Force clear the high bit in _noclamp variants
_noclamp variants should always be used with a scalar < L, but if this is not the case, at least explicitly ignore the high bit.
parent
c2a98a170f
commit
59f55cd420
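--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -24,7 +24,6 @@ static inline void
 _crypto_scalarmult_ed25519_clamp(unsigned char k[32])
 {
 k[0] &= 248;
-k[31] &= 127;
 k[31] |= 64;
 }
 
@@ -47,6 +46,8 @@ _crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
 if (clamp != 0) {
 _crypto_scalarmult_ed25519_clamp(t);
 }
+t[31] &= 127;
+
 ge25519_scalarmult(&Q, t, &P);
 ge25519_p3_tobytes(q, &Q);
 if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
@@ -83,6 +84,8 @@ _crypto_scalarmult_ed25519_base(unsigned char *q,
 if (clamp != 0) {
 _crypto_scalarmult_ed25519_clamp(t);
 }
+t[31] &= 127;
+
 ge25519_scalarmult_base(&Q, t);
 ge25519_p3_tobytes(q, &Q);
 if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {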
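Review bot: The new `t[31] &= 127;` line in the second and third hunks has no comment saying why the top bit is cleared unconditionally, and since the same mask was just removed from `_crypto_scalarmult_ed25519_clamp` in the first hunk, a reader will likely take it for a relocated piece of the clamp rather than a deliberate guard for the no-clamp path; the commit message is currently the only place that records the intent. I would add above each occurrence: `/* a scalar < L always has bit 255 clear; clear it explicitly so that an unreduced scalar handed to the _noclamp variants still has the top bit the point multiplication presumably expects to be zero */`. The comment should also say that the mask only bounds the scalar below 2^255 and does not reduce it modulo L, so the < L requirement on callers of the _noclamp variants still stands. For the clamped path the result is unchanged, because `(k | 64) & 127` equals `(k & 127) | 64`, which is worth a short remark as well. The enclosing functions `_crypto_scalarmult_ed25519` and `_crypto_scalarmult_ed25519_base` both start and end outside the hunks.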