ed25519_pk_to_curve25519: check that the input is in the right subgroup

2017-07-23 13:17:51 +02:00 · 2017-07-23 13:17:51 +02:00 · 6de26b59d7
commit 6de26b59d7
parent 571915ea2c
1 changed files with 15 additions and 1 deletions
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@ -4,6 +4,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_scalarmult_curve25519.h"
 #include "crypto_sign_ed25519.h"
+#include "ed25519_ref10.h"
 #include "private/curve25519_ref10.h"
 #include "randombytes.h"
 #include "utils.h"
@ -41,15 +42,28 @@ crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
    return ret;
 }

+/* 2^252+27742317777372353535851937790883648493 */
+static const unsigned char L[32] = {
+    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
+    0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
+};
+
 int
 crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
                                     const unsigned char *ed25519_pk)
 {
    ge_p3 A;
+    ge_p3 pl;
    fe    x;
    fe    one_minus_y;

-    if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+    if (_crypto_sign_ed25519_small_order(ed25519_pk) ||
+        ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+        return -1;
+    }
+    ge_scalarmult_vartime(&pl, L, &A);
+    if (fe_isnonzero(pl.X)) {
        return -1;
    }
    fe_1(one_minus_y);