1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-19 18:15:18 -07:00

Ed25519: verify 0<=s<2^252+27742317777372353535851937790883648493

This reintroduces removed code to match the irtf-cfrg-eddsa draft

ED25519_COMPAT can be defined to keep the old behavior
This commit is contained in:
Frank Denis 2016-03-08 20:32:05 +01:00
parent 845e3e7cff
commit 62911edb7f
2 changed files with 36 additions and 0 deletions

View File

@ -9,6 +9,29 @@
#include "utils.h"
#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h"
#ifndef ED25519_COMPAT
static int
crypto_sign_check_S_lt_l(const unsigned char *S)
{
static const unsigned char l[32] =
{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
unsigned char c = 0;
unsigned char n = 1;
unsigned int i = 32;
do {
i--;
c |= ((S[i] - l[i]) >> 8) & n;
n &= ((S[i] ^ l[i]) - 1) >> 8;
} while (i != 0);
return -(c == 0);
}
#endif
int
crypto_sign_ed25519_verify_detached(const unsigned char *sig,
const unsigned char *m,
@ -23,9 +46,15 @@ crypto_sign_ed25519_verify_detached(const unsigned char *sig,
ge_p3 A;
ge_p2 R;
#ifndef ED25519_COMPAT
if (crypto_sign_check_S_lt_l(sig + 32) != 0) {
return -1;
}
#else
if (sig[63] & 224) {
return -1;
}
#endif
if (ge_frombytes_negate_vartime(&A, pk) != 0) {
return -1;
}

View File

@ -1101,10 +1101,17 @@ int main(void)
continue;
}
add_l(sm + 32);
#ifndef ED25519_COMPAT
if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != -1) {
printf("crypto_sign_open(): signature [%u] is malleable\n", i);
continue;
}
#else
if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != 0) {
printf("crypto_sign_open(): signature [%u] is not malleable\n", i);
continue;
}
#endif
if (memcmp(test_data[i].m, m, (size_t)mlen) != 0) {
printf("message verification failure: [%u]\n", i);
continue;