cheng/libsodium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ed25519: un-static the check for low-order points

Browse Source
This commit is contained in:
Frank Denis 2017-07-23 13:15:50 +02:00
parent b57f9668fc
commit 571915ea2c
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h
View File

@ -15,4 +15,7 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
unsigned long long mlen,
const unsigned char *pk,
int prehashed);
int _crypto_sign_ed25519_small_order(const unsigned char p[32]);
#endif

9
src/libsodium/crypto_sign/ed25519/ref10/open.c
View File

@ -33,8 +33,8 @@ crypto_sign_check_S_lt_L(const unsigned char *S)
return -(c == 0);
}
static int
small_order(const unsigned char R[32])
int
_crypto_sign_ed25519_small_order(const unsigned char p[32])
{
CRYPTO_ALIGN(16)
static const unsigned char blacklist[][32] = {
@ -97,7 +97,7 @@ small_order(const unsigned char R[32])
for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
c = 0;
for (j = 0; j < 32; j++) {
c |= R[j] ^ blacklist[i][j];
c |= p[j] ^ blacklist[i][j];
}
if (c == 0) {
return 1;
@ -123,7 +123,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
ge_p2 R;
#ifndef ED25519_COMPAT
if (crypto_sign_check_S_lt_L(sig + 32) != 0 || small_order(sig) != 0) {
if (crypto_sign_check_S_lt_L(sig + 32) != 0 ||
_crypto_sign_ed25519_small_order(sig) != 0) {
return -1;
}
#else