ed25519_open(): reject all small order public keys and non-canonical representations

2017-10-31 16:07:01 +01:00 · 2017-10-31 16:07:01 +01:00 · 5808b83092
commit 5808b83092
parent ce56bb596f
1 changed files with 2 additions and 8 deletions
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@ -21,7 +21,6 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
    unsigned char            h[64];
    unsigned char            rcheck[32];
    unsigned int             i;
-    unsigned char            d = 0;
    ge_p3                    A;
    ge_p2                    R;

@ -34,13 +33,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
        return -1;
    }
 #endif
-    if (ge_frombytes_negate_vartime(&A, pk) != 0) {
-        return -1;
-    }
-    for (i = 0; i < 32; ++i) {
-        d |= pk[i];
-    }
-    if (d == 0) {
+    if (ge_is_canonical(pk) == 0 || ge_has_small_order(pk) != 0 ||
+        ge_frombytes_negate_vartime(&A, pk) != 0) {
        return -1;
    }
    _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);