edwards25519sha512batch: reuse ge_scalarmult()

Check public key and R order by the way.
2017-10-31 15:56:31 +01:00 · 2017-10-31 15:56:31 +01:00 · ce56bb596f
commit ce56bb596f
parent 52fce922f4
1 changed files with 3 additions and 3 deletions
--- a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c
@ -90,14 +90,14 @@ crypto_sign_edwards25519sha512batch_open(unsigned char       *m,
    if (sm[smlen - 1] & 224) {
        return -1;
    }
-    if (ge_frombytes_negate_vartime(&A, pk) != 0 ||
-        ge_frombytes_negate_vartime(&R, sm) != 0) {
+    if (ge_frombytes_negate_vartime(&A, pk) != 0 || ge_has_small_order(pk) != 0 ||
+        ge_frombytes_negate_vartime(&R, sm) != 0 || ge_has_small_order(sm) != 0) {
        return -1;
    }
    ge_p3_to_cached(&Ai, &A);
    crypto_hash_sha512(h, sm, mlen + 32);
    sc_reduce(h);
-    ge_scalarmult_vartime(&cs3, h, &R);
+    ge_scalarmult(&cs3, h, &R);
    ge_add(&csa, &cs3, &Ai);
    ge_p1p1_to_p2(&cs, &csa);
    ge_tobytes(t1, &cs);