Fix API for ed25519_ref10_open()

This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.

The unit tests still pass.
This commit is contained in:
Nick Mathewson 2014-08-26 14:55:08 -04:00
parent e0097a8839
commit 9e43ee5b4c
3 changed files with 10 additions and 34 deletions

View File

@ -80,24 +80,8 @@ ed25519_checksig(const ed25519_signature_t *signature,
const uint8_t *msg, size_t len, const uint8_t *msg, size_t len,
const ed25519_public_key_t *pubkey) const ed25519_public_key_t *pubkey)
{ {
uint8_t *smtmp; return
uint8_t *tmp; ed25519_ref10_open(signature->sig, msg, len, pubkey->pubkey) < 0 ? -1 : 0;
uint64_t tmplen;
int r;
tor_assert(len < SIZE_T_CEILING - 64);
tmplen = len + 64;
tmp = tor_malloc(tmplen);
smtmp = tor_malloc(tmplen);
memcpy(smtmp, signature->sig, 64);
memcpy(smtmp+64, msg, len);
r = ed25519_ref10_open(tmp, &tmplen, smtmp, tmplen, pubkey->pubkey);
tor_free(tmp);
tor_free(smtmp);
return r;
} }
/** Validate every signature among those in <b>checkable</b>, which contains /** Validate every signature among those in <b>checkable</b>, which contains

View File

@ -7,8 +7,8 @@ int ed25519_ref10_seckey(unsigned char *sk);
int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk); int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk); int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
int ed25519_ref10_open( int ed25519_ref10_open(
unsigned char *m,uint64_t *mlen, const unsigned char *signature,
const unsigned char *sm,uint64_t smlen, const unsigned char *m,uint64_t mlen,
const unsigned char *pk); const unsigned char *pk);
int ed25519_ref10_sign( int ed25519_ref10_sign(
unsigned char *sig, unsigned char *sig,

View File

@ -6,8 +6,8 @@
#include "sc.h" #include "sc.h"
int crypto_sign_open( int crypto_sign_open(
unsigned char *m,uint64_t *mlen, const unsigned char *signature,
const unsigned char *sm,uint64_t smlen, const unsigned char *m,uint64_t mlen,
const unsigned char *pk const unsigned char *pk
) )
{ {
@ -19,30 +19,22 @@ int crypto_sign_open(
ge_p3 A; ge_p3 A;
ge_p2 R; ge_p2 R;
if (smlen < 64) goto badsig; if (signature[63] & 224) goto badsig;
if (sm[63] & 224) goto badsig;
if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig; if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
memmove(pkcopy,pk,32); memmove(pkcopy,pk,32);
memmove(rcopy,sm,32); memmove(rcopy,signature,32);
memmove(scopy,sm + 32,32); memmove(scopy,signature + 32,32);
memmove(m,sm,smlen); crypto_hash_sha512_3(h, rcopy, 32, pkcopy, 32, m, mlen);
memmove(m + 32,pkcopy,32);
crypto_hash_sha512(h,m,smlen);
sc_reduce(h); sc_reduce(h);
ge_double_scalarmult_vartime(&R,h,&A,scopy); ge_double_scalarmult_vartime(&R,h,&A,scopy);
ge_tobytes(rcheck,&R); ge_tobytes(rcheck,&R);
if (crypto_verify_32(rcheck,rcopy) == 0) { if (crypto_verify_32(rcheck,rcopy) == 0) {
memmove(m,m + 64,smlen - 64);
memset(m + smlen - 64,0,64);
*mlen = smlen - 64;
return 0; return 0;
} }
badsig: badsig:
*mlen = -1;
memset(m,0,smlen);
return -1; return -1;
} }