Fix API for ed25519_ref10_open()

This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.

The unit tests still pass.

3 files changed, 10 insertions, 34 deletions

diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 90a5fa970f..5486c8977a 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -80,24 +80,8 @@ ed25519_checksig(const ed25519_signature_t *signature,
                  const uint8_t *msg, size_t len,
                  const ed25519_public_key_t *pubkey)
 {
-  uint8_t *smtmp;
-  uint8_t *tmp;
-  uint64_t tmplen;
-  int r;
-
-  tor_assert(len < SIZE_T_CEILING - 64);
-  tmplen = len + 64;
-  tmp = tor_malloc(tmplen);
-  smtmp = tor_malloc(tmplen);
-  memcpy(smtmp, signature->sig, 64);
-  memcpy(smtmp+64, msg, len);
-
-  r = ed25519_ref10_open(tmp, &tmplen, smtmp, tmplen, pubkey->pubkey);
-
-  tor_free(tmp);
-  tor_free(smtmp);
-
-  return r;
+  return
+    ed25519_ref10_open(signature->sig, msg, len, pubkey->pubkey) < 0 ? -1 : 0;
 }
 
 /** Validate every signature among those in <b>checkable</b>, which contains
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h
index 1f7946d04a..bd1e46133f 100644
--- a/src/ext/ed25519/ref10/ed25519_ref10.h
+++ b/src/ext/ed25519/ref10/ed25519_ref10.h
@@ -7,8 +7,8 @@ int ed25519_ref10_seckey(unsigned char *sk);
 int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk);
 int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk);
 int ed25519_ref10_open(
-  unsigned char *m,uint64_t *mlen,
-  const unsigned char *sm,uint64_t smlen,
+  const unsigned char *signature,
+  const unsigned char *m,uint64_t mlen,
   const unsigned char *pk);
 int ed25519_ref10_sign(
   unsigned char *sig,
diff --git a/src/ext/ed25519/ref10/open.c b/src/ext/ed25519/ref10/open.c
index 2d0d55ec01..790f668f94 100644
--- a/src/ext/ed25519/ref10/open.c
+++ b/src/ext/ed25519/ref10/open.c
@@ -6,8 +6,8 @@
 #include "sc.h"
 
 int crypto_sign_open(
-  unsigned char *m,uint64_t *mlen,
-  const unsigned char *sm,uint64_t smlen,
+  const unsigned char *signature,
+  const unsigned char *m,uint64_t mlen,
   const unsigned char *pk
 )
 {
@@ -19,30 +19,22 @@ int crypto_sign_open(
   ge_p3 A;
   ge_p2 R;
 
-  if (smlen < 64) goto badsig;
-  if (sm[63] & 224) goto badsig;
+  if (signature[63] & 224) goto badsig;
   if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig;
 
   memmove(pkcopy,pk,32);
-  memmove(rcopy,sm,32);
-  memmove(scopy,sm + 32,32);
+  memmove(rcopy,signature,32);
+  memmove(scopy,signature + 32,32);
 
-  memmove(m,sm,smlen);
-  memmove(m + 32,pkcopy,32);
-  crypto_hash_sha512(h,m,smlen);
+  crypto_hash_sha512_3(h, rcopy, 32, pkcopy, 32, m, mlen);
   sc_reduce(h);
 
   ge_double_scalarmult_vartime(&R,h,&A,scopy);
   ge_tobytes(rcheck,&R);
   if (crypto_verify_32(rcheck,rcopy) == 0) {
-    memmove(m,m + 64,smlen - 64);
-    memset(m + smlen - 64,0,64);
-    *mlen = smlen - 64;
     return 0;
   }
 
 badsig:
-  *mlen = -1;
-  memset(m,0,smlen);
   return -1;
 }