From 5808b830924b137d6332314edb2f654da7702f2b Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Tue, 31 Oct 2017 16:07:01 +0100
Subject: [PATCH] ed25519_open(): reject all small order public keys and non-canonical representations
---
 src/libsodium/crypto_sign/ed25519/ref10/open.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index 0e9543f6..d66f73a9 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -21,7 +21,6 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
 unsigned char h[64];
 unsigned char rcheck[32];
 unsigned int i;
- unsigned char d = 0;
 ge_p3 A;
 ge_p2 R;
@@ -34,13 +33,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
 return -1;
 }
 #endif
- if (ge_frombytes_negate_vartime(&A, pk) != 0) {
- return -1;
- }
- for (i = 0; i < 32; ++i) {
- d |= pk[i];
- }
- if (d == 0) {
+ if (ge_is_canonical(pk) == 0 || ge_has_small_order(pk) != 0 ||
+ ge_frombytes_negate_vartime(&A, pk) != 0) {
 return -1;
 }
 _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
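Review bot: The combined condition added in the second hunk rejects a public key on three separate grounds but has no comment saying why, and it replaces the explicit all-zero loop, so a reader cannot tell that case is still covered. I would put `/* pk must be canonical and not of small order (this includes the all-zero key); a small-order key lets one signature verify for many messages */` above it; the parenthetical holds only if `ge_has_small_order()` matches the all-zero encoding, which is not visible here. The check sits after the `#endif`, so it presumably also applies in builds that take the other preprocessor branch, and keys that verified before will now fail, which is worth confirming as intended. With the loop gone, `unsigned int i;` (kept as context in the first hunk) may now be unused; the rest of `_crypto_sign_ed25519_verify_detached` lies outside both hunks.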