Merge branch 'ed25519_ref10_squashed'

Conflicts:
	src/common/include.am
	src/ext/README

6 files changed, 927 insertions, 1 deletions

diff --git a/src/test/bench.c b/src/test/bench.c
index f6c33626f2..98e45d2e00 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -30,6 +30,7 @@ const char tor_git_revision[] = "";
 #include "crypto_curve25519.h"
 #include "onion_ntor.h"
 #endif
+#include "crypto_ed25519.h"
 
 #if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_PROCESS_CPUTIME_ID)
 static uint64_t nanostart;
@@ -79,6 +80,9 @@ perftime(void)
 #define NANOCOUNT(start,end,iters) \
   ( ((double)((end)-(start))) / (iters) )
 
+#define MICROCOUNT(start,end,iters) \
+  ( NANOCOUNT((start), (end), (iters)) / 1000.0 )
+
 /** Run AES performance benchmarks. */
 static void
 bench_aes(void)
@@ -235,6 +239,63 @@ bench_onion_ntor(void)
 #endif
 
 static void
+bench_ed25519(void)
+{
+  uint64_t start, end;
+  const int iters = 1<<12;
+  int i;
+  const uint8_t msg[] = "but leaving, could not tell what they had heard";
+  ed25519_signature_t sig;
+  ed25519_keypair_t kp;
+  curve25519_keypair_t curve_kp;
+  ed25519_public_key_t pubkey_tmp;
+
+  ed25519_secret_key_generate(&kp.seckey, 0);
+  start = perftime();
+  for (i = 0; i < iters; ++i) {
+    ed25519_public_key_generate(&kp.pubkey, &kp.seckey);
+  }
+  end = perftime();
+  printf("Generate public key: %.2f usec\n",
+         MICROCOUNT(start, end, iters));
+
+  start = perftime();
+  for (i = 0; i < iters; ++i) {
+    ed25519_sign(&sig, msg, sizeof(msg), &kp);
+  }
+  end = perftime();
+  printf("Sign a short message: %.2f usec\n",
+         MICROCOUNT(start, end, iters));
+
+  start = perftime();
+  for (i = 0; i < iters; ++i) {
+    ed25519_checksig(&sig, msg, sizeof(msg), &kp.pubkey);
+  }
+  end = perftime();
+  printf("Verify signature: %.2f usec\n",
+         MICROCOUNT(start, end, iters));
+
+  curve25519_keypair_generate(&curve_kp, 0);
+  start = perftime();
+  for (i = 0; i < iters; ++i) {
+    ed25519_public_key_from_curve25519_public_key(&pubkey_tmp,
+                                                  &curve_kp.pubkey, 1);
+  }
+  end = perftime();
+  printf("Convert public point from curve25519: %.2f usec\n",
+         MICROCOUNT(start, end, iters));
+
+  curve25519_keypair_generate(&curve_kp, 0);
+  start = perftime();
+  for (i = 0; i < iters; ++i) {
+    ed25519_public_blind(&pubkey_tmp, &kp.pubkey, msg);
+  }
+  end = perftime();
+  printf("Blind a public key: %.2f usec\n",
+         MICROCOUNT(start, end, iters));
+}
+
+static void
 bench_cell_aes(void)
 {
   uint64_t start, end;
@@ -515,6 +576,7 @@ static struct benchmark_t benchmarks[] = {
 #ifdef CURVE25519_ENABLED
   ENT(onion_ntor),
 #endif
+  ENT(ed25519),
   ENT(cell_aes),
   ENT(cell_ops),
   ENT(dh),
diff --git a/src/test/ed25519_exts_ref.py b/src/test/ed25519_exts_ref.py
new file mode 100644
index 0000000000..93dc49ee93
--- /dev/null
+++ b/src/test/ed25519_exts_ref.py
@@ -0,0 +1,234 @@
+#!/usr/bin/python
+# Copyright 2014, The Tor Project, Inc
+# See LICENSE for licensing information
+
+"""
+   Reference implementations for the ed25519 tweaks that Tor uses.
+
+   Includes self-tester and test vector generator.
+"""
+
+import slow_ed25519
+from slow_ed25519 import *
+
+import os
+import random
+import slownacl_curve25519
+import unittest
+import binascii
+import textwrap
+
+#define a synonym that doesn't look like 1
+ell = l
+
+# This replaces expmod above and makes it go a lot faster.
+slow_ed25519.expmod = pow
+
+def curve25519ToEd25519(c, sign):
+    u = decodeint(c)
+    y = ((u - 1) * inv(u + 1)) % q
+    x = xrecover(y)
+    if x & 1 != sign: x = q-x
+    return encodepoint([x,y])
+
+def blindESK(esk, param):
+    h = H("Derive temporary signing key" + param)
+    mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
+    s = decodeint(esk[:32])
+    s_prime = (s * mult) % ell
+    k = esk[32:]
+    assert(len(k) == 32)
+    k_prime = H("Derive temporary signing key hash input" + k)[:32]
+    return encodeint(s_prime) + k_prime
+
+def blindPK(pk, param):
+    h = H("Derive temporary signing key" + param)
+    mult = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
+    P = decodepoint(pk)
+    return encodepoint(scalarmult(P, mult))
+
+def expandSK(sk):
+    h = H(sk)
+    a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
+    k = ''.join([h[i] for i in range(b/8,b/4)])
+    assert len(k) == 32
+    return encodeint(a)+k
+
+def publickeyFromESK(h):
+    a = decodeint(h[:32])
+    A = scalarmult(B,a)
+    return encodepoint(A)
+
+def signatureWithESK(m,h,pk):
+    a = decodeint(h[:32])
+    r = Hint(''.join([h[i] for i in range(b/8,b/4)]) + m)
+    R = scalarmult(B,r)
+    S = (r + Hint(encodepoint(R) + pk + m) * a) % l
+    return encodepoint(R) + encodeint(S)
+
+def newSK():
+    return os.urandom(32)
+
+# ------------------------------------------------------------
+
+MSG = "This is extremely silly. But it is also incredibly serious business!"
+
+class SelfTest(unittest.TestCase):
+
+    def _testSignatures(self, esk, pk):
+        sig = signatureWithESK(MSG, esk, pk)
+        checkvalid(sig, MSG, pk)
+        bad = False
+        try:
+            checkvalid(sig, MSG*2, pk)
+            bad = True
+        except Exception:
+            pass
+
+        self.failIf(bad)
+
+    def testExpand(self):
+        sk = newSK()
+        pk = publickey(sk)
+        esk = expandSK(sk)
+        sig1 = signature(MSG, sk, pk)
+        sig2 = signatureWithESK(MSG, esk, pk)
+        self.assertEquals(sig1, sig2)
+
+    def testSignatures(self):
+        sk = newSK()
+        esk = expandSK(sk)
+        pk = publickeyFromESK(esk)
+        pk2 = publickey(sk)
+        self.assertEquals(pk, pk2)
+
+        self._testSignatures(esk, pk)
+
+    def testDerivation(self):
+        priv = slownacl_curve25519.Private()
+        pub = priv.get_public()
+
+        ed_pub0 = publickeyFromESK(priv.private)
+        sign = (ord(ed_pub0[31]) & 255) >> 7
+        ed_pub1 = curve25519ToEd25519(pub.public, sign)
+
+        self.assertEquals(ed_pub0, ed_pub1)
+
+    def testBlinding(self):
+        sk = newSK()
+        esk = expandSK(sk)
+        pk = publickeyFromESK(esk)
+        param = os.urandom(32)
+        besk = blindESK(esk, param)
+        bpk = blindPK(pk, param)
+        bpk2 = publickeyFromESK(besk)
+        self.assertEquals(bpk, bpk2)
+
+        self._testSignatures(besk, bpk)
+
+# ------------------------------------------------------------
+
+# From pprint.pprint([ binascii.b2a_hex(os.urandom(32)) for _ in xrange(8) ])
+RAND_INPUTS = [
+  '26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36',
+  'fba7a5366b5cb98c2667a18783f5cf8f4f8d1a2ce939ad22a6e685edde85128d',
+  '67e3aa7a14fac8445d15e45e38a523481a69ae35513c9e4143eb1c2196729a0e',
+  'd51385942033a76dc17f089a59e6a5a7fe80d9c526ae8ddd8c3a506b99d3d0a6',
+  '5c8eac469bb3f1b85bc7cd893f52dc42a9ab66f1b02b5ce6a68e9b175d3bb433',
+  'eda433d483059b6d1ff8b7cfbd0fe406bfb23722c8f3c8252629284573b61b86',
+  '4377c40431c30883c5fbd9bc92ae48d1ed8a47b81d13806beac5351739b5533d',
+  'c6bbcce615839756aed2cc78b1de13884dd3618f48367a17597a16c1cd7a290b']
+
+# From pprint.pprint([ binascii.b2a_hex(os.urandom(32)) for _ in xrange(8) ])
+BLINDING_PARAMS = [
+  '54a513898b471d1d448a2f3c55c1de2c0ef718c447b04497eeb999ed32027823',
+  '831e9b5325b5d31b7ae6197e9c7a7baf2ec361e08248bce055908971047a2347',
+  'ac78a1d46faf3bfbbdc5af5f053dc6dc9023ed78236bec1760dadfd0b2603760',
+  'f9c84dc0ac31571507993df94da1b3d28684a12ad14e67d0a068aba5c53019fc',
+  'b1fe79d1dec9bc108df69f6612c72812755751f21ecc5af99663b30be8b9081f',
+  '81f1512b63ab5fb5c1711a4ec83d379c420574aedffa8c3368e1c3989a3a0084',
+  '97f45142597c473a4b0e9a12d64561133ad9e1155fe5a9807fe6af8a93557818',
+  '3f44f6a5a92cde816635dfc12ade70539871078d2ff097278be2a555c9859cd0']
+
+PREFIX = "ED25519_"
+
+def writeArray(name, array):
+    print "static const char *{prefix}{name}[] = {{".format(
+        prefix=PREFIX,name=name)
+    for a in array:
+        h = binascii.b2a_hex(a)
+        if len(h) > 70:
+            h1 = h[:70]
+            h2 = h[70:]
+            print '  "{0}"\n      "{1}",'.format(h1,h2)
+        else:
+            print '  "{0}",'.format(h)
+    print "};\n"
+
+def comment(text, initial="/**"):
+    print initial
+    print textwrap.fill(text,initial_indent=" * ",subsequent_indent=" * ")
+    print " */"
+
+def makeTestVectors():
+    comment("""Test vectors for our ed25519 implementation and related
+               functions. These were automatically generated by the
+               ed25519_exts_ref.py script.""", initial="/*")
+
+
+    comment("""Secret key seeds used as inputs for the ed25519 test vectors.
+               Randomly generated. """)
+    secretKeys = [ binascii.a2b_hex(r) for r in RAND_INPUTS ]
+    writeArray("SECRET_KEYS", secretKeys)
+
+    comment("""Secret ed25519 keys after expansion from seeds. This is how Tor
+               represents them internally.""")
+    expandedSecretKeys = [ expandSK(sk) for sk in secretKeys ]
+    writeArray("EXPANDED_SECRET_KEYS", expandedSecretKeys)
+
+    comment("""Public keys derived from the above secret keys""")
+    publicKeys = [ publickey(sk) for sk in secretKeys ]
+    writeArray("PUBLIC_KEYS", publicKeys)
+
+    comment("""The curve25519 public keys from which the ed25519 keys can be
+               derived.  Used to test our 'derive ed25519 from curve25519'
+               code.""")
+    writeArray("CURVE25519_PUBLIC_KEYS",
+               (slownacl_curve25519.smult_curve25519_base(sk[:32])
+                   for sk in expandedSecretKeys))
+
+    comment("""Parameters used for key blinding tests. Randomly generated.""")
+    blindingParams =  [ binascii.a2b_hex(r) for r in BLINDING_PARAMS ]
+    writeArray("BLINDING_PARAMS", blindingParams)
+
+    comment("""Blinded secret keys for testing key blinding.  The nth blinded
+               key corresponds to the nth secret key blidned with the nth
+               blinding parameter.""")
+    writeArray("BLINDED_SECRET_KEYS",
+               (blindESK(expandSK(sk), bp)
+                for sk,bp in zip(secretKeys,blindingParams)))
+
+    comment("""Blinded public keys for testing key blinding.  The nth blinded
+               key corresponds to the nth public key blidned with the nth
+               blinding parameter.""")
+    writeArray("BLINDED_PUBLIC_KEYS",
+               (blindPK(pk, bp) for pk,bp in zip(publicKeys,blindingParams)))
+
+    comment("""Signatures of the public keys, made with their corresponding
+               secret keys.""")
+    writeArray("SELF_SIGNATURES",
+               (signature(pk, sk, pk) for pk,sk in zip(publicKeys,secretKeys)))
+
+
+
+if __name__ == '__main__':
+    import sys
+    if len(sys.argv) == 1 or sys.argv[1] not in ("SelfTest", "MakeVectors"):
+        print "You should specify one of 'SelfTest' or 'MakeVectors'"
+        sys.exit(1)
+    if sys.argv[1] == 'SelfTest':
+        unittest.main()
+    else:
+        makeTestVectors()
+
+
diff --git a/src/test/ed25519_vectors.inc b/src/test/ed25519_vectors.inc
new file mode 100644
index 0000000000..760bafb971
--- /dev/null
+++ b/src/test/ed25519_vectors.inc
@@ -0,0 +1,150 @@
+/*
+ * Test vectors for our ed25519 implementation and related
+ * functions. These were automatically generated by the
+ * ed25519_exts_ref.py script.
+ */
+/**
+ * Secret key seeds used as inputs for the ed25519 test vectors.
+ * Randomly generated.
+ */
+static const char *ED25519_SECRET_KEYS[] = {
+  "26c76712d89d906e6672dafa614c42e5cb1caac8c6568e4d2493087db51f0d36",
+  "fba7a5366b5cb98c2667a18783f5cf8f4f8d1a2ce939ad22a6e685edde85128d",
+  "67e3aa7a14fac8445d15e45e38a523481a69ae35513c9e4143eb1c2196729a0e",
+  "d51385942033a76dc17f089a59e6a5a7fe80d9c526ae8ddd8c3a506b99d3d0a6",
+  "5c8eac469bb3f1b85bc7cd893f52dc42a9ab66f1b02b5ce6a68e9b175d3bb433",
+  "eda433d483059b6d1ff8b7cfbd0fe406bfb23722c8f3c8252629284573b61b86",
+  "4377c40431c30883c5fbd9bc92ae48d1ed8a47b81d13806beac5351739b5533d",
+  "c6bbcce615839756aed2cc78b1de13884dd3618f48367a17597a16c1cd7a290b",
+};
+
+/**
+ * Secret ed25519 keys after expansion from seeds. This is how Tor
+ * represents them internally.
+ */
+static const char *ED25519_EXPANDED_SECRET_KEYS[] = {
+  "c0a4de23cc64392d85aa1da82b3defddbea946d13bb053bf8489fa9296281f495022f1"
+      "f7ec0dcf52f07d4c7965c4eaed121d5d88d0a8ff546b06116a20e97755",
+  "18a8a69a06790dac778e882f7e868baacfa12521a5c058f5194f3a729184514a2a656f"
+      "e7799c3e41f43d756da8d9cd47a061316cfe6147e23ea2f90d1ca45f30",
+  "58d84f8862d2ecfa30eb491a81c36d05b574310ea69dae18ecb57e992a896656b98218"
+      "7ee96c15bf4caeeab2d0b0ae4cd0b8d17470fc7efa98bb26428f4ef36d",
+  "50702d20b3550c6e16033db5ad4fba16436f1ecc7485be6af62b0732ceb5d173c47ccd"
+      "9d044b6ea99dd99256adcc9c62191be194e7cb1a5b58ddcec85d876a2b",
+  "7077464c864c2ed5ed21c9916dc3b3ba6256f8b742fec67658d8d233dadc8d5a7a82c3"
+      "71083cc86892c2c8782dda2a09b6baf016aec51b689183ae59ce932ff2",
+  "8883c1387a6c86fc0bd7b9f157b4e4cd83f6885bf55e2706d2235d4527a2f05311a359"
+      "5953282e436df0349e1bb313a19b3ddbf7a7b91ecce8a2c34abadb38b3",
+  "186791ac8d03a3ac8efed6ac360467edd5a3bed2d02b3be713ddd5be53b3287ee37436"
+      "e5fd7ac43794394507ad440ecfdf59c4c255f19b768a273109e06d7d8e",
+  "b003077c1e52a62308eef7950b2d532e1d4a7eea50ad22d8ac11b892851f1c40ffb9c9"
+      "ff8dcd0c6c233f665a2e176324d92416bfcfcd1f787424c0c667452d86",
+};
+
+/**
+ * Public keys derived from the above secret keys
+ */
+static const char *ED25519_PUBLIC_KEYS[] = {
+  "c2247870536a192d142d056abefca68d6193158e7c1a59c1654c954eccaff894",
+  "1519a3b15816a1aafab0b213892026ebf5c0dc232c58b21088d88cb90e9b940d",
+  "081faa81992e360ea22c06af1aba096e7a73f1c665bc8b3e4e531c46455fd1dd",
+  "73cfa1189a723aad7966137cbffa35140bb40d7e16eae4c40b79b5f0360dd65a",
+  "66c1a77104d86461b6f98f73acf3cd229c80624495d2d74d6fda1e940080a96b",
+  "d21c294db0e64cb2d8976625786ede1d9754186ae8197a64d72f68c792eecc19",
+  "c4d58b4cf85a348ff3d410dd936fa460c4f18da962c01b1963792b9dcc8a6ea6",
+  "95126f14d86494020665face03f2d42ee2b312a85bc729903eb17522954a1c4a",
+};
+
+/**
+ * The curve25519 public keys from which the ed25519 keys can be
+ * derived.  Used to test our 'derive ed25519 from curve25519'
+ * code.
+ */
+static const char *ED25519_CURVE25519_PUBLIC_KEYS[] = {
+  "17ba77846e04c7ee5ca17cade774ac1884408f9701f439d4df32cbd8736c6a1f",
+  "022be2124bc1899a78ba2b4167d191af3b59cadf94f0382bc31ce183a117f161",
+  "bf4fd38ef22f718f03c0a12ba5127bd1e3afd494793753f519728b29cc577571",
+  "56c493e490261cef31633efd2461d2b896908e90459e4eecde950a895aef681d",
+  "089675a3e8ff2a7d8b2844a79269c95b7f97a4b8b5ea0cbeec669c6f2dea9b39",
+  "59e20dcb691c4a345fe86c8a79ac817e5b514d84bbf0512a842a08e43f7f087e",
+  "9e43b820b320eda35f66f122c155b2bf8e2192c468617b7115bf067d19e08369",
+  "861f33296cb57f8f01e4a5e8a7e5d5d7043a6247586ab36dea8a1a3c4403ee30",
+};
+
+/**
+ * Parameters used for key blinding tests. Randomly generated.
+ */
+static const char *ED25519_BLINDING_PARAMS[] = {
+  "54a513898b471d1d448a2f3c55c1de2c0ef718c447b04497eeb999ed32027823",
+  "831e9b5325b5d31b7ae6197e9c7a7baf2ec361e08248bce055908971047a2347",
+  "ac78a1d46faf3bfbbdc5af5f053dc6dc9023ed78236bec1760dadfd0b2603760",
+  "f9c84dc0ac31571507993df94da1b3d28684a12ad14e67d0a068aba5c53019fc",
+  "b1fe79d1dec9bc108df69f6612c72812755751f21ecc5af99663b30be8b9081f",
+  "81f1512b63ab5fb5c1711a4ec83d379c420574aedffa8c3368e1c3989a3a0084",
+  "97f45142597c473a4b0e9a12d64561133ad9e1155fe5a9807fe6af8a93557818",
+  "3f44f6a5a92cde816635dfc12ade70539871078d2ff097278be2a555c9859cd0",
+};
+
+/**
+ * Blinded secret keys for testing key blinding.  The nth blinded
+ * key corresponds to the nth secret key blidned with the nth
+ * blinding parameter.
+ */
+static const char *ED25519_BLINDED_SECRET_KEYS[] = {
+  "014e83abadb2ca9a27e0ffe23920333d817729f48700e97656ec2823d694050e171d43"
+      "f24e3f53e70ec7ac280044ac77d4942dee5d6807118a59bdf3ee647e89",
+  "fad8cca0b4335847795288b1452508752b253e64e6c7c78d4a02dbbd7d46aa0eb8ceff"
+      "20dfcf53eb52b891fc078c934efbf0353af7242e7dc51bb32a093afa29",
+  "116eb0ae0a4a91763365bdf86db427b00862db448487808788cc339ac10e5e089217f5"
+      "2e92797462bd890fc274672e05c98f2c82970d640084781334aae0f940",
+  "bd1fbb0ee5acddc4adbcf5f33e95d9445f40326ce579fdd764a24483a9ccb20f509ece"
+      "e77082ce088f7c19d5a00e955eeef8df6fa41686abc1030c2d76807733",
+  "237f5345cefe8573ce9fa7e216381a1172796c9e3f70668ab503b1352952530fb57b95"
+      "a440570659a440a3e4771465022a8e67af86bdf2d0990c54e7bb87ff9a",
+  "ba8ff23bc4ad2b739e1ccffc9fbc7837053ea81cdfdb15073f56411cfbae1d0ec492fc"
+      "87d5ec2a1b185ca5a40541fdef0b1e128fd5c2380c888bfa924711bcab",
+  "0fa68f969de038c7a90a4a74ee6167c77582006f2dedecc1956501ba6b6fb10391b476"
+      "8f8e556d78f4bdcb9a13b6f6066fe81d3134ae965dc48cd0785b3af2b8",
+  "deaa3456d1c21944d5dcd361a646858c6cf9336b0a6851d925717eb1ae186902053d9c"
+      "00c81e1331c06ab50087be8cfc7dc11691b132614474f1aa9c2503cccd",
+};
+
+/**
+ * Blinded public keys for testing key blinding.  The nth blinded
+ * key corresponds to the nth public key blidned with the nth
+ * blinding parameter.
+ */
+static const char *ED25519_BLINDED_PUBLIC_KEYS[] = {
+  "722d6da6348e618967ef782e71061e27163a8b35f21856475d9d2023f65b6495",
+  "1dffa0586da6cbfcff2024eedf4fc6c818242d9a82dbbe635d6da1b975a1160d",
+  "5ed81f98fed5a6acda4ea6da2c34fab0ab359d950c510c256473f1f33ff438b4",
+  "6e6f92a54fb282120c46d9603df41135f025bc1f58f283809d04be96aeb04040",
+  "cda236f28edc4c7e02d18007b8dab49d669265b0f7aefb1824d7cc8e73a2cd63",
+  "367b03b17b67ca7329b89a520bdab91782402a41cd67264e34b5541a4b3f875b",
+  "8d486b03ac4e3b486b7a1d563706c7fdac75aee789a7cf6f22789eedeff61a31",
+  "9f297ff0aa2ceda91c5ab1b6446f12533d145940de6d850dc323417afde0cb78",
+};
+
+/**
+ * Signatures of the public keys, made with their corresponding
+ * secret keys.
+ */
+static const char *ED25519_SELF_SIGNATURES[] = {
+  "d23188eac3773a316d46006fa59c095060be8b1a23582a0dd99002a82a0662bd246d84"
+      "49e172e04c5f46ac0d1404cebe4aabd8a75a1457aa06cae41f3334f104",
+  "3a785ac1201c97ee5f6f0d99323960d5f264c7825e61aa7cc81262f15bef75eb4fa572"
+      "3add9b9d45b12311b6d403eb3ac79ff8e4e631fc3cd51e4ad2185b200b",
+  "cf431fd0416bfbd20c9d95ef9b723e2acddffb33900edc72195dea95965d52d888d30b"
+      "7b8a677c0bd8ae1417b1e1a0ec6700deadd5d8b54b6689275e04a04509",
+  "2375380cd72d1a6c642aeddff862be8a5804b916acb72c02d9ed052c1561881aa658a5"
+      "af856fcd6d43113e42f698cd6687c99efeef7f2ce045824440d26c5d00",
+  "2385a472f599ca965bbe4d610e391cdeabeba9c336694b0d6249e551458280be122c24"
+      "41dd9746a81bbfb9cd619364bab0df37ff4ceb7aefd24469c39d3bc508",
+  "e500cd0b8cfff35442f88008d894f3a2fa26ef7d3a0ca5714ae0d3e2d40caae58ba7cd"
+      "f69dd126994dad6be536fcda846d89dd8138d1683cc144c8853dce7607",
+  "d187b9e334b0050154de10bf69b3e4208a584e1a65015ec28b14bcc252cf84b8baa9c9"
+      "4867daa60f2a82d09ba9652d41e8dde292b624afc8d2c26441b95e3c0e",
+  "815213640a643d198bd056e02bba74e1c8d2d931643e84497adf3347eb485079c9afe0"
+      "afce9284cdc084946b561abbb214f1304ca11228ff82702185cf28f60d",
+};
+
diff --git a/src/test/include.am b/src/test/include.am
index db9f2d1f1f..5f88189222 100644
--- a/src/test/include.am
+++ b/src/test/include.am
@@ -74,7 +74,8 @@ src_test_bench_LDADD = src/or/libtor.a src/common/libor.a \
 
 noinst_HEADERS+= \
 	src/test/test.h \
-	src/test/test_descriptors.inc
+	src/test/test_descriptors.inc \
+	src/test/ed25519_vectors.inc
 
 if CURVE25519_ENABLED
 noinst_PROGRAMS+= src/test/test-ntor-cl
diff --git a/src/test/slow_ed25519.py b/src/test/slow_ed25519.py
new file mode 100644
index 0000000000..f44708b200
--- /dev/null
+++ b/src/test/slow_ed25519.py
@@ -0,0 +1,115 @@
+# This is the ed25519 implementation from
+#     http://ed25519.cr.yp.to/python/ed25519.py .
+# It is in the public domain.
+#
+# It isn't constant-time.  Don't use it except for testing.  Also, see
+# warnings about how very slow it is.  Only use this for generating
+# test vectors, I'd suggest.
+#
+# Don't edit this file.  Mess with ed25519_ref.py
+
+import hashlib
+
+b = 256
+q = 2**255 - 19
+l = 2**252 + 27742317777372353535851937790883648493
+
+def H(m):
+  return hashlib.sha512(m).digest()
+
+def expmod(b,e,m):
+  if e == 0: return 1
+  t = expmod(b,e/2,m)**2 % m
+  if e & 1: t = (t*b) % m
+  return t
+
+def inv(x):
+  return expmod(x,q-2,q)
+
+d = -121665 * inv(121666)
+I = expmod(2,(q-1)/4,q)
+
+def xrecover(y):
+  xx = (y*y-1) * inv(d*y*y+1)
+  x = expmod(xx,(q+3)/8,q)
+  if (x*x - xx) % q != 0: x = (x*I) % q
+  if x % 2 != 0: x = q-x
+  return x
+
+By = 4 * inv(5)
+Bx = xrecover(By)
+B = [Bx % q,By % q]
+
+def edwards(P,Q):
+  x1 = P[0]
+  y1 = P[1]
+  x2 = Q[0]
+  y2 = Q[1]
+  x3 = (x1*y2+x2*y1) * inv(1+d*x1*x2*y1*y2)
+  y3 = (y1*y2+x1*x2) * inv(1-d*x1*x2*y1*y2)
+  return [x3 % q,y3 % q]
+
+def scalarmult(P,e):
+  if e == 0: return [0,1]
+  Q = scalarmult(P,e/2)
+  Q = edwards(Q,Q)
+  if e & 1: Q = edwards(Q,P)
+  return Q
+
+def encodeint(y):
+  bits = [(y >> i) & 1 for i in range(b)]
+  return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b/8)])
+
+def encodepoint(P):
+  x = P[0]
+  y = P[1]
+  bits = [(y >> i) & 1 for i in range(b - 1)] + [x & 1]
+  return ''.join([chr(sum([bits[i * 8 + j] << j for j in range(8)])) for i in range(b/8)])
+
+def bit(h,i):
+  return (ord(h[i/8]) >> (i%8)) & 1
+
+def publickey(sk):
+  h = H(sk)
+  a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
+  A = scalarmult(B,a)
+  return encodepoint(A)
+
+def Hint(m):
+  h = H(m)
+  return sum(2**i * bit(h,i) for i in range(2*b))
+
+def signature(m,sk,pk):
+  h = H(sk)
+  a = 2**(b-2) + sum(2**i * bit(h,i) for i in range(3,b-2))
+  r = Hint(''.join([h[i] for i in range(b/8,b/4)]) + m)
+  R = scalarmult(B,r)
+  S = (r + Hint(encodepoint(R) + pk + m) * a) % l
+  return encodepoint(R) + encodeint(S)
+
+def isoncurve(P):
+  x = P[0]
+  y = P[1]
+  return (-x*x + y*y - 1 - d*x*x*y*y) % q == 0
+
+def decodeint(s):
+  return sum(2**i * bit(s,i) for i in range(0,b))
+
+def decodepoint(s):
+  y = sum(2**i * bit(s,i) for i in range(0,b-1))
+  x = xrecover(y)
+  if x & 1 != bit(s,b-1): x = q-x
+  P = [x,y]
+  if not isoncurve(P): raise Exception("decoding point that is not on curve")
+  return P
+
+def checkvalid(s,m,pk):
+  if len(s) != b/4: raise Exception("signature length is wrong")
+  if len(pk) != b/8: raise Exception("public-key length is wrong")
+  R = decodepoint(s[0:b/8])
+  A = decodepoint(pk)
+  S = decodeint(s[b/8:b/4])
+  h = Hint(encodepoint(R) + pk + m)
+  if scalarmult(B,S) != edwards(R,scalarmult(A,h)):
+    raise Exception("signature does not pass verification")
+
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 36af725e7b..0c87c88f56 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -13,6 +13,8 @@
 #include "siphash.h"
 #ifdef CURVE25519_ENABLED
 #include "crypto_curve25519.h"
+#include "crypto_ed25519.h"
+#include "ed25519_vectors.inc"
 #endif
 #include "crypto_s2k.h"
 #include "crypto_pwbox.h"
@@ -1516,9 +1518,365 @@ test_crypto_curve25519_persist(void *arg)
   tor_free(tag);
 }
 
+static void
+test_crypto_ed25519_simple(void *arg)
+{
+  ed25519_keypair_t kp1, kp2;
+  ed25519_public_key_t pub1, pub2;
+  ed25519_secret_key_t sec1, sec2;
+  ed25519_signature_t sig1, sig2;
+  const uint8_t msg[] =
+    "GNU will be able to run Unix programs, "
+    "but will not be identical to Unix.";
+  const uint8_t msg2[] =
+    "Microsoft Windows extends the features of the DOS operating system, "
+    "yet is compatible with most existing applications that run under DOS.";
+  size_t msg_len = strlen((const char*)msg);
+  size_t msg2_len = strlen((const char*)msg2);
+
+  (void)arg;
+
+  tt_int_op(0, ==, ed25519_secret_key_generate(&sec1, 0));
+  tt_int_op(0, ==, ed25519_secret_key_generate(&sec2, 1));
+
+  tt_int_op(0, ==, ed25519_public_key_generate(&pub1, &sec1));
+  tt_int_op(0, ==, ed25519_public_key_generate(&pub2, &sec1));
+
+  tt_mem_op(pub1.pubkey, ==, pub2.pubkey, sizeof(pub1.pubkey));
+
+  memcpy(&kp1.pubkey, &pub1, sizeof(pub1));
+  memcpy(&kp1.seckey, &sec1, sizeof(sec1));
+  tt_int_op(0, ==, ed25519_sign(&sig1, msg, msg_len, &kp1));
+  tt_int_op(0, ==, ed25519_sign(&sig2, msg, msg_len, &kp1));
+
+  /* Ed25519 signatures are deterministic */
+  tt_mem_op(sig1.sig, ==, sig2.sig, sizeof(sig1.sig));
+
+  /* Basic signature is valid. */
+  tt_int_op(0, ==, ed25519_checksig(&sig1, msg, msg_len, &pub1));
+
+  /* Altered signature doesn't work. */
+  sig1.sig[0] ^= 3;
+  tt_int_op(-1, ==, ed25519_checksig(&sig1, msg, msg_len, &pub1));
+
+  /* Wrong public key doesn't work. */
+  tt_int_op(0, ==, ed25519_public_key_generate(&pub2, &sec2));
+  tt_int_op(-1, ==, ed25519_checksig(&sig2, msg, msg_len, &pub2));
+
+  /* Wrong message doesn't work. */
+  tt_int_op(0, ==, ed25519_checksig(&sig2, msg, msg_len, &pub1));
+  tt_int_op(-1, ==, ed25519_checksig(&sig2, msg, msg_len-1, &pub1));
+  tt_int_op(-1, ==, ed25519_checksig(&sig2, msg2, msg2_len, &pub1));
+
+  /* Batch signature checking works with some bad. */
+  tt_int_op(0, ==, ed25519_keypair_generate(&kp2, 0));
+  tt_int_op(0, ==, ed25519_sign(&sig1, msg, msg_len, &kp2));
+  {
+    ed25519_checkable_t ch[] = {
+      { &pub1, sig2, msg, msg_len }, /*ok*/
+      { &pub1, sig2, msg, msg_len-1 }, /*bad*/
+      { &kp2.pubkey, sig2, msg2, msg2_len }, /*bad*/
+      { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
+    };
+    int okay[4];
+    tt_int_op(-2, ==, ed25519_checksig_batch(okay, ch, 4));
+    tt_int_op(okay[0], ==, 1);
+    tt_int_op(okay[1], ==, 0);
+    tt_int_op(okay[2], ==, 0);
+    tt_int_op(okay[3], ==, 1);
+    tt_int_op(-2, ==, ed25519_checksig_batch(NULL, ch, 4));
+  }
+
+  /* Batch signature checking works with all good. */
+  {
+    ed25519_checkable_t ch[] = {
+      { &pub1, sig2, msg, msg_len }, /*ok*/
+      { &kp2.pubkey, sig1, msg, msg_len }, /*ok*/
+    };
+    int okay[2];
+    tt_int_op(0, ==, ed25519_checksig_batch(okay, ch, 2));
+    tt_int_op(okay[0], ==, 1);
+    tt_int_op(okay[1], ==, 1);
+    tt_int_op(0, ==, ed25519_checksig_batch(NULL, ch, 2));
+  }
+
+ done:
+  ;
+}
+
+static void
+test_crypto_ed25519_test_vectors(void *arg)
+{
+  char *mem_op_hex_tmp=NULL;
+  int i;
+  struct {
+    const char *sk;
+    const char *pk;
+    const char *sig;
+    const char *msg;
+  } items[] = {
+    /* These test vectors were generated with the "ref" implementation of
+     * ed25519 from SUPERCOP-20130419 */
+    { "4c6574277320686f706520746865726520617265206e6f206275677320696e20",
+      "f3e0e493b30f56e501aeb868fc912fe0c8b76621efca47a78f6d75875193dd87",
+      "b5d7fd6fd3adf643647ce1fe87a2931dedd1a4e38e6c662bedd35cdd80bfac51"
+        "1b2c7d1ee6bd929ac213014e1a8dc5373854c7b25dbe15ec96bf6c94196fae06",
+      "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
+      "204e554c2d7465726d696e617465642e"
+    },
+
+    { "74686520696d706c656d656e746174696f6e20776869636820617265206e6f74",
+      "407f0025a1e1351a4cb68e92f5c0ebaf66e7aaf93a4006a4d1a66e3ede1cfeac",
+      "02884fde1c3c5944d0ecf2d133726fc820c303aae695adceabf3a1e01e95bf28"
+        "da88c0966f5265e9c6f8edc77b3b96b5c91baec3ca993ccd21a3f64203600601",
+      "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
+      "204e554c2d7465726d696e617465642e"
+    },
+    { "6578706f73656420627920456e676c697368207465787420617320696e707574",
+      "61681cb5fbd69f9bc5a462a21a7ab319011237b940bc781cdc47fcbe327e7706",
+      "6a127d0414de7510125d4bc214994ffb9b8857a46330832d05d1355e882344ad"
+        "f4137e3ca1f13eb9cc75c887ef2309b98c57528b4acd9f6376c6898889603209",
+      "506c6561736520657863757365206d7920667269656e642e2048652069736e2774"
+      "204e554c2d7465726d696e617465642e"
+    },
+
+    /* These come from "sign.input" in ed25519's page */
+    { "5b5a619f8ce1c66d7ce26e5a2ae7b0c04febcd346d286c929e19d0d5973bfef9",
+      "6fe83693d011d111131c4f3fbaaa40a9d3d76b30012ff73bb0e39ec27ab18257",
+      "0f9ad9793033a2fa06614b277d37381e6d94f65ac2a5a94558d09ed6ce922258"
+        "c1a567952e863ac94297aec3c0d0c8ddf71084e504860bb6ba27449b55adc40e",
+      "5a8d9d0a22357e6655f9c785"
+    },
+    { "940c89fe40a81dafbdb2416d14ae469119869744410c3303bfaa0241dac57800",
+      "a2eb8c0501e30bae0cf842d2bde8dec7386f6b7fc3981b8c57c9792bb94cf2dd",
+      "d8bb64aad8c9955a115a793addd24f7f2b077648714f49c4694ec995b330d09d"
+        "640df310f447fd7b6cb5c14f9fe9f490bcf8cfadbfd2169c8ac20d3b8af49a0c",
+      "b87d3813e03f58cf19fd0b6395"
+    },
+    { "9acad959d216212d789a119252ebfe0c96512a23c73bd9f3b202292d6916a738",
+      "cf3af898467a5b7a52d33d53bc037e2642a8da996903fc252217e9c033e2f291",
+      "6ee3fe81e23c60eb2312b2006b3b25e6838e02106623f844c44edb8dafd66ab0"
+        "671087fd195df5b8f58a1d6e52af42908053d55c7321010092748795ef94cf06",
+      "55c7fa434f5ed8cdec2b7aeac173",
+    },
+    { "d5aeee41eeb0e9d1bf8337f939587ebe296161e6bf5209f591ec939e1440c300",
+      "fd2a565723163e29f53c9de3d5e8fbe36a7ab66e1439ec4eae9c0a604af291a5",
+      "f68d04847e5b249737899c014d31c805c5007a62c0a10d50bb1538c5f3550395"
+        "1fbc1e08682f2cc0c92efe8f4985dec61dcbd54d4b94a22547d24451271c8b00",
+      "0a688e79be24f866286d4646b5d81c"
+    },
+
+    { NULL, NULL, NULL, NULL}
+  };
+
+  (void)arg;
+
+  for (i = 0; items[i].pk; ++i) {
+    ed25519_keypair_t kp;
+    ed25519_signature_t sig;
+    uint8_t sk_seed[32];
+    uint8_t *msg;
+    size_t msg_len;
+    base16_decode((char*)sk_seed, sizeof(sk_seed),
+                  items[i].sk, 64);
+    ed25519_secret_key_from_seed(&kp.seckey, sk_seed);
+    tt_int_op(0, ==, ed25519_public_key_generate(&kp.pubkey, &kp.seckey));
+    test_memeq_hex(kp.pubkey.pubkey, items[i].pk);
+
+    msg_len = strlen(items[i].msg) / 2;
+    msg = tor_malloc(msg_len);
+    base16_decode((char*)msg, msg_len, items[i].msg, strlen(items[i].msg));
+
+    tt_int_op(0, ==, ed25519_sign(&sig, msg, msg_len, &kp));
+    test_memeq_hex(sig.sig, items[i].sig);
+
+    tor_free(msg);
+  }
+
+ done:
+  tor_free(mem_op_hex_tmp);
+}
+
 #endif
 
 static void
+test_crypto_ed25519_encode(void *arg)
+{
+  char buf[ED25519_BASE64_LEN+1];
+  ed25519_keypair_t kp;
+  ed25519_public_key_t pk;
+  char *mem_op_hex_tmp = NULL;
+  (void) arg;
+
+  /* Test roundtrip. */
+  tt_int_op(0, ==, ed25519_keypair_generate(&kp, 0));
+  tt_int_op(0, ==, ed25519_public_to_base64(buf, &kp.pubkey));
+  tt_int_op(ED25519_BASE64_LEN, ==, strlen(buf));
+  tt_int_op(0, ==, ed25519_public_from_base64(&pk, buf));
+  tt_mem_op(kp.pubkey.pubkey, ==, pk.pubkey, ED25519_PUBKEY_LEN);
+
+  /* Test known value. */
+  tt_int_op(0, ==, ed25519_public_from_base64(&pk,
+                             "lVIuIctLjbGZGU5wKMNXxXlSE3cW4kaqkqm04u6pxvM"));
+  test_memeq_hex(pk.pubkey,
+         "95522e21cb4b8db199194e7028c357c57952137716e246aa92a9b4e2eea9c6f3");
+
+ done:
+  tor_free(mem_op_hex_tmp);
+}
+
+static void
+test_crypto_ed25519_convert(void *arg)
+{
+  const uint8_t msg[] =
+    "The eyes are not here / There are no eyes here.";
+  const int N = 30;
+  int i;
+  (void)arg;
+
+  for (i = 0; i < N; ++i) {
+    curve25519_keypair_t curve25519_keypair;
+    ed25519_keypair_t ed25519_keypair;
+    ed25519_public_key_t ed25519_pubkey;
+
+    int bit=0;
+    ed25519_signature_t sig;
+
+    tt_int_op(0,==,curve25519_keypair_generate(&curve25519_keypair, i&1));
+    tt_int_op(0,==,ed25519_keypair_from_curve25519_keypair(
+                              &ed25519_keypair, &bit, &curve25519_keypair));
+    tt_int_op(0,==,ed25519_public_key_from_curve25519_public_key(
+                        &ed25519_pubkey, &curve25519_keypair.pubkey, bit));
+    tt_mem_op(ed25519_pubkey.pubkey, ==, ed25519_keypair.pubkey.pubkey, 32);
+
+    tt_int_op(0,==,ed25519_sign(&sig, msg, sizeof(msg), &ed25519_keypair));
+    tt_int_op(0,==,ed25519_checksig(&sig, msg, sizeof(msg),
+                                    &ed25519_pubkey));
+
+    tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg)-1,
+                                     &ed25519_pubkey));
+    sig.sig[0] ^= 15;
+    tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg),
+                                     &ed25519_pubkey));
+  }
+
+ done:
+  ;
+}
+
+static void
+test_crypto_ed25519_blinding(void *arg)
+{
+  const uint8_t msg[] =
+    "Eyes I dare not meet in dreams / In death's dream kingdom";
+
+  const int N = 30;
+  int i;
+  (void)arg;
+
+  for (i = 0; i < N; ++i) {
+    uint8_t blinding[32];
+    ed25519_keypair_t ed25519_keypair;
+    ed25519_keypair_t ed25519_keypair_blinded;
+    ed25519_public_key_t ed25519_pubkey_blinded;
+
+    ed25519_signature_t sig;
+
+    crypto_rand((char*) blinding, sizeof(blinding));
+
+    tt_int_op(0,==,ed25519_keypair_generate(&ed25519_keypair, 0));
+    tt_int_op(0,==,ed25519_keypair_blind(&ed25519_keypair_blinded,
+                                         &ed25519_keypair, blinding));
+
+    tt_int_op(0,==,ed25519_public_blind(&ed25519_pubkey_blinded,
+                                        &ed25519_keypair.pubkey, blinding));
+
+    tt_mem_op(ed25519_pubkey_blinded.pubkey, ==,
+              ed25519_keypair_blinded.pubkey.pubkey, 32);
+
+    tt_int_op(0,==,ed25519_sign(&sig, msg, sizeof(msg),
+                                &ed25519_keypair_blinded));
+
+    tt_int_op(0,==,ed25519_checksig(&sig, msg, sizeof(msg),
+                                    &ed25519_pubkey_blinded));
+
+    tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg)-1,
+                                     &ed25519_pubkey_blinded));
+    sig.sig[0] ^= 15;
+    tt_int_op(-1,==,ed25519_checksig(&sig, msg, sizeof(msg),
+                                     &ed25519_pubkey_blinded));
+  }
+
+ done:
+  ;
+}
+
+static void
+test_crypto_ed25519_testvectors(void *arg)
+{
+  unsigned i;
+  char *mem_op_hex_tmp = NULL;
+  (void)arg;
+
+  for (i = 0; i < ARRAY_LENGTH(ED25519_SECRET_KEYS); ++i) {
+    uint8_t sk[32];
+    ed25519_secret_key_t esk;
+    ed25519_public_key_t pk, blind_pk, pkfromcurve;
+    ed25519_keypair_t keypair, blind_keypair;
+    curve25519_keypair_t curvekp;
+    uint8_t blinding_param[32];
+    ed25519_signature_t sig;
+    int sign;
+
+#define DECODE(p,s) base16_decode((char*)(p),sizeof(p),(s),strlen(s))
+#define EQ(a,h) test_memeq_hex((const char*)(a), (h))
+
+    tt_int_op(0, ==, DECODE(sk, ED25519_SECRET_KEYS[i]));
+    tt_int_op(0, ==, DECODE(blinding_param, ED25519_BLINDING_PARAMS[i]));
+
+    tt_int_op(0, ==, ed25519_secret_key_from_seed(&esk, sk));
+    EQ(esk.seckey, ED25519_EXPANDED_SECRET_KEYS[i]);
+
+    tt_int_op(0, ==, ed25519_public_key_generate(&pk, &esk));
+    EQ(pk.pubkey, ED25519_PUBLIC_KEYS[i]);
+
+    memcpy(&curvekp.seckey.secret_key, esk.seckey, 32);
+    curve25519_public_key_generate(&curvekp.pubkey, &curvekp.seckey);
+
+    tt_int_op(0, ==,
+          ed25519_keypair_from_curve25519_keypair(&keypair, &sign, &curvekp));
+    tt_int_op(0, ==, ed25519_public_key_from_curve25519_public_key(
+                                        &pkfromcurve, &curvekp.pubkey, sign));
+    tt_mem_op(keypair.pubkey.pubkey, ==, pkfromcurve.pubkey, 32);
+    EQ(curvekp.pubkey.public_key, ED25519_CURVE25519_PUBLIC_KEYS[i]);
+
+    /* Self-signing */
+    memcpy(&keypair.seckey, &esk, sizeof(esk));
+    memcpy(&keypair.pubkey, &pk, sizeof(pk));
+
+    tt_int_op(0, ==, ed25519_sign(&sig, pk.pubkey, 32, &keypair));
+
+    EQ(sig.sig, ED25519_SELF_SIGNATURES[i]);
+
+    /* Blinding */
+    tt_int_op(0, ==,
+            ed25519_keypair_blind(&blind_keypair, &keypair, blinding_param));
+    tt_int_op(0, ==,
+            ed25519_public_blind(&blind_pk, &pk, blinding_param));
+
+    EQ(blind_keypair.seckey.seckey, ED25519_BLINDED_SECRET_KEYS[i]);
+    EQ(blind_pk.pubkey, ED25519_BLINDED_PUBLIC_KEYS[i]);
+
+    tt_mem_op(blind_pk.pubkey, ==, blind_keypair.pubkey.pubkey, 32);
+
+#undef DECODE
+#undef EQ
+  }
+ done:
+  tor_free(mem_op_hex_tmp);
+}
+
+static void
 test_crypto_siphash(void *arg)
 {
   /* From the reference implementation, taking
@@ -1671,6 +2029,12 @@ struct testcase_t crypto_tests[] = {
   { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL },
   { "curve25519_encode", test_crypto_curve25519_encode, 0, NULL, NULL },
   { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL },
+  { "ed25519_simple", test_crypto_ed25519_simple, 0, NULL, NULL },
+  { "ed25519_test_vectors", test_crypto_ed25519_test_vectors, 0, NULL, NULL },
+  { "ed25519_encode", test_crypto_ed25519_encode, 0, NULL, NULL },
+  { "ed25519_convert", test_crypto_ed25519_convert, 0, NULL, NULL },
+  { "ed25519_blinding", test_crypto_ed25519_blinding, 0, NULL, NULL },
+  { "ed25519_testvectors", test_crypto_ed25519_testvectors, 0, NULL, NULL },
 #endif
   { "siphash", test_crypto_siphash, 0, NULL, NULL },
   END_OF_TESTCASES