Document that ED25519_sign only fails on allocation failure
Change-Id: I45866c3a4aa98ebac51d4e554a22eb5add45002f
Reviewed-on: https://boringssl-review.googlesource.com/31404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/curve25519.h b/include/openssl/curve25519.h
index 9c841b6..332215b 100644
--- a/include/openssl/curve25519.h
+++ b/include/openssl/curve25519.h
@@ -79,7 +79,7 @@
// ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
// |message| using |private_key|. It returns one on success or zero on
-// error.
+// allocation failure.
OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
size_t message_len,
const uint8_t private_key[64]);
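Review bot: The revised comment on ED25519_sign names the one failure cause but still does not say what |out_sig| holds when zero is returned. The note added in third_party/fiat/curve25519.c says failure cannot happen today, so existing callers may well ignore the result. Once the implementation starts allocating, such a caller would pass on an unwritten or partially written 64-byte buffer as a signature. I would add `// On failure, the contents of |out_sig| are unspecified and must not be used.` to the comment, and consider marking the declaration `OPENSSL_WARN_UNUSED_RESULT` if the existing callers can take it.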
diff --git a/third_party/fiat/curve25519.c b/third_party/fiat/curve25519.c
index 60da1c8..58a5ed0 100644
--- a/third_party/fiat/curve25519.c
+++ b/third_party/fiat/curve25519.c
@@ -2960,6 +2960,11 @@
int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
size_t message_len, const uint8_t private_key[64]) {
+ // NOTE: The documentation on this function says that it returns zero on
+ // allocation failure. While that can't happen with the current
+ // implementation, we want to reserve the ability to allocate in this
+ // implementation in the future.
+
uint8_t az[SHA512_DIGEST_LENGTH];
SHA512(private_key, 32, az);
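Review bot: The added NOTE reserves a future zero return but does not record what such a failure path must guarantee. It sits directly above `az`, which the next line fills with the SHA-512 of the first 32 bytes of |private_key|, so that buffer is key-derived. I would extend the comment with `// Any failure path added later must leave |out_sig| unwritten and clear |az| before returning.` so that a later early return does not leave secret-derived bytes on the stack or a half-written signature. Whether the current body clears |az| before returning cannot be seen here, because the function continues past the end of the hunk.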