Add ed25519ctx and ed25519ph support

Signed-off-by: Valerii Chubar <[email protected]>
Signed-off-by: Sergiy Kibrik <[email protected]>

src/headers/tomcrypt_pk.h

@@ -358,10 +358,23 @@ int ed25519_import_pkcs8(const unsigned char *in, unsigned long inlen,
 int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
                        unsigned char  *sig, unsigned long *siglen,
                  const curve25519_key *private_key);
-
+int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
+                    unsigned char *sig, unsigned long *siglen,
+                    const char* ctx, const curve25519_key *private_key);
+int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
+                   unsigned char *sig, unsigned long *siglen,
+                   const char *ctx, const curve25519_key *private_key);
 int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
                    const  unsigned char *sig, unsigned long siglen,
                    int *stat, const curve25519_key *public_key);
+int ed25519ctx_verify(const  unsigned char *msg, unsigned long msglen,
+                      const  unsigned char *sig, unsigned long siglen,
+                      int *stat, const char* ctx,
+                      const curve25519_key *public_key);
+int ed25519ph_verify(const  unsigned char *msg, unsigned long msglen,
+                     const  unsigned char *sig, unsigned long siglen,
+                     int *stat, const char* ctx,
+                     const curve25519_key *public_key);
 
 /** X25519 Key-Exchange API */
 int x25519_make_key(prng_state *prng, int wprng, curve25519_key *key);

src/headers/tomcrypt_private.h

@@ -9,6 +9,8 @@
 
 #define LTC_PAD_MASK       (0xF000U)
 
+#define ED25519_CONTEXT_PREFIX "SigEd25519 no Ed25519 collisions"
+
 /*
  * Internal Enums
  */
@@ -331,16 +333,21 @@ int dsa_int_validate_primes(const dsa_key *key, int *stat);
 int tweetnacl_crypto_sign(
   unsigned char *sm,unsigned long long *smlen,
   const unsigned char *m,unsigned long long mlen,
-  const unsigned char *sk, const unsigned char *pk);
+  const unsigned char *sk,const unsigned char *pk,
+  const unsigned char *ctx,unsigned long long cs);
 int tweetnacl_crypto_sign_open(
   int *stat,
   unsigned char *m,unsigned long long *mlen,
   const unsigned char *sm,unsigned long long smlen,
+  const unsigned char *ctx, unsigned long cs,
   const unsigned char *pk);
 int tweetnacl_crypto_sign_keypair(prng_state *prng, int wprng, unsigned char *pk,unsigned char *sk);
 int tweetnacl_crypto_sk_to_pk(unsigned char *pk, const unsigned char *sk);
 int tweetnacl_crypto_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p);
 int tweetnacl_crypto_scalarmult_base(unsigned char *q,const unsigned char *n);
+int tweetnacl_crypto_ph(unsigned char *out, const unsigned char *msg, unsigned long msglen);
+int tweetnacl_crypto_ctx(unsigned char *out, unsigned long *outlen,
+                       unsigned char flag, const char *pr, const char* ctx);
 
 typedef int (*sk_to_pk)(unsigned char *pk ,const unsigned char *sk);
 int ec25519_import_pkcs8(const unsigned char *in, unsigned long inlen,

src/pk/ec25519/tweetnacl.c

@@ -235,6 +235,27 @@ static int tweetnacl_crypto_hash(u8 *out,const u8 *m,u64 n)
   return 0;
 }
 
+static int tweetnacl_crypto_hash_ctx(u8 *out,const u8 *m,u64 n,const u8 *ctx,u32 cs)
+{
+  unsigned long len;
+  int err;
+  u8 buf[512];
+
+  if(cs == 0)
+    return tweetnacl_crypto_hash(out,m,n);
+
+  len = n + cs;
+  if (len > 512) return CRYPT_HASH_OVERFLOW;
+
+  XMEMCPY(buf,ctx,cs);
+  XMEMCPY(buf+cs,m,n);
+
+  err = tweetnacl_crypto_hash(out,buf,len);
+  zeromem(buf, len);
+
+  return err;
+}
+
 sv add(gf p[4],gf q[4])
 {
   gf a,b,c,d,t,e,f,g,h;
@@ -376,7 +397,7 @@ sv reduce(u8 *r)
   modL(r,x);
 }
 
-int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,const u8 *pk)
+int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,const u8 *pk, const u8 *ctx, u64 cs)
 {
   u8 d[64],h[64],r[64];
   i64 i,j,x[64];
@@ -391,13 +412,13 @@ int tweetnacl_crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 mlen,const u8 *sk,co
   FOR(i,(i64)mlen) sm[64 + i] = m[i];
   FOR(i,32) sm[32 + i] = d[32 + i];
 
-  tweetnacl_crypto_hash(r, sm+32, mlen+32);
+  tweetnacl_crypto_hash_ctx(r, sm+32, mlen+32,ctx,cs);
   reduce(r);
   scalarbase(p,r);
   pack(sm,p);
 
   FOR(i,32) sm[i+32] = pk[i];
-  tweetnacl_crypto_hash(h,sm,mlen + 64);
+  tweetnacl_crypto_hash_ctx(h,sm,mlen + 64,ctx,cs);
   reduce(h);
 
   FOR(i,64) x[i] = 0;
@@ -444,7 +465,7 @@ static int unpackneg(gf r[4],const u8 p[32])
   return 0;
 }
 
-int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *pk)
+int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen,const u8 *ctx,size_t cs,const u8 *pk)
 {
   u64 i;
   u8 s[32],t[32],h[64];
@@ -460,7 +481,7 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
   XMEMMOVE(m,sm,smlen);
   XMEMMOVE(s,m + 32,32);
   XMEMMOVE(m + 32,pk,32);
-  tweetnacl_crypto_hash(h,m,smlen);
+  tweetnacl_crypto_hash_ctx(h,m,smlen,ctx,cs);
   reduce(h);
   scalarmult(p,q,h);
 
@@ -480,3 +501,43 @@ int tweetnacl_crypto_sign_open(int *stat, u8 *m,u64 *mlen,const u8 *sm,u64 smlen
   *mlen = smlen;
   return CRYPT_OK;
 }
+
+int tweetnacl_crypto_ph(u8 *out,const u8 *msg,size_t msglen)
+{
+  hash_state md;
+
+  sha512_init(&md);
+
+  if(sha512_process(&md, msg, msglen) != CRYPT_OK)
+    return CRYPT_INVALID_ARG;
+
+  if(sha512_done(&md, out) != CRYPT_OK)
+    return CRYPT_INVALID_ARG;
+
+  return CRYPT_OK;
+}
+
+int tweetnacl_crypto_ctx(u8 *out,size_t *outlen,u8 flag,const char *pr, const char *ctx)
+{
+  u8 *buf = out;
+  const int ctx_prefix_len = strlen(pr);
+  const int ctxlen = ctx ? strlen(ctx) : 0;
+
+  if(ctxlen > 255) return CRYPT_INPUT_TOO_LONG;
+
+  XMEMCPY(buf, pr, ctx_prefix_len);
+  buf += ctx_prefix_len;
+  XMEMCPY(buf, &flag, 1);
+  buf++;
+  XMEMCPY(buf, &ctxlen, 1);
+  buf++;
+
+  if(ctxlen > 0) {
+    XMEMCPY(buf, ctx, ctxlen);
+    buf += ctxlen;
+  }
+
+  *outlen = buf-out;
+
+  return CRYPT_OK;
+}

src/pk/ed25519/ed25519_sign.c

@@ -9,17 +9,10 @@
 
 #ifdef LTC_CURVE25519
 
-/**
-   Create an Ed25519 signature.
-   @param private_key     The private Ed25519 key in the pair
-   @param public_key      The public Ed25519 key in the pair
-   @param out             [out] The destination of the shared data
-   @param outlen          [in/out] The max size and resulting size of the shared data.
-   @return CRYPT_OK if successful
-*/
-int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
-                       unsigned char  *sig, unsigned long *siglen,
-                 const curve25519_key *private_key)
+static int ed25519_sign_private(const unsigned char *msg, unsigned long msglen,
+                       unsigned char *sig, unsigned long *siglen,
+                          const char* ctx, unsigned long ctxlen,
+                          const curve25519_key *private_key)
 {
    unsigned char *s;
    unsigned long long smlen;
@@ -44,7 +37,8 @@ int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
 
    err = tweetnacl_crypto_sign(s, &smlen,
                                msg, msglen,
-                               private_key->priv, private_key->pub);
+                               private_key->priv, private_key->pub,
+                               ctx, ctxlen);
 
    XMEMCPY(sig, s, 64uL);
    *siglen = 64uL;
@@ -57,4 +51,79 @@ int ed25519_sign(const unsigned char  *msg, unsigned long msglen,
    return err;
 }
 
+/**
+   Create an Ed25519ctx signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param ctx             [in] The context is a constant null terminated string
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ctx_sign(const unsigned char *msg, unsigned long msglen,
+                          unsigned char *sig, unsigned long *siglen,
+                    const char* ctx, const curve25519_key *private_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   LTC_ARGCHK(ctx != NULL);
+
+   if(tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 0,
+                           ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
+                               ctx_prefix_size, private_key);
+}
+
+/**
+   Create an Ed25519ph signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param ctx             [in] The context is a constant null terminated string
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ph_sign(const unsigned char *msg, unsigned long msglen,
+                         unsigned char *sig, unsigned long *siglen,
+                   const char *ctx, const curve25519_key *private_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned char msg_hash[64] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   if (tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1,
+                            ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   if (tweetnacl_crypto_ph(msg_hash, msg, msglen) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   msg = msg_hash;
+   msglen = 64;
+
+   return ed25519_sign_private(msg, msglen, sig, siglen, ctx_prefix,
+                               ctx_prefix_size, private_key);
+}
+
+/**
+   Create an Ed25519 signature.
+   @param msg             The data to be signed
+   @param msglen          [in] The size of the date to be signed
+   @param sig             [out] The destination of the shared data
+   @param siglen          [in/out] The max size and resulting size of the shared data.
+   @param private_key     The private Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519_sign(const unsigned char *msg, unsigned long msglen,
+                       unsigned char *sig, unsigned long *siglen,
+                 const curve25519_key *private_key)
+{
+   return ed25519_sign_private(msg, msglen, sig, siglen, 0, 0, private_key);
+}
+
 #endif

src/pk/ed25519/ed25519_verify.c

@@ -9,18 +9,12 @@
 
 #ifdef LTC_CURVE25519
 
-/**
-   Verify an Ed25519 signature.
-   @param private_key     The private Ed25519 key in the pair
-   @param public_key      The public Ed25519 key in the pair
-   @param out             [out] The destination of the shared data
-   @param outlen          [in/out] The max size and resulting size of the shared data.
-   @param stat            [out] The result of the signature verification, 1==valid, 0==invalid
-   @return CRYPT_OK if successful
-*/
-int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
-                   const  unsigned char *sig, unsigned long siglen,
-                   int *stat, const curve25519_key *public_key)
+static int ed25519_verify_private(
+                   const unsigned char *msg, unsigned long msglen,
+                   const unsigned char *sig, unsigned long siglen,
+                   int *stat,
+                   const char *ctx, unsigned long ctxlen,
+                   const curve25519_key *public_key)
 {
    unsigned char* m;
    unsigned long long mlen;
@@ -48,6 +42,7 @@ int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
    err = tweetnacl_crypto_sign_open(stat,
                                     m, &mlen,
                                     m, mlen,
+                                    ctx, ctxlen,
                                     public_key->pub);
 
 #ifdef LTC_CLEAN_STACK
@@ -58,4 +53,83 @@ int ed25519_verify(const  unsigned char *msg, unsigned long msglen,
    return err;
 }
 
+/**
+   Verify an Ed25519 signature.
+   @param sig             [in] The signature to be verified
+   @param siglen          [in] The size of the signature to be verified
+   @param stat            [out] The result of the signature verification, 1==valid, 0==invalid
+   @param ctx             [in] The context is a constant null terminated string
+   @param public_key      [in] The public Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ctx_verify(const unsigned char *msg, unsigned long msglen,
+                      const unsigned char *sig, unsigned long siglen,
+                      int *stat, const char *ctx,
+                      const curve25519_key *public_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   LTC_ARGCHK(ctx != NULL);
+
+   if(tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 0,
+                           ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   return ed25519_verify_private(msg, msglen, sig, siglen, stat,
+                                 ctx_prefix, ctx_prefix_size, public_key);
+}
+
+/**
+   Verify an Ed25519 signature.
+   @param msg             [in] The data to be signed
+   @param msglen          [in] The size of the data to be signed
+   @param sig             [in] The signature to be verified
+   @param siglen          [in] The size of the signature to be verified
+   @param stat            [out] The result of the signature verification, 1==valid, 0==invalid
+   @param ctx             [in] The context is a constant null terminated string
+   @param public_key      [in] The public Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519ph_verify(const unsigned char *msg, unsigned long msglen,
+                     const unsigned char *sig, unsigned long siglen,
+                     int *stat, const char *ctx,
+                     const curve25519_key *public_key)
+{
+   unsigned char ctx_prefix[512] = {0};
+   unsigned char msg_hash[64] = {0};
+   unsigned long ctx_prefix_size = 0;
+
+   if(tweetnacl_crypto_ctx(ctx_prefix, &ctx_prefix_size, 1,
+                           ED25519_CONTEXT_PREFIX, ctx) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   if (tweetnacl_crypto_ph(msg_hash, msg, msglen) != CRYPT_OK)
+      return CRYPT_INVALID_ARG;
+
+   msg = msg_hash;
+   msglen = 64;
+
+   return ed25519_verify_private(msg, msglen, sig, siglen, stat,
+                                 ctx_prefix, ctx_prefix_size, public_key);
+}
+
+/**
+   Verify an Ed25519 signature.
+   @param msg             [in] The data to be signed
+   @param msglen          [in] The size of the data to be signed
+   @param sig             [in] The signature to be verified
+   @param siglen          [in] The size of the signature to be verified
+   @param stat            [out] The result of the signature verification, 1==valid, 0==invalid
+   @param public_key      [in] The public Ed25519 key in the pair
+   @return CRYPT_OK if successful
+*/
+int ed25519_verify(const unsigned char *msg, unsigned long msglen,
+                   const unsigned char *sig, unsigned long siglen,
+                   int *stat, const curve25519_key *public_key)
+{
+   return ed25519_verify_private(msg, msglen, sig, siglen,
+                                 stat, 0, 0, public_key);
+}
+
 #endif

tests/ed25519_test.c

@@ -93,11 +93,12 @@ typedef struct {
    const char* public_key;
    const char* message;
    const char* signature;
-} rfc_8032_7_1_t;
+   const char* context;
+} rfc_8032_7_t;
 
 static int s_rfc_8032_7_1_test(void)
 {
-   const rfc_8032_7_1_t rfc_8032_7_1[] = {
+   const rfc_8032_7_t rfc_8032_7_1[] = {
       {
          /* SECRET KEY */
          "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
@@ -231,6 +232,147 @@ static int s_rfc_8032_7_1_test(void)
    return CRYPT_OK;
 }
 
+static int s_rfc_8032_7_2_test(void)
+{
+   const rfc_8032_7_t rfc_8032_7_2[] = {
+       {
+         /* SECRET KEY */
+         "0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6",
+         /* PUBLIC KEY */
+         "dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292",
+         /* MESSAGE (length 16 bytes) */
+         "f726936d19c800494e3fdaff20b276a8",
+         /* SIGNATURE */
+         "55a4cc2f70a54e04288c5f4cd1e45a7bb520b36292911876cada7323198dd87a"
+         "8b36950b95130022907a7fb7c4e9b2d5f6cca685a587b4b21f4b888e4e7edb0d",
+         /* CONTEXT */
+         "666f6f",
+      },
+      {
+         /* SECRET KEY */
+         "0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6",
+         /* PUBLIC KEY */
+         "dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292",
+         /* MESSAGE (length 16 bytes) */
+         "f726936d19c800494e3fdaff20b276a8",
+         /* SIGNATURE */
+         "fc60d5872fc46b3aa69f8b5b4351d5808f92bcc044606db097abab6dbcb1aee3"
+         "216c48e8b3b66431b5b186d1d28f8ee15a5ca2df6668346291c2043d4eb3e90d",
+         /* CONTEXT */
+         "626172",
+      },
+      {
+         /* SECRET KEY */
+         "0305334e381af78f141cb666f6199f57bc3495335a256a95bd2a55bf546663f6",
+         /* PUBLIC KEY */
+         "dfc9425e4f968f7f0c29f0259cf5f9aed6851c2bb4ad8bfb860cfee0ab248292",
+         /* MESSAGE (length 16 bytes) */
+         "508e9e6882b979fea900f62adceaca35",
+         /* SIGNATURE */
+         "8b70c1cc8310e1de20ac53ce28ae6e7207f33c3295e03bb5c0732a1d20dc6490"
+         "8922a8b052cf99b7c4fe107a5abb5b2c4085ae75890d02df26269d8945f84b0b",
+         /* CONTEXT */
+         "666f6f",
+      },
+      {
+         /* SECRET KEY */
+         "ab9c2853ce297ddab85c993b3ae14bcad39b2c682beabc27d6d4eb20711d6560",
+         /* PUBLIC KEY */
+         "0f1d1274943b91415889152e893d80e93275a1fc0b65fd71b4b0dda10ad7d772",
+         /* MESSAGE (length 16 bytes) */
+         "f726936d19c800494e3fdaff20b276a8",
+         /* SIGNATURE */
+         "21655b5f1aa965996b3f97b3c849eafba922a0a62992f73b3d1b73106a84ad85"
+         "e9b86a7b6005ea868337ff2d20a7f5fbd4cd10b0be49a68da2b2e0dc0ad8960f",
+         /* CONTEXT */
+         "666f6f",
+      }
+   };
+
+   unsigned int n;
+   unsigned long mlen, slen, plen, siglen, buflen, ctxlen;
+   unsigned char msg[1024], sec[32], pub[32], sig[64], buf[64], ctx[64];
+   curve25519_key key, key2;
+   int ret;
+   const int should = 1;
+
+   for (n = 0; n < sizeof(rfc_8032_7_2)/sizeof(rfc_8032_7_2[0]); ++n) {
+      slen = sizeof(sec);
+      DO(base16_decode(rfc_8032_7_2[n].secret_key, XSTRLEN(rfc_8032_7_2[n].secret_key), sec, &slen));
+      plen = sizeof(pub);
+      DO(base16_decode(rfc_8032_7_2[n].public_key, XSTRLEN(rfc_8032_7_2[n].public_key), pub, &plen));
+      mlen = sizeof(msg);
+      DO(base16_decode(rfc_8032_7_2[n].message, XSTRLEN(rfc_8032_7_2[n].message), msg, &mlen));
+      siglen = sizeof(sig);
+      DO(base16_decode(rfc_8032_7_2[n].signature, XSTRLEN(rfc_8032_7_2[n].signature), sig, &siglen));
+      DO(base16_decode(rfc_8032_7_2[n].context, XSTRLEN(rfc_8032_7_2[n].context), ctx, &ctxlen));
+      ctx[ctxlen] = 0;
+      buflen = sizeof(buf);
+
+      DO(ed25519_import_raw(sec, slen, PK_PRIVATE, &key));
+      DO(ed25519ctx_sign(msg, mlen, buf, &buflen, ctx, &key));
+      DO(do_compare_testvector(buf, buflen, sig, siglen, "Ed25519 RFC8032 7.2 - sign", n));
+      DO(ed25519ctx_verify(msg, mlen, buf, buflen, &ret, ctx, &key));
+      ENSUREX(ret == should, "Ed25519 RFC8032 7.2 - verify w/ privkey");
+
+      DO(ed25519_import_raw(pub, plen, PK_PUBLIC, &key2));
+      DO(ed25519ctx_verify(msg, mlen, sig, siglen, &ret, ctx, &key2));
+      ENSUREX(ret == should, "Ed25519 RFC8032 7.2 - verify w/ pubkey");
+
+      xor_shuffle(buf, buflen, 0x4);
+      DO( ed25519ctx_verify(msg, mlen, buf, buflen, &ret, ctx, &key));
+      ENSUREX(ret != 1, "ed25519_verify is expected to fail on the modified signature");
+      xor_shuffle(msg, mlen, 0x8);
+      DO( ed25519ctx_verify(msg, mlen, buf, buflen, &ret, ctx, &key));
+      ENSUREX(ret != 1, "ed25519_verify is expected to fail on the modified message");
+
+      zeromem(&key, sizeof(key));
+      zeromem(&key2, sizeof(key2));
+   }
+
+   return CRYPT_OK;
+}
+
+static int s_rfc_8032_7_3_test(void)
+{
+   const rfc_8032_7_t rfc_8032_7_3[] = {
+      {
+         /* SECRET KEY */
+         "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
+         /* PUBLIC KEY */
+         "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
+         /* MESSAGE (length 16 bytes) */
+         "616263",
+         /* SIGNATURE */
+         "98a70222f0b8121aa9d30f813d683f809e462b469c7ff87639499bb94e6dae41"
+         "31f85042463c2a355a2003d062adf5aaa10b8c61e636062aaad11c2a26083406",
+      },
+   };
+
+   unsigned long mlen, slen, plen, siglen, buflen, ctxlen;
+   unsigned char msg[1024], sec[32], pub[32], sig[64], buf[64];
+   curve25519_key key, key2;
+   int ret;
+   const int should = 1;
+
+   slen = sizeof(sec);
+   DO(base16_decode(rfc_8032_7_3[0].secret_key, XSTRLEN(rfc_8032_7_3[0].secret_key), sec, &slen));
+   plen = sizeof(pub);
+   DO(base16_decode(rfc_8032_7_3[0].public_key, XSTRLEN(rfc_8032_7_3[0].public_key), pub, &plen));
+   mlen = sizeof(msg);
+   DO(base16_decode(rfc_8032_7_3[0].message, XSTRLEN(rfc_8032_7_3[0].message), msg, &mlen));
+   siglen = sizeof(sig);
+   DO(base16_decode(rfc_8032_7_3[0].signature, XSTRLEN(rfc_8032_7_3[0].signature), sig, &siglen));
+
+   DO(ed25519_import_raw(sec, slen, PK_PRIVATE, &key));
+   DO(ed25519ph_sign(msg, mlen, buf, &buflen, 0, &key));
+   DO(do_compare_testvector(buf, buflen, sig, siglen, "Ed25519 RFC8032 7.3 - sign", 0));
+   DO(ed25519ph_verify(msg, mlen, buf, buflen, &ret, 0, &key));
+   ENSUREX(ret == should, "Ed25519 RFC8032 7.3 - verify w/ privkey");
+
+   return CRYPT_OK;
+}
+
 /**
   Test the ed25519 system
   @return CRYPT_OK if successful
@@ -252,6 +394,12 @@ int ed25519_test(void)
    if ((ret = s_rfc_8032_7_1_test()) != CRYPT_OK) {
       return ret;
    }
+   if ((ret = s_rfc_8032_7_2_test()) != CRYPT_OK) {
+      return ret;
+   }
+   if ((ret = s_rfc_8032_7_3_test()) != CRYPT_OK) {
+      return ret;
+   }
 
    return ret;
 }