signify contains some substantial duplication of existing libc code, picked up via nacl. we can provide a thin api wrapper around our own code to make it smaller.
this only affects signify for now, not ssh.
Index: Makefile
===================================================================
RCS file: /cvs/src/usr.bin/signify/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- Makefile 31 Dec 2013 03:03:32 -0000 1.1
+++ Makefile 30 Dec 2013 20:44:39 -0000
@@ -5,7 +5,7 @@ CPPFLAGS += -I${.CURDIR}/../ssh
 SRCS= signify.c
 SRCS+= ed25519.c fe25519.c ge25519.c sc25519.c smult_curve25519_ref.c
-SRCS+= blocks.c hash.c verify.c
+SRCS+= crypto_api.c
 PROG= signify
Index: crypto_api.c
===================================================================
RCS file: crypto_api.c
diff -N crypto_api.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ crypto_api.c 30 Dec 2013 20:45:31 -0000
@@ -0,0 +1,26 @@
+/*
+ * Public domain. Author: Ted Unangst <t...@openbsd.org>
+ * API compatible reimplementation of functions from nacl
+ */
+#include <sys/types.h>
+
+#include <string.h>
+#include <sha2.h>
+
+int
+crypto_hash_sha512(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen)
+{
+ SHA2_CTX ctx;
+
+ SHA512Init(&ctx);
+ SHA512Update(&ctx, in, inlen);
+ SHA512Final(out, &ctx);
+ return 0;
+}
+
+int
+crypto_verify_32(const unsigned char *x, const unsigned char *y)
+{
+ return timingsafe_bcmp(x, y, 32) ? -1 : 0;
+}
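Review bot: In `crypto_hash_sha512` (new crypto_api.c), `inlen` is an `unsigned long long` but is passed straight to `SHA512Update`, whose length parameter is `size_t` in OpenBSD's `<sha2.h>`, so on a 32-bit platform a larger value would be narrowed silently and only a prefix of the input hashed. An in-memory buffer is unlikely to reach that size, but because this digest feeds signature verification I would make the limit explicit with `if (inlen > SIZE_MAX) return -1;` before `SHA512Init` (adding `<stdint.h>`), or at least state the assumption in a comment. Note that the function otherwise always returns 0, so callers that ignore the result would need checking. Separately, the file does not include whichever header declares these two prototypes to the ed25519 sources, so the "API compatible" signatures are not verified by the compiler; including it here would catch drift. A one-line comment on `crypto_verify_32` recording that it returns 0 on equality and -1 otherwise, and that `timingsafe_bcmp` is what keeps the comparison constant-time, would stop a later cleanup from swapping in `memcmp`.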