mirror of
https://github.com/jedisct1/libsodium.git
synced 2024-12-19 18:15:18 -07:00
Ed25519: verify 0<=s<2^252+27742317777372353535851937790883648493
This reintroduces removed code to match the irtf-cfrg-eddsa draft ED25519_COMPAT can be defined to keep the old behavior
This commit is contained in:
parent
845e3e7cff
commit
62911edb7f
@ -9,6 +9,29 @@
|
||||
#include "utils.h"
|
||||
#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h"
|
||||
|
||||
#ifndef ED25519_COMPAT
|
||||
static int
|
||||
crypto_sign_check_S_lt_l(const unsigned char *S)
|
||||
{
|
||||
static const unsigned char l[32] =
|
||||
{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
|
||||
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
|
||||
unsigned char c = 0;
|
||||
unsigned char n = 1;
|
||||
unsigned int i = 32;
|
||||
|
||||
do {
|
||||
i--;
|
||||
c |= ((S[i] - l[i]) >> 8) & n;
|
||||
n &= ((S[i] ^ l[i]) - 1) >> 8;
|
||||
} while (i != 0);
|
||||
|
||||
return -(c == 0);
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
crypto_sign_ed25519_verify_detached(const unsigned char *sig,
|
||||
const unsigned char *m,
|
||||
@ -23,9 +46,15 @@ crypto_sign_ed25519_verify_detached(const unsigned char *sig,
|
||||
ge_p3 A;
|
||||
ge_p2 R;
|
||||
|
||||
#ifndef ED25519_COMPAT
|
||||
if (crypto_sign_check_S_lt_l(sig + 32) != 0) {
|
||||
return -1;
|
||||
}
|
||||
#else
|
||||
if (sig[63] & 224) {
|
||||
return -1;
|
||||
}
|
||||
#endif
|
||||
if (ge_frombytes_negate_vartime(&A, pk) != 0) {
|
||||
return -1;
|
||||
}
|
||||
|
@ -1101,10 +1101,17 @@ int main(void)
|
||||
continue;
|
||||
}
|
||||
add_l(sm + 32);
|
||||
#ifndef ED25519_COMPAT
|
||||
if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != -1) {
|
||||
printf("crypto_sign_open(): signature [%u] is malleable\n", i);
|
||||
continue;
|
||||
}
|
||||
#else
|
||||
if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != 0) {
|
||||
printf("crypto_sign_open(): signature [%u] is not malleable\n", i);
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
if (memcmp(test_data[i].m, m, (size_t)mlen) != 0) {
|
||||
printf("message verification failure: [%u]\n", i);
|
||||
continue;
|
||||
|
Loading…
Reference in New Issue
Block a user