1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-19 18:15:18 -07:00

Ed25519 synthetic nonces: pad to 128 bytes boundaries, not 16.

Spotted by Trevor Perrin. Good catch, thanks!
This commit is contained in:
Frank Denis 2017-11-04 09:53:44 +01:00
parent e52ab67322
commit 9f71f5aade

View File

@ -45,16 +45,16 @@ _crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
};
static const unsigned char zeros[16] = { 0x00 };
static const unsigned char zeros[128] = { 0x00 };
static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
crypto_hash_sha512_update(hs, B, 32);
crypto_hash_sha512_update(hs, empty_labelset, 3);
randombytes_buf(Z, 32);
crypto_hash_sha512_update(hs, Z, 32);
crypto_hash_sha512_update(hs, zeros, 16 - (32 + 3 + 32) % 16);
crypto_hash_sha512_update(hs, zeros, 128 - (32 + 3 + 32) % 128);
crypto_hash_sha512_update(hs, sk, 32);
/* empty pad2 */
crypto_hash_sha512_update(hs, zeros, 128 - 32 % 128);
crypto_hash_sha512_update(hs, empty_labelset, 3);
crypto_hash_sha512_update(hs, sk + 32, 32);
/* empty extra */