Enable Ed25519 when building with OPENSSL_SMALL. OPENSSL_SMALL will still cause the smaller base-point table to be used and so won't be as fast at signing as the full version, but Ed25519 will now work in those builds. Without OPENSSL_SMALL: Did 20000 Ed25519 key generation operations in 1008347us (19834.4 ops/sec) Did 20000 Ed25519 signing operations in 1025594us (19500.9 ops/sec) Did 6138 Ed25519 verify operations in 1001712us (6127.5 ops/sec) Did 21000 Curve25519 base-point multiplication operations in 1019237us (20603.6 ops/sec) Did 7095 Curve25519 arbitrary point multiplication operations in 1065986us (6655.8 ops/sec) With (on the same machine): Did 8415 Ed25519 key generation operations in 1020958us (8242.3 ops/sec) Did 8952 Ed25519 signing operations in 1077635us (8307.1 ops/sec) Did 6358 Ed25519 verify operations in 1047533us (6069.5 ops/sec) Did 6620 Curve25519 base-point multiplication operations in 1008922us (6561.5 ops/sec) Did 7183 Curve25519 arbitrary point multiplication operations in 1096285us (6552.1 ops/sec) Change-Id: Ib443c0e2bdfd11e044087e66efd55b651a5667e7 Reviewed-on: https://boringssl-review.googlesource.com/6772 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>

commit: 77c3c0b025fc51b0bf66eb7f04eb6da9828f8954 [log] [tgz]
author: Adam Langley <agl@chromium.org> Fri Dec 18 14:58:40 2015 -0800
committer: Adam Langley <agl@google.com> Fri Dec 18 23:15:33 2015 +0000
tree: c43cc033e88f671c6216947c5fd5ee537febf014
parent: 9f897b25800d2f54f5c442ef01a60721aeca6d87 [diff]
diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
index 7bb3cab..d9c58cb 100644
--- a/crypto/curve25519/curve25519.c
+++ b/crypto/curve25519/curve25519.c

@@ -17,8 +17,7 @@
  * public domain but this file has the ISC license just to keep licencing
  * simple.
  *
- * The field functions are shared by Ed25519 and X25519, although Ed25519 is
- * disabled when |OPENSSL_SMALL| is defined. */
+ * The field functions are shared by Ed25519 and X25519 where possible. */
 
 #include <openssl/curve25519.h>
 
@@ -785,9 +784,6 @@
   h[9] = h9;
 }
 
-/* Ed25519 support is disabled when built with |OPENSSL_SMALL|. */
-#if !defined(OPENSSL_SMALL)
-
 /* h = -f
  *
  * Preconditions:
@@ -1329,13 +1325,10 @@
   fe_cmov(t->xy2d, u->xy2d, b);
 }
 
-#if 0
+#if defined(OPENSSL_SMALL)
 
-/* At the moment, building with |OPENSSL_SMALL| causes Ed25519 to be disabled.
- * In the future we might enable it but, in that case, we'll still probably
- * want to keep the size down. This block of code replaces the standard
- * base-point table with a much smaller one. The standard table is 30,720 bytes
- * while this one is just 960.
+/* This block of code replaces the standard base-point table with a much smaller
+ * one. The standard table is 30,720 bytes while this one is just 960.
  *
  * This table contains 15 pairs of group elements, (x, y), where each field
  * element is serialised with |fe_tobytes|. If |i| is the index of the group
@@ -4768,8 +4761,6 @@
   return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
 
-#endif
-
 static void x25519_scalar_mult_generic(uint8_t out[32],
                                        const uint8_t scalar[32],
                                        const uint8_t point[32]) {
@@ -4852,19 +4843,6 @@
   return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
 }
 
-#if defined(OPENSSL_SMALL)
-
-/* When |OPENSSL_SMALL| is set, base point multiplication is done with the
- * Montgomery ladder because the Ed25519 code isn't included. */
-
-void X25519_public_from_private(uint8_t out_public_value[32],
-                                const uint8_t private_key[32]) {
-  static const uint8_t kMongomeryBasePoint[32] = {9};
-  x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint);
-}
-
-#else
-
 void X25519_public_from_private(uint8_t out_public_value[32],
                                 const uint8_t private_key[32]) {
 #if defined(OPENSSL_ARM)
@@ -4893,5 +4871,3 @@
   fe_mul(zplusy, zplusy, zminusy_inv);
   fe_tobytes(out_public_value, zplusy);
 }
-
-#endif

diff --git a/crypto/curve25519/ed25519_test.cc b/crypto/curve25519/ed25519_test.cc
index 38010aa..1b6a0b6 100644
--- a/crypto/curve25519/ed25519_test.cc
+++ b/crypto/curve25519/ed25519_test.cc

@@ -20,15 +20,6 @@
 #include "../test/file_test.h"
 
 
-#if defined(OPENSSL_SMALL)
-
-int main(int argc, char **argv) {
-  printf("PASS\n");
-  return 0;
-}
-
-#else
-
 static bool TestSignature(FileTest *t, void *arg) {
   std::vector<uint8_t> private_key, public_key, message, expected_signature;
   if (!t->GetBytes(&private_key, "PRIV") ||
@@ -70,5 +61,3 @@
 
   return FileTestMain(TestSignature, nullptr, argv[1]);
 }
-
-#endif  /* OPENSSL_SMALL */

diff --git a/tool/speed.cc b/tool/speed.cc
index 6f14478..db7c5fa 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc

@@ -405,7 +405,6 @@
 
   TimeResults results;
 
-#if !defined(OPENSSL_SMALL)
   uint8_t public_key[32], private_key[64];
 
   if (!TimeFunction(&results, [&public_key, &private_key]() -> bool {
@@ -438,7 +437,6 @@
   }
 
   results.Print("Ed25519 verify");
-#endif
 
   if (!TimeFunction(&results, []() -> bool {
         uint8_t out[32], in[32];
commit	77c3c0b025fc51b0bf66eb7f04eb6da9828f8954	[log] [tgz]
author	Adam Langley <agl@chromium.org>	Fri Dec 18 14:58:40 2015 -0800
committer	Adam Langley <agl@google.com>	Fri Dec 18 23:15:33 2015 +0000
tree	c43cc033e88f671c6216947c5fd5ee537febf014
parent	9f897b25800d2f54f5c442ef01a60721aeca6d87 [diff]