cheng/libsodium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ed25519_pk_to_curve25519: check that the input is in the right subgroup

Browse Source
This commit is contained in:
Frank Denis 2017-07-23 13:17:51 +02:00
parent 571915ea2c
commit 6de26b59d7
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/libsodium/crypto_sign/ed25519/ref10/keypair.c
View File

@ -4,6 +4,7 @@
#include "crypto_hash_sha512.h" #include "crypto_hash_sha512.h"
#include "crypto_scalarmult_curve25519.h" #include "crypto_scalarmult_curve25519.h"
#include "crypto_sign_ed25519.h" #include "crypto_sign_ed25519.h"
#include "ed25519_ref10.h"
#include "private/curve25519_ref10.h" #include "private/curve25519_ref10.h"
#include "randombytes.h" #include "randombytes.h"
#include "utils.h" #include "utils.h"
@ -41,15 +42,28 @@ crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
return ret; return ret;
} }
/* 2^252+27742317777372353535851937790883648493 */
static const unsigned char L[32] = {
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7,
0xa2, 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
int int
crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk, crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
const unsigned char *ed25519_pk) const unsigned char *ed25519_pk)
{ {
ge_p3 A; ge_p3 A;
ge_p3 pl;
fe x; fe x;
fe one_minus_y; fe one_minus_y;
if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { if (_crypto_sign_ed25519_small_order(ed25519_pk) ||
ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
return -1;
}
ge_scalarmult_vartime(&pl, L, &A);
if (fe_isnonzero(pl.X)) {
return -1; return -1;
} }
fe_1(one_minus_y); fe_1(one_minus_y);