nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-11 05:33:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix API for ed25519_ref10_open()

Browse Source 
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.

The unit tests still pass.
This commit is contained in:
Nick Mathewson 2014-08-26 14:55:08 -04:00
parent e0097a8839
commit 9e43ee5b4c
3 changed files with 10 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/common/crypto_ed25519.c
View File

@ -80,24 +80,8 @@ ed25519_checksig(const ed25519_signature_t *signature,
const uint8_t *msg, size_t len,
const ed25519_public_key_t *pubkey)
{
uint8_t *smtmp;
uint8_t *tmp;
uint64_t tmplen;
int r;
tor_assert(len < SIZE_T_CEILING - 64);
tmplen = len + 64;
tmp = tor_malloc(tmplen);
smtmp = tor_malloc(tmplen);
memcpy(smtmp, signature->sig, 64);
memcpy(smtmp+64, msg, len);
r = ed25519_ref10_open(tmp, &tmplen, smtmp, tmplen, pubkey->pubkey);
tor_free(tmp);
tor_free(smtmp);
return r;
return
ed25519_ref10_open(signature->sig, msg, len, pubkey->pubkey) < 0 ? -1 : 0;
}
/** Validate every signature among those in <b>checkable</b>, which contains

4
src/ext/ed25519/ref10/ed25519_ref10.h
View File

@ -7,8 +7,8 @@ int ed25519_ref10_seckey(unsigned char *sk);
int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
int ed25519_ref10_open(
unsigned char *m,uint64_t *mlen,
const unsigned char *sm,uint64_t smlen,
const unsigned char *signature,
const unsigned char *m,uint64_t mlen,
const unsigned char *pk);
int ed25519_ref10_sign(
unsigned char *sig,

20
src/ext/ed25519/ref10/open.c
View File

@ -6,8 +6,8 @@
#include "sc.h"
int crypto_sign_open(
unsigned char *m,uint64_t *mlen,
const unsigned char *sm,uint64_t smlen,
const unsigned char *signature,
const unsigned char *m,uint64_t mlen,
const unsigned char *pk
)
{
@ -19,30 +19,22 @@ int crypto_sign_open(
ge_p3 A;
ge_p2 R;
if (smlen < 64) goto badsig;
if (sm[63] & 224) goto badsig;
if (signature[63] & 224) goto badsig;
if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
memmove(pkcopy,pk,32);
memmove(rcopy,sm,32);
memmove(scopy,sm + 32,32);
memmove(rcopy,signature,32);
memmove(scopy,signature + 32,32);
memmove(m,sm,smlen);
memmove(m + 32,pkcopy,32);
crypto_hash_sha512(h,m,smlen);
crypto_hash_sha512_3(h, rcopy, 32, pkcopy, 32, m, mlen);
sc_reduce(h);
ge_double_scalarmult_vartime(&R,h,&A,scopy);
ge_tobytes(rcheck,&R);
if (crypto_verify_32(rcheck,rcopy) == 0) {
memmove(m,m + 64,smlen - 64);
memset(m + smlen - 64,0,64);
*mlen = smlen - 64;
return 0;
}
badsig:
*mlen = -1;
memset(m,0,smlen);
return -1;
}