From 59bd82edab3b118caf871ec59ac7a5c6ff5dcdb4 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 24 Dec 2018 17:26:38 +0100
Subject: [PATCH] Add a crypto_core_ed25519_NONREDUCEDSCALARBYTES constant and reject 0 in crypto_core_ed25519_random()
---
 src/libsodium/crypto_core/ed25519/core_ed25519.c | 14 +++++++++++---
 src/libsodium/include/sodium/crypto_core_ed25519.h | 4 ++++
 test/default/core_ed25519.c | 4 +++-
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/src/libsodium/crypto_core/ed25519/core_ed25519.c b/src/libsodium/crypto_core/ed25519/core_ed25519.c
index e9fce5bb..666f0fc0 100644
--- a/src/libsodium/crypto_core/ed25519/core_ed25519.c
+++ b/src/libsodium/crypto_core/ed25519/core_ed25519.c
@@ -74,7 +74,8 @@ crypto_core_ed25519_scalar_random(unsigned char *r)
 do {
 randombytes_buf(r, crypto_core_ed25519_SCALARBYTES);
 r[crypto_core_ed25519_SCALARBYTES - 1] &= 0x1f;
- } while (sc25519_is_canonical(r) == 0);
+ } while (sc25519_is_canonical(r) == 0 ||
+ sodium_is_zero(r, crypto_core_ed25519_SCALARBYTES));
 }
 
 int
@@ -86,9 +87,10 @@ crypto_core_ed25519_scalar_invert(unsigned char *recip, const unsigned char *s)
 }
 
 void
-crypto_core_ed25519_scalar_reduce(unsigned char *r, const unsigned char s[64])
+crypto_core_ed25519_scalar_reduce(unsigned char *r,
+ const unsigned char s[crypto_core_ed25519_NONREDUCEDSCALARBYTES])
 {
- unsigned char t[64];
+ unsigned char t[crypto_core_ed25519_NONREDUCEDSCALARBYTES];
 
 memcpy(t, s, sizeof t);
 sc25519_reduce(t);
@@ -102,6 +104,12 @@ crypto_core_ed25519_bytes(void)
 return crypto_core_ed25519_BYTES;
 }
 
+size_t
+crypto_core_ed25519_nonreducedscalarbytes(void)
+{
+ return crypto_core_ed25519_NONREDUCEDSCALARBYTES;
+}
+
 size_t
 crypto_core_ed25519_uniformbytes(void)
 {
diff --git a/src/libsodium/include/sodium/crypto_core_ed25519.h b/src/libsodium/include/sodium/crypto_core_ed25519.h
index 7e731b74..9513f58b 100644
--- a/src/libsodium/include/sodium/crypto_core_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_core_ed25519.h
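Review bot: The non-zero guarantee that the added `sodium_is_zero()` test gives crypto_core_ed25519_scalar_random() lives only in this loop condition; nothing a caller reads states it, so the prototype in crypto_core_ed25519.h (not part of the header hunk in this patch) deserves a line such as `/* r receives a uniformly random canonical scalar; the value 0 is never returned */`. Presumably zero is rejected so that a caller multiplying a point by the result can never obtain the identity; since that value has probability about 2^-252 among canonical scalars, the retry changes uniformity negligibly and the branch cannot realistically be exercised by a test, which makes the written contract the only thing that pins the behaviour. sodium_is_zero() is constant-time, so the extra check adds no secret-dependent timing path beyond the existing canonicality retry. crypto_core_ed25519_scalar_random() begins before this hunk.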
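Review bot: The bound in `const unsigned char s[crypto_core_ed25519_NONREDUCEDSCALARBYTES]` documents intent but enforces nothing — an array parameter decays to a pointer, so crypto_core_ed25519_scalar_reduce() still trusts the caller to supply 64 readable bytes — and the matching prototype in crypto_core_ed25519.h is not touched by this patch; if it still reads `s[64]`, it should be changed to the same constant so the header and this definition name one symbol (the header hunk further down adds only the constant and the `nonreducedscalarbytes()` getter, which needs no further change). A short comment above the definition would make the contract explicit, e.g. `/* r = s mod L; s is crypto_core_ed25519_NONREDUCEDSCALARBYTES bytes and is left untouched */` — the "mod L" part assumes sc25519_reduce() reduces modulo the group order, which I take from its name and should be confirmed. Sizing `t` by the constant and copying `sizeof t` bytes keeps the copy length and the declared input size in lockstep, which is the right way to avoid a silent mismatch if the constant ever changes.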
@@ -20,6 +20,10 @@ size_t crypto_core_ed25519_uniformbytes(void);
 SODIUM_EXPORT
 size_t crypto_core_ed25519_scalarbytes(void);
 
+#define crypto_core_ed25519_NONREDUCEDSCALARBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ed25519_nonreducedscalarbytes(void);
+
 SODIUM_EXPORT
 int crypto_core_ed25519_is_valid_point(const unsigned char *p)
 __attribute__ ((nonnull));
diff --git a/test/default/core_ed25519.c b/test/default/core_ed25519.c
index f031e364..cbebeadb 100644
--- a/test/default/core_ed25519.c
+++ b/test/default/core_ed25519.c
@@ -30,7 +30,7 @@ add_P(unsigned char * const S)
 static void
 add_l64(unsigned char * const S)
 {
- static const unsigned char l[64] =
+ static const unsigned char l[crypto_core_ed25519_NONREDUCEDSCALARBYTES] =
 { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -182,6 +182,8 @@ main(void)
 assert(crypto_core_ed25519_BYTES == crypto_core_ed25519_bytes());
 assert(crypto_core_ed25519_SCALARBYTES == crypto_core_ed25519_scalarbytes());
+ assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES == crypto_core_ed25519_nonreducedscalarbytes());
+ assert(crypto_core_ed25519_NONREDUCEDSCALARBYTES >= crypto_core_ed25519_SCALARBYTES);
 assert(crypto_core_ed25519_UNIFORMBYTES == crypto_core_ed25519_uniformbytes());
 assert(crypto_core_ed25519_UNIFORMBYTES >= crypto_core_ed25519_BYTES);
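Review bot: `#define crypto_core_ed25519_NONREDUCEDSCALARBYTES 64` is added without a comment saying what it sizes or why it is twice crypto_core_ed25519_SCALARBYTES; a one-line comment naming its consumer would help, e.g. `/* length of the non-reduced (512-bit) scalar accepted by crypto_core_ed25519_scalar_reduce() */`. The new `crypto_core_ed25519_nonreducedscalarbytes()` declaration follows the same `SODIUM_EXPORT size_t ...bytes(void)` form as the adjacent crypto_core_ed25519_scalarbytes(), so language bindings can query this size at run time exactly as they do the others, which is the consistent choice.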