From f54c6db9815bb7d6882ad4998cf2953b6905ebe1 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Wed, 11 Oct 2017 21:14:18 +0200
Subject: [PATCH] sign_keygen(): don't hash the secret scalar in non-deterministic mode

---
 src/libsodium/crypto_sign/ed25519/ref10/keypair.c | 14 +++++++++++---
 src/libsodium/crypto_sign/ed25519/ref10/sign.c    |  5 ++---
 test/default/ed25519_convert.c                    | 10 +++++++++-
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index bdc6b017..cad4b974 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -15,7 +15,11 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
 {
     ge_p3 A;
 
-    crypto_hash_sha512(sk, seed, 32);
+#ifdef ED25519_NONDETERMINISTIC
+    memcpy(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
+#else
+    crypto_hash_sha512(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
+#endif
     sk[0] &= 248;
     sk[31] &= 63;
     sk[31] |= 64;
@@ -23,8 +27,8 @@ crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
     ge_scalarmult_base(&A, sk);
     ge_p3_tobytes(pk, &A);
 
-    memmove(sk, seed, 32);
-    memmove(sk + 32, pk, 32);
+    memmove(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES);
+    memmove(sk + 32, pk, crypto_sign_ed25519_PUBLICKEYBYTES);
 
     return 0;
 }
@@ -76,9 +80,13 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
 {
     unsigned char h[crypto_hash_sha512_BYTES];
 
+#ifdef ED25519_NONDETERMINISTIC
+    memcpy(h, ed25519_sk, crypto_sign_ed25519_SECRETKEYBYTES);
+#else
     crypto_hash_sha512(h, ed25519_sk,
                        crypto_sign_ed25519_SECRETKEYBYTES -
                            crypto_sign_ed25519_PUBLICKEYBYTES);
+#endif
     h[0] &= 248;
     h[31] &= 127;
     h[31] |= 64;
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
index dc027847..e97ca1bd 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/sign.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
@@ -76,7 +76,7 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
 
 #ifdef ED25519_NONDETERMINISTIC
     memcpy(az, sk, 32);
-    _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, sk);
+    _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
 #else
     crypto_hash_sha512(az, sk, 32);
     crypto_hash_sha512_update(&hs, az + 32, 32);
@@ -85,8 +85,6 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, nonce);
 
-    _crypto_sign_ed25519_clamp(az);
-
     memmove(sig + 32, sk + 32, 32);
 
     sc_reduce(nonce);
@@ -99,6 +97,7 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
     crypto_hash_sha512_final(&hs, hram);
 
     sc_reduce(hram);
+    _crypto_sign_ed25519_clamp(az);
     sc_muladd(sig + 32, hram, az, nonce);
 
     sodium_memzero(az, sizeof az);
diff --git a/test/default/ed25519_convert.c b/test/default/ed25519_convert.c
index 04b3a691..a384c31e 100644
--- a/test/default/ed25519_convert.c
+++ b/test/default/ed25519_convert.c
@@ -18,9 +18,17 @@ main(void)
     unsigned char curve25519_sk[crypto_scalarmult_curve25519_BYTES];
     char curve25519_pk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
     char curve25519_sk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
+    unsigned char hseed[crypto_hash_sha512_BYTES];
     unsigned int i;
 
-    crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, keypair_seed);
+    assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);
+#ifdef ED25519_NONDETERMINISTIC
+    crypto_hash_sha512(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
+#else
+    memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
+#endif
+    crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, hseed);
+
     if (crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) != 0) {
         printf("conversion failed\n");
     }
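Review bot: The new `memcpy(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES)` and `crypto_hash_sha512(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES)` in the first keypair.c hunk read a full secret key's worth of bytes from `seed`, while the line they replace read 32 and the public `crypto_sign_ed25519_seed_keypair` contract takes a `crypto_sign_ed25519_SEEDBYTES` buffer, so any caller honouring that contract now reads past the end of its seed. The second hunk's `memmove(sk, seed, crypto_sign_ed25519_SECRETKEYBYTES)` has the same over-read, and the ed25519_convert.c change in this commit only sidesteps it by handing the function a 64-byte `hseed`. All three should use the seed length: `memcpy(sk, seed, crypto_sign_ed25519_SEEDBYTES);`, `crypto_hash_sha512(sk, seed, crypto_sign_ed25519_SEEDBYTES);` and `memmove(sk, seed, crypto_sign_ed25519_SEEDBYTES);`. In the third hunk `memcpy(h, ed25519_sk, crypto_sign_ed25519_SECRETKEYBYTES)` stays inside `h` but also copies the public-key half, which the `#else` branch deliberately excludes; using `crypto_sign_ed25519_SECRETKEYBYTES - crypto_sign_ed25519_PUBLICKEYBYTES` there as well would keep both branches operating on the same bytes. The remainder of `crypto_sign_ed25519_sk_to_curve25519` is outside the hunk, so whether `h[32..]` is ever read cannot be confirmed from here.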
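Review bot: `memcpy(az, sk, 32)` and `crypto_hash_sha512(az, sk, 32)` in the first sign.c hunk keep the literal 32 for the seed half of `sk`, while keypair.c in the same commit moves the equivalent copies to named sizes; writing `crypto_sign_ed25519_SEEDBYTES` here would make the two files read consistently and tie the copy to the constant the test now uses. Passing `az` instead of `sk` to `_crypto_sign_ed25519_synthetic_r_hv` is equivalent at that point, since `az` was just filled from `sk`, but a one-line comment such as `/* az holds the unclamped secret scalar; clamping is deferred until sc_muladd */` would explain why the clamp moved to the last hunk. `_crypto_sign_ed25519_detached` starts before the first hunk and ends after the third.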
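Review bot: In the `#else` branch of the ed25519_convert.c hunk, `memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES)` initialises only the first `crypto_sign_ed25519_SEEDBYTES` bytes of the 64-byte `hseed`, yet the keypair.c change in this commit makes `crypto_sign_ed25519_seed_keypair` consume `crypto_sign_ed25519_SECRETKEYBYTES` bytes of its seed, so the default build hashes uninitialised stack and the derived key pair is presumably no longer a fixed function of `keypair_seed` (the comparisons against expected values lie outside this hunk). The right fix is in the library, reading `crypto_sign_ed25519_SEEDBYTES`, after which the test can pass `keypair_seed` directly in the default build; if the padding is kept, `memset(hseed, 0, sizeof hseed);` before the `#ifdef` at least makes the input defined. The new `assert` depends on `<assert.h>` being included above the hunk, which is not visible here.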