diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-08-26 14:55:08 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-09-25 15:08:31 -0400 |
| commit | 9e43ee5b4ca3650ecd9c4ee8a1b77843b273d480 (patch) | |
| tree | 3f4d62dd70ad058e964f3ce7f7d17cae7f673aab /src/ext/ed25519 | |
| parent | e0097a8839c9dc8e56a7304b84482155dccd0af0 (diff) | |
| download | tor-9e43ee5b4ca3650ecd9c4ee8a1b77843b273d480.tar.gz tor-9e43ee5b4ca3650ecd9c4ee8a1b77843b273d480.zip | |
Fix API for ed25519_ref10_open()
This is another case where DJB likes sticking the whole signature
prepended to the message, and I don't think that's the hottest idea.
The unit tests still pass.
Diffstat (limited to 'src/ext/ed25519')
| -rw-r--r-- | src/ext/ed25519/ref10/ed25519_ref10.h | 4 | ||||
| -rw-r--r-- | src/ext/ed25519/ref10/open.c | 20 |
2 files changed, 8 insertions, 16 deletions
diff --git a/src/ext/ed25519/ref10/ed25519_ref10.h b/src/ext/ed25519/ref10/ed25519_ref10.h index 1f7946d04a..bd1e46133f 100644 --- a/src/ext/ed25519/ref10/ed25519_ref10.h +++ b/src/ext/ed25519/ref10/ed25519_ref10.h @@ -7,8 +7,8 @@ int ed25519_ref10_seckey(unsigned char *sk); int ed25519_ref10_pubkey(unsigned char *pk,const unsigned char *sk); int ed25519_ref10_keygen(unsigned char *pk,unsigned char *sk); int ed25519_ref10_open( - unsigned char *m,uint64_t *mlen, - const unsigned char *sm,uint64_t smlen, + const unsigned char *signature, + const unsigned char *m,uint64_t mlen, const unsigned char *pk); int ed25519_ref10_sign( unsigned char *sig, diff --git a/src/ext/ed25519/ref10/open.c b/src/ext/ed25519/ref10/open.c index 2d0d55ec01..790f668f94 100644 --- a/src/ext/ed25519/ref10/open.c +++ b/src/ext/ed25519/ref10/open.c @@ -6,8 +6,8 @@ #include "sc.h" int crypto_sign_open( - unsigned char *m,uint64_t *mlen, - const unsigned char *sm,uint64_t smlen, + const unsigned char *signature, + const unsigned char *m,uint64_t mlen, const unsigned char *pk ) { @@ -19,30 +19,22 @@ int crypto_sign_open( ge_p3 A; ge_p2 R; - if (smlen < 64) goto badsig; - if (sm[63] & 224) goto badsig; + if (signature[63] & 224) goto badsig; if (ge_frombytes_negate_vartime(&A,pk) != 0) goto badsig; memmove(pkcopy,pk,32); - memmove(rcopy,sm,32); - memmove(scopy,sm + 32,32); + memmove(rcopy,signature,32); + memmove(scopy,signature + 32,32); - memmove(m,sm,smlen); - memmove(m + 32,pkcopy,32); - crypto_hash_sha512(h,m,smlen); + crypto_hash_sha512_3(h, rcopy, 32, pkcopy, 32, m, mlen); sc_reduce(h); ge_double_scalarmult_vartime(&R,h,&A,scopy); ge_tobytes(rcheck,&R); if (crypto_verify_32(rcheck,rcopy) == 0) { - memmove(m,m + 64,smlen - 64); - memset(m + smlen - 64,0,64); - *mlen = smlen - 64; return 0; } badsig: - *mlen = -1; - memset(m,0,smlen); return -1; } |