ed25519: un-static the check for low-order points

2017-07-23 13:15:50 +02:00 · 2017-07-23 13:15:50 +02:00 · 571915ea2c
commit 571915ea2c
parent b57f9668fc
2 changed files with 8 additions and 4 deletions
--- a/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h
+++ b/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h
@ -15,4 +15,7 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                         unsigned long long   mlen,
                                         const unsigned char *pk,
                                         int prehashed);
+
+int _crypto_sign_ed25519_small_order(const unsigned char p[32]);
+
 #endif
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@ -33,8 +33,8 @@ crypto_sign_check_S_lt_L(const unsigned char *S)
    return -(c == 0);
 }

-static int
-small_order(const unsigned char R[32])
+int
+_crypto_sign_ed25519_small_order(const unsigned char p[32])
 {
    CRYPTO_ALIGN(16)
    static const unsigned char blacklist[][32] = {
@ -97,7 +97,7 @@ small_order(const unsigned char R[32])
    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
        c = 0;
        for (j = 0; j < 32; j++) {
-            c |= R[j] ^ blacklist[i][j];
+            c |= p[j] ^ blacklist[i][j];
        }
        if (c == 0) {
            return 1;
@ -123,7 +123,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
    ge_p2                    R;

 #ifndef ED25519_COMPAT
-    if (crypto_sign_check_S_lt_L(sig + 32) != 0 || small_order(sig) != 0) {
+    if (crypto_sign_check_S_lt_L(sig + 32) != 0 ||
+        _crypto_sign_ed25519_small_order(sig) != 0) {
        return -1;
    }
 #else