1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-23 20:15:19 -07:00

Force clear the high bit in _noclamp variants

_noclamp variants should always be used with a scalar < L, but
if this is not the case, at least explicitly ignore the high bit.
This commit is contained in:
Frank Denis 2019-01-14 04:02:48 +01:00
parent 3946784883
commit b3725dc2c9

View File

@ -24,7 +24,6 @@ static inline void
_crypto_scalarmult_ed25519_clamp(unsigned char k[32]) _crypto_scalarmult_ed25519_clamp(unsigned char k[32])
{ {
k[0] &= 248; k[0] &= 248;
k[31] &= 127;
k[31] |= 64; k[31] |= 64;
} }
@ -47,6 +46,8 @@ _crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
if (clamp != 0) { if (clamp != 0) {
_crypto_scalarmult_ed25519_clamp(t); _crypto_scalarmult_ed25519_clamp(t);
} }
t[31] &= 127;
ge25519_scalarmult(&Q, t, &P); ge25519_scalarmult(&Q, t, &P);
ge25519_p3_tobytes(q, &Q); ge25519_p3_tobytes(q, &Q);
if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) { if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {
@ -83,6 +84,8 @@ _crypto_scalarmult_ed25519_base(unsigned char *q,
if (clamp != 0) { if (clamp != 0) {
_crypto_scalarmult_ed25519_clamp(t); _crypto_scalarmult_ed25519_clamp(t);
} }
t[31] &= 127;
ge25519_scalarmult_base(&Q, t); ge25519_scalarmult_base(&Q, t);
ge25519_p3_tobytes(q, &Q); ge25519_p3_tobytes(q, &Q);
if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) { if (_crypto_scalarmult_ed25519_is_inf(q) != 0 || sodium_is_zero(n, 32)) {