         "0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1"
+         "369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d"
+         "b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c"
+         "0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0",
+         /* SIGNATURE */
+         "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350"
+         "aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03"
+      },
+      {
+         /* SECRET KEY */
+         "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
+         /* PUBLIC KEY */
+         "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
+         /* MESSAGE (length 64 bytes) */
+         "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
+         "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
+         /* SIGNATURE */
+         "dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589"
+         "09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704"
+      }
+   };
+   unsigned int n;
+   unsigned long mlen, slen, plen, siglen, buflen;
+   unsigned char msg[1024], sec[32], pub[32], sig[64], buf[64];
+   curve25519_key key, key2;
+   int ret;
+   const int should = 1;
+   for (n = 0; n < sizeof(rfc_8032_7_1)/sizeof(rfc_8032_7_1[0]); ++n) {
+      slen = sizeof(sec);
+      DO(base16_decode(rfc_8032_7_1[n].secret_key, strlen(rfc_8032_7_1[n].secret_key), sec, &slen));
+      plen = sizeof(pub);
+      DO(base16_decode(rfc_8032_7_1[n].public_key, strlen(rfc_8032_7_1[n].public_key), pub, &plen));
+      mlen = sizeof(msg);
+      DO(base16_decode(rfc_8032_7_1[n].message, strlen(rfc_8032_7_1[n].message), msg, &mlen));
+      siglen = sizeof(sig);
+      DO(base16_decode(rfc_8032_7_1[n].signature, strlen(rfc_8032_7_1[n].signature), sig, &siglen));
+      DO(ed25519_set_key(sec, slen, pub, plen, &key));
+      buflen = sizeof(buf);
+      DO(ed25519_sign(msg, mlen, buf, &buflen, &key));
+      DO(do_compare_testvector(buf, buflen, sig, siglen, "Ed25519 RFC8032 7.1 - sign", n));
+      DO(ed25519_verify(msg, mlen, sig, siglen, &ret, &key));
+      DO(do_compare_testvector(&ret, sizeof(ret), &should, sizeof(should), "Ed25519 RFC8032 7.1 - verify w/ privkey", n));
+
+      plen = sizeof(pub);
+      DO(base16_decode(rfc_8032_7_1[n].public_key, strlen(rfc_8032_7_1[n].public_key), pub, &plen));
+      mlen = sizeof(msg);
+      DO(base16_decode(rfc_8032_7_1[n].message, strlen(rfc_8032_7_1[n].message), msg, &mlen));
+      siglen = sizeof(sig);
+      DO(base16_decode(rfc_8032_7_1[n].signature, strlen(rfc_8032_7_1[n].signature), sig, &siglen));
+      DO(ed25519_set_key(NULL, 0, pub, plen, &key2));
+      DO(ed25519_verify(msg, mlen, sig, siglen, &ret, &key2));
+      DO(do_compare_testvector(&ret, sizeof(ret), &should, sizeof(should), "Ed25519 RFC8032 7.1 - verify w/ pubkey", n));
+
+      zeromem(&key, sizeof(key));
+      zeromem(&key2, sizeof(key2));
+   }
+   return CRYPT_OK;
+}
+
+/**
+  Test the ed25519 system
+  @return CRYPT_OK if successful
+*/
+int ed25519_test(void)
+{
+   int ret;
+
+   if (ltc_mp.name == NULL) return CRYPT_NOP;
+
+   if ((ret = _rfc_8410_10_test()) != CRYPT_OK) {
+      return ret;
+   }
+   if ((ret = _rfc_8032_7_1_test()) != CRYPT_OK) {
+      return ret;
+   }
+
+   return ret;
+}
+
+#else
+
+int ed25519_test(void)
+{
+   return CRYPT_NOP;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

tests/test.c

@@ -38,6 +38,8 @@ static const test_function test_functions[] =
       LTC_TEST_FN(dh_test),
       LTC_TEST_FN(ecc_test),
       LTC_TEST_FN(dsa_test),
+      LTC_TEST_FN(ed25519_test),
+      LTC_TEST_FN(x25519_test),
       LTC_TEST_FN(file_test),
       LTC_TEST_FN(multi_test),
       /* keep the prng_test always at the end as

tests/tomcrypt_test.h

@@ -44,6 +44,8 @@ int multi_test(void);
 int prng_test(void);
 int mpi_test(void);
 int padding_test(void);
+int x25519_test(void);
+int ed25519_test(void);
 int ssh_test(void);
 
 #ifdef LTC_PKCS_1

tests/x25519_test.c

@@ -0,0 +1,222 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_test.h"
+
+/**
+  @file x25519_test.c
+  x25519 tests, Steffen Jaeckel
+*/
+
+#ifdef LTC_CURVE25519
+
+static int _rfc_7748_5_2_test(void)
+{
+   /* RFC 7748 Ch. 5.2 */
+   const struct {
+      unsigned char scalar[32];
+      unsigned char u_in[32];
+      unsigned char u_out[32];
+   } rfc_7748_5_2[] = {
+        {
+           {  0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
+              0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
+              0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
+              0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
+           {  0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
+              0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
+              0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
+              0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
+           {  0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
+              0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
+              0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
+              0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 }
+        },
+        {
+           {  0x4b, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
+              0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
+              0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
+              0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x0d },
+           {  0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
+              0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
+              0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
+              0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x93 },
+           {  0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
+              0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
+              0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
+              0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 }
+        }
+   };
+   unsigned char out[32];
+   unsigned long n;
+
+   for (n = 0; n < sizeof(rfc_7748_5_2)/sizeof(rfc_7748_5_2[0]); ++n) {
+      crypto_scalarmult(out, rfc_7748_5_2[n].scalar, rfc_7748_5_2[n].u_in);
+      if (compare_testvector(out, sizeof(out), rfc_7748_5_2[n].u_out, sizeof(rfc_7748_5_2[n].u_out), "x25519 RFC 7748 Ch. 5.2", n) != 0) {
+         return CRYPT_FAIL_TESTVECTOR;
+      }
+   }
+   return CRYPT_OK;
+}
+
+static int _rfc_7748_6_test(void)
+{
+   /* RFC 7748 Ch. 6 */
+   const unsigned char alice_private[] = {
+      0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d,
+      0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45,
+      0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a,
+      0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a
+   };
+   const unsigned char alice_public[] = {
+      0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
+      0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
+      0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
+      0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a
+   };
+   const unsigned char bob_private[] = {
+      0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b,
+      0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6,
+      0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd,
+      0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb
+   };
+   const unsigned char bob_public[] = {
+      0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4,
+      0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37,
+      0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d,
+      0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f
+   };
+   const unsigned char shared_secret[] = {
+      0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
+      0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
+      0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
+      0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42
+   };
+   curve25519_key alice_priv, alice_pub, bob_priv, bob_pub;
+   unsigned char buf[32];
+   unsigned long buflen = sizeof(buf);
+
+   DO(x25519_set_ku(alice_private, sizeof(alice_private), alice_public, sizeof(alice_public), &alice_priv));
+   DO(x25519_set_ku(bob_private, sizeof(bob_private), bob_public, sizeof(bob_public), &bob_priv));
+   DO(x25519_set_ku(NULL, 0, alice_public, sizeof(alice_public), &alice_pub));
+   DO(x25519_set_ku(NULL, 0, bob_public, sizeof(bob_public), &bob_pub));
+
+   DO(x25519_shared_secret(&alice_priv, &bob_pub, buf, &buflen));
+   DO(compare_testvector(buf, buflen, shared_secret, sizeof(shared_secret), "x25519 - RFC 7748 Ch. 6", 0));
+
+   XMEMSET(buf, 0, sizeof(buf));
+
+   DO(x25519_shared_secret(&bob_priv, &alice_pub, buf, &buflen));
+   DO(compare_testvector(buf, buflen, shared_secret, sizeof(shared_secret), "x25519 - RFC 7748 Ch. 6", 1));
+
+   return CRYPT_OK;
+}
+
+static int _rfc_8410_10_test(void)
+{
+   const struct {
+      const char* b64;
+   } rfc_8410_10[] = {
+                         /* RFC 8410 - 10.2.  Example X25519 Certificate */
+                       { "MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX"
+                         "N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD"
+                         "DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj"
+                         "ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg"
+                         "BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v"
+                         "/BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg"
+                         "w1AH9efZBw==" },
+   };
+   unsigned n;
+   curve25519_key key;
+   unsigned char buf[1024];
+   unsigned long buflen;
+   for (n = 0; n < sizeof(rfc_8410_10)/sizeof(rfc_8410_10[0]); ++n) {
+      buflen = sizeof(buf);
+      DO(base64_decode(rfc_8410_10[n].b64, strlen(rfc_8410_10[n].b64), buf, &buflen));
+      DO(x25519_import_x509(buf, buflen, &key));
+      zeromem(buf, sizeof(buf));
+   }
+   return CRYPT_OK;
+}
+
+static int _x25519_compat_test(void)
+{
+   curve25519_key priv, pub, imported;
+   unsigned char buf[1024];
+   unsigned long buflen = sizeof(buf);
+   int prng_idx = find_prng("yarrow");
+
+   XMEMSET(&priv, 0, sizeof(priv));
+   XMEMSET(&pub, 0, sizeof(pub));
+   XMEMSET(&imported, 0, sizeof(imported));
+
+   DO(x25519_make_key(&yarrow_prng, prng_idx, &priv));
+
+   DO(x25519_export(buf, &buflen, PK_PRIVATE, &priv));
+   DO(x25519_import(buf, buflen, &imported));
+   DO(do_compare_testvector(&priv, sizeof(priv), &imported, sizeof(imported), "priv after ex-&import", __LINE__));
+   XMEMSET(&imported, 0, sizeof(imported));
+
+   buflen = sizeof(buf);
+   DO(x25519_export(buf, &buflen, PK_PUBLIC, &priv));
+   DO(x25519_import(buf, buflen, &pub));
+
+   buflen = sizeof(buf);
+   DO(x25519_export(buf, &buflen, PK_PUBLIC | PK_STD, &priv));
+   DO(x25519_import(buf, buflen, &imported));
+
+   DO(do_compare_testvector(&pub, sizeof(pub), &imported, sizeof(imported), "pub after private ex-&import", __LINE__));
+   XMEMSET(&imported, 0, sizeof(imported));
+
+   buflen = sizeof(buf);
+   DO(x25519_export(buf, &buflen, PK_PUBLIC | PK_STD, &pub));
+   DO(x25519_import(buf, buflen, &imported));
+
+   DO(do_compare_testvector(&pub, sizeof(pub), &imported, sizeof(imported), "pub after public ex-&import", __LINE__));
+
+   return CRYPT_OK;
+}
+
+/**
+  Test the x25519 system
+  @return CRYPT_OK if successful
+*/
+int x25519_test(void)
+{
+   int ret;
+
+   if (ltc_mp.name == NULL) return CRYPT_NOP;
+
+   if ((ret = _rfc_7748_5_2_test()) != CRYPT_OK) {
+      return ret;
+   }
+   if ((ret = _rfc_7748_6_test()) != CRYPT_OK) {
+      return ret;
+   }
+   if ((ret = _rfc_8410_10_test()) != CRYPT_OK) {
+      return ret;
+   }
+   if ((ret = _x25519_compat_test()) != CRYPT_OK) {
+      return ret;
+   }
+
+   return ret;
+}
+
+#else
+
+int x25519_test(void)
+{
+   return CRYPT_NOP;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */