Integrate ed25519-donna (Not yet used).

Integrate ed25519-donna into the build process, and provide an
interface that matches the `ref10` code.  Apart from the blinding and
Curve25519 key conversion, this functions as a drop-in replacement for
ref10 (verified by modifying crypto_ed25519.c).

Tests pass, and the benchmarks claim it is quite a bit faster, however
actually using the code requires additional integration work.

1 files changed, 32 insertions, 0 deletions

diff --git a/src/ext/ed25519/donna/README.tor b/src/ext/ed25519/donna/README.tor
new file mode 100644
index 0000000000..6053c88f28
--- /dev/null
+++ b/src/ext/ed25519/donna/README.tor
@@ -0,0 +1,32 @@
+
+We've made the following changes to the stock ed25519-donna from
+as of 8757bd4cd209cb032853ece0ce413f122eef212c.
+
+ * Tor uses copies of `ed25519-donna.h` and `ed25519.c`, named
+   `ed25519_donna_tor.h` and `ed25591_tor.c`.
+
+   The main functional differences between the standard ed25519-donna
+   and the Tor specific version are:
+
+    * The external interface has been reworked to match that provided
+       by Tor's copy of the SUPERCOP `ref10` code.
+
+    * The secret (aka private) key is now stored/used in expanded form.
+
+    * The internal math tests from `test-internals.c` have been wrapped
+      in a function and the entire file is included to allow for
+      runtime validation.
+
+ * `ED25519_FN(ed25519_randombytes_unsafe)` is now static.
+
+ * `ed25519-randombytes-custom.h` has the appropriate code to call
+    Tor's `crypto_rand()` routine, instead of directly using OpenSSL's
+    CSPRNG.
+
+ * OSX pollutes the global namespace with an `ALIGN` macro, which is
+   undef-ed right before the donna `ALIGN` macro is defined.
+
+ * If building with Clang's AddressSanitizer, disable inline assembly
+   since the compilation will fail in `ge25519_scalarmult_base_choose_niels`
+   on x86_64 targets due to running out of registers.
+