Ed25519: verify 0<=s<2^252+27742317777372353535851937790883648493

This reintroduces removed code to match the irtf-cfrg-eddsa draft ED25519_COMPAT can be defined to keep the old behavior
2016-03-08 20:32:05 +01:00 · 2016-03-08 20:32:05 +01:00 · 62911edb7f
commit 62911edb7f
parent 845e3e7cff
2 changed files with 36 additions and 0 deletions
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@ -9,6 +9,29 @@
 #include "utils.h"
 #include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h"

+#ifndef ED25519_COMPAT
+static int
+crypto_sign_check_S_lt_l(const unsigned char *S)
+{
+    static const unsigned char l[32] =
+      { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+        0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };
+    unsigned char c = 0;
+    unsigned char n = 1;
+    unsigned int  i = 32;
+
+    do {
+        i--;
+        c |= ((S[i] - l[i]) >> 8) & n;
+        n &= ((S[i] ^ l[i]) - 1) >> 8;
+    } while (i != 0);
+
+    return -(c == 0);
+}
+#endif
+
 int
 crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                    const unsigned char *m,
@ -23,9 +46,15 @@ crypto_sign_ed25519_verify_detached(const unsigned char *sig,
    ge_p3 A;
    ge_p2 R;

+#ifndef ED25519_COMPAT
+    if (crypto_sign_check_S_lt_l(sig + 32) != 0) {
+        return -1;
+    }
+#else
    if (sig[63] & 224) {
        return -1;
    }
+#endif
    if (ge_frombytes_negate_vartime(&A, pk) != 0) {
        return -1;
    }
--- a/test/default/sign.c
+++ b/test/default/sign.c
@ -1101,10 +1101,17 @@ int main(void)
            continue;
        }
        add_l(sm + 32);
+#ifndef ED25519_COMPAT
+        if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != -1) {
+            printf("crypto_sign_open(): signature [%u] is malleable\n", i);
+            continue;
+        }
+#else
        if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != 0) {
            printf("crypto_sign_open(): signature [%u] is not malleable\n", i);
            continue;
        }
+#endif
        if (memcmp(test_data[i].m, m, (size_t)mlen) != 0) {
            printf("message verification failure: [%u]\n", i);
            continue;