grpc 1.24.0 → 1.25.0.pre1

data/third_party/boringssl/crypto/evp/p_ed25519_asn1.c

@@ -28,51 +28,107 @@ static void ed25519_free(EVP_PKEY *pkey) {
   pkey->pkey.ptr = NULL;
 }
 
-static int set_pubkey(EVP_PKEY *pkey, const uint8_t pubkey[32]) {
+static int ed25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {
+  if (len != 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   ED25519_KEY *key = OPENSSL_malloc(sizeof(ED25519_KEY));
   if (key == NULL) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
     return 0;
   }
-  key->has_private = 0;
-  OPENSSL_memcpy(key->key.pub.value, pubkey, 32);
+
+  // The RFC 8032 encoding stores only the 32-byte seed, so we must recover the
+  // full representation which we use from it.
+  uint8_t pubkey_unused[32];
+  ED25519_keypair_from_seed(pubkey_unused, key->key.priv, in);
+  key->has_private = 1;
 
   ed25519_free(pkey);
   pkey->pkey.ptr = key;
   return 1;
 }
 
-static int set_privkey(EVP_PKEY *pkey, const uint8_t privkey[64]) {
+static int ed25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {
+  if (len != 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
   ED25519_KEY *key = OPENSSL_malloc(sizeof(ED25519_KEY));
   if (key == NULL) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
     return 0;
   }
-  key->has_private = 1;
-  OPENSSL_memcpy(key->key.priv, privkey, 64);
+
+  OPENSSL_memcpy(key->key.pub.value, in, 32);
+  key->has_private = 0;
 
   ed25519_free(pkey);
   pkey->pkey.ptr = key;
   return 1;
 }
 
+static int ed25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,
+                                size_t *out_len) {
+  const ED25519_KEY *key = pkey->pkey.ptr;
+  if (!key->has_private) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
+    return 0;
+  }
+
+  if (out == NULL) {
+    *out_len = 32;
+    return 1;
+  }
+
+  if (*out_len < 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  // The raw private key format is the first 32 bytes of the private key.
+  OPENSSL_memcpy(out, key->key.priv, 32);
+  *out_len = 32;
+  return 1;
+}
+
+static int ed25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
+                               size_t *out_len) {
+  const ED25519_KEY *key = pkey->pkey.ptr;
+  if (out == NULL) {
+    *out_len = 32;
+    return 1;
+  }
+
+  if (*out_len < 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  OPENSSL_memcpy(out, key->key.pub.value, 32);
+  *out_len = 32;
+  return 1;
+}
+
 static int ed25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
-  // See draft-ietf-curdle-pkix-04, section 4.
+  // See RFC 8410, section 4.
 
   // The parameters must be omitted. Public keys have length 32.
-  if (CBS_len(params) != 0 ||
-      CBS_len(key) != 32) {
+  if (CBS_len(params) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
 
-  return set_pubkey(out, CBS_data(key));
+  return ed25519_set_pub_raw(out, CBS_data(key), CBS_len(key));
 }
 
 static int ed25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {
   const ED25519_KEY *key = pkey->pkey.ptr;
 
-  // See draft-ietf-curdle-pkix-04, section 4.
+  // See RFC 8410, section 4.
   CBB spki, algorithm, oid, key_bitstring;
   if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -96,24 +152,19 @@ static int ed25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
 }
 
 static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
-  // See draft-ietf-curdle-pkix-04, section 7.
+  // See RFC 8410, section 7.
 
   // Parameters must be empty. The key is a 32-byte value wrapped in an extra
   // OCTET STRING layer.
   CBS inner;
   if (CBS_len(params) != 0 ||
       !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(key) != 0 ||
-      CBS_len(&inner) != 32) {
+      CBS_len(key) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     return 0;
   }
 
-  // The PKCS#8 encoding stores only the 32-byte seed, so we must recover the
-  // full representation which we use from it.
-  uint8_t pubkey[32], privkey[64];
-  ED25519_keypair_from_seed(pubkey, privkey, CBS_data(&inner));
-  return set_privkey(out, privkey);
+  return ed25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner));
 }
 
 static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {
@@ -123,7 +174,7 @@ static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {
     return 0;
   }
 
-  // See draft-ietf-curdle-pkix-04, section 7.
+  // See RFC 8410, section 7.
   CBB pkcs8, algorithm, oid, private_key, inner;
   if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
       !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -145,7 +196,7 @@ static int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {
 
 static int ed25519_size(const EVP_PKEY *pkey) { return 64; }
 
-static int ed25519_bits(const EVP_PKEY *pkey) { return 256; }
+static int ed25519_bits(const EVP_PKEY *pkey) { return 253; }
 
 const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     EVP_PKEY_ED25519,
@@ -156,6 +207,10 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     ed25519_pub_cmp,
     ed25519_priv_decode,
     ed25519_priv_encode,
+    ed25519_set_priv_raw,
+    ed25519_set_pub_raw,
+    ed25519_get_priv_raw,
+    ed25519_get_pub_raw,
     NULL /* pkey_opaque */,
     ed25519_size,
     ed25519_bits,
@@ -164,27 +219,3 @@ const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {
     NULL /* param_cmp */,
     ed25519_free,
 };
-
-EVP_PKEY *EVP_PKEY_new_ed25519_public(const uint8_t public_key[32]) {
-  EVP_PKEY *ret = EVP_PKEY_new();
-  if (ret == NULL ||
-      !EVP_PKEY_set_type(ret, EVP_PKEY_ED25519) ||
-      !set_pubkey(ret, public_key)) {
-    EVP_PKEY_free(ret);
-    return NULL;
-  }
-
-  return ret;
-}
-
-EVP_PKEY *EVP_PKEY_new_ed25519_private(const uint8_t private_key[64]) {
-  EVP_PKEY *ret = EVP_PKEY_new();
-  if (ret == NULL ||
-      !EVP_PKEY_set_type(ret, EVP_PKEY_ED25519) ||
-      !set_privkey(ret, private_key)) {
-    EVP_PKEY_free(ret);
-    return NULL;
-  }
-
-  return ret;
-}

data/third_party/boringssl/crypto/evp/p_rsa.c

@@ -132,6 +132,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
   dctx->pad_mode = sctx->pad_mode;
   dctx->md = sctx->md;
   dctx->mgf1md = sctx->mgf1md;
+  dctx->saltlen = sctx->saltlen;
   if (sctx->oaep_label) {
     OPENSSL_free(dctx->oaep_label);
     dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
@@ -553,7 +554,8 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
     pkey_rsa_verify_recover,
     pkey_rsa_encrypt,
     pkey_rsa_decrypt,
-    0 /* derive */,
+    NULL /* derive */,
+    NULL /* paramgen */,
     pkey_rsa_ctrl,
 };
 

data/third_party/boringssl/crypto/evp/p_rsa_asn1.c

@@ -178,6 +178,11 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
   rsa_priv_decode,
   rsa_priv_encode,
 
+  NULL /* set_priv_raw */,
+  NULL /* set_pub_raw */,
+  NULL /* get_priv_raw */,
+  NULL /* get_pub_raw */,
+
   rsa_opaque,
 
   int_rsa_size,

data/third_party/boringssl/crypto/evp/p_x25519.c

@@ -0,0 +1,110 @@
+/* Copyright (c) 2019, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/evp.h>
+
+#include <openssl/curve25519.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+
+
+// X25519 has no parameters to copy.
+static int pkey_x25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }
+
+static int pkey_x25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
+  X25519_KEY *key = OPENSSL_malloc(sizeof(X25519_KEY));
+  if (key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  if (!EVP_PKEY_set_type(pkey, EVP_PKEY_X25519)) {
+    OPENSSL_free(key);
+    return 0;
+  }
+
+  X25519_keypair(key->pub, key->priv);
+  key->has_private = 1;
+
+  OPENSSL_free(pkey->pkey.ptr);
+  pkey->pkey.ptr = key;
+  return 1;
+}
+
+static int pkey_x25519_derive(EVP_PKEY_CTX *ctx, uint8_t *out,
+                              size_t *out_len) {
+  if (ctx->pkey == NULL || ctx->peerkey == NULL) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);
+    return 0;
+  }
+
+  const X25519_KEY *our_key = ctx->pkey->pkey.ptr;
+  const X25519_KEY *peer_key = ctx->peerkey->pkey.ptr;
+  if (our_key == NULL || peer_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);
+    return 0;
+  }
+
+  if (!our_key->has_private) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
+    return 0;
+  }
+
+  if (out != NULL) {
+    if (*out_len < 32) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
+      return 0;
+    }
+    if (!X25519(out, our_key->priv, peer_key->pub)) {
+      OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+      return 0;
+    }
+  }
+
+  *out_len = 32;
+  return 1;
+}
+
+static int pkey_x25519_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
+  switch (type) {
+    case EVP_PKEY_CTRL_PEER_KEY:
+      // |EVP_PKEY_derive_set_peer| requires the key implement this command,
+      // even if it is a no-op.
+      return 1;
+
+    default:
+      OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+      return 0;
+  }
+}
+
+const EVP_PKEY_METHOD x25519_pkey_meth = {
+    EVP_PKEY_X25519,
+    NULL /* init */,
+    pkey_x25519_copy,
+    NULL /* cleanup */,
+    pkey_x25519_keygen,
+    NULL /* sign */,
+    NULL /* sign_message */,
+    NULL /* verify */,
+    NULL /* verify_message */,
+    NULL /* verify_recover */,
+    NULL /* encrypt */,
+    NULL /* decrypt */,
+    pkey_x25519_derive,
+    NULL /* paramgen */,
+    pkey_x25519_ctrl,
+};

data/third_party/boringssl/crypto/evp/p_x25519_asn1.c

@@ -0,0 +1,249 @@
+/* Copyright (c) 2019, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/evp.h>
+
+#include <openssl/buf.h>
+#include <openssl/bytestring.h>
+#include <openssl/curve25519.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../internal.h"
+
+
+static void x25519_free(EVP_PKEY *pkey) {
+  OPENSSL_free(pkey->pkey.ptr);
+  pkey->pkey.ptr = NULL;
+}
+
+static int x25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {
+  if (len != 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  X25519_KEY *key = OPENSSL_malloc(sizeof(X25519_KEY));
+  if (key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  OPENSSL_memcpy(key->priv, in, 32);
+  X25519_public_from_private(key->pub, key->priv);
+  key->has_private = 1;
+
+  x25519_free(pkey);
+  pkey->pkey.ptr = key;
+  return 1;
+}
+
+static int x25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {
+  if (len != 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  X25519_KEY *key = OPENSSL_malloc(sizeof(X25519_KEY));
+  if (key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  OPENSSL_memcpy(key->pub, in, 32);
+  key->has_private = 0;
+
+  x25519_free(pkey);
+  pkey->pkey.ptr = key;
+  return 1;
+}
+
+static int x25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,
+                                size_t *out_len) {
+  const X25519_KEY *key = pkey->pkey.ptr;
+  if (!key->has_private) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
+    return 0;
+  }
+
+  if (out == NULL) {
+    *out_len = 32;
+    return 1;
+  }
+
+  if (*out_len < 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  OPENSSL_memcpy(out, key->priv, 32);
+  *out_len = 32;
+  return 1;
+}
+
+static int x25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,
+                               size_t *out_len) {
+  const X25519_KEY *key = pkey->pkey.ptr;
+  if (out == NULL) {
+    *out_len = 32;
+    return 1;
+  }
+
+  if (*out_len < 32) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  OPENSSL_memcpy(out, key->pub, 32);
+  *out_len = 32;
+  return 1;
+}
+
+static int x25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
+  // See RFC 8410, section 4.
+
+  // The parameters must be omitted. Public keys have length 32.
+  if (CBS_len(params) != 0) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  return x25519_set_pub_raw(out, CBS_data(key), CBS_len(key));
+}
+
+static int x25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {
+  const X25519_KEY *key = pkey->pkey.ptr;
+
+  // See RFC 8410, section 4.
+  CBB spki, algorithm, oid, key_bitstring;
+  if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&oid, x25519_asn1_meth.oid, x25519_asn1_meth.oid_len) ||
+      !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||
+      !CBB_add_u8(&key_bitstring, 0 /* padding */) ||
+      !CBB_add_bytes(&key_bitstring, key->pub, 32) ||
+      !CBB_flush(out)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
+    return 0;
+  }
+
+  return 1;
+}
+
+static int x25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
+  const X25519_KEY *a_key = a->pkey.ptr;
+  const X25519_KEY *b_key = b->pkey.ptr;
+  return OPENSSL_memcmp(a_key->pub, b_key->pub, 32) == 0;
+}
+
+static int x25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
+  // See RFC 8410, section 7.
+
+  // Parameters must be empty. The key is a 32-byte value wrapped in an extra
+  // OCTET STRING layer.
+  CBS inner;
+  if (CBS_len(params) != 0 ||
+      !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) ||
+      CBS_len(key) != 0) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+    return 0;
+  }
+
+  return x25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner));
+}
+
+static int x25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {
+  X25519_KEY *key = pkey->pkey.ptr;
+  if (!key->has_private) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
+    return 0;
+  }
+
+  // See RFC 8410, section 7.
+  CBB pkcs8, algorithm, oid, private_key, inner;
+  if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
+      !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||
+      !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
+      !CBB_add_bytes(&oid, x25519_asn1_meth.oid, x25519_asn1_meth.oid_len) ||
+      !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||
+      !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) ||
+      // The PKCS#8 encoding stores only the 32-byte seed which is the first 32
+      // bytes of the private key.
+      !CBB_add_bytes(&inner, key->priv, 32) ||
+      !CBB_flush(out)) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
+    return 0;
+  }
+
+  return 1;
+}
+
+static int x25519_size(const EVP_PKEY *pkey) { return 32; }
+
+static int x25519_bits(const EVP_PKEY *pkey) { return 253; }
+
+const EVP_PKEY_ASN1_METHOD x25519_asn1_meth = {
+    EVP_PKEY_X25519,
+    {0x2b, 0x65, 0x6e},
+    3,
+    x25519_pub_decode,
+    x25519_pub_encode,
+    x25519_pub_cmp,
+    x25519_priv_decode,
+    x25519_priv_encode,
+    x25519_set_priv_raw,
+    x25519_set_pub_raw,
+    x25519_get_priv_raw,
+    x25519_get_pub_raw,
+    NULL /* pkey_opaque */,
+    x25519_size,
+    x25519_bits,
+    NULL /* param_missing */,
+    NULL /* param_copy */,
+    NULL /* param_cmp */,
+    x25519_free,
+};
+
+int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in,
+                                   size_t len) {
+  // TODO(davidben): In OpenSSL, this function also works for |EVP_PKEY_EC|
+  // keys. Add support if it ever comes up.
+  if (pkey->type != EVP_PKEY_X25519) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+    return 0;
+  }
+
+  return x25519_set_pub_raw(pkey, in, len);
+}
+
+size_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey, uint8_t **out_ptr) {
+  // TODO(davidben): In OpenSSL, this function also works for |EVP_PKEY_EC|
+  // keys. Add support if it ever comes up.
+  if (pkey->type != EVP_PKEY_X25519) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+    return 0;
+  }
+
+  const X25519_KEY *key = pkey->pkey.ptr;
+  if (key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);
+    return 0;
+  }
+
+  *out_ptr = BUF_memdup(key->pub, 32);
+  return *out_ptr == NULL ? 0 : 32;
+}