artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 4c8ae43) | patch
Prevent Ed25519 signature malleability
authortb <tb@openbsd.org>
Thu, 17 Nov 2022 19:01:59 +0000 (19:01 +0000)
committertb <tb@openbsd.org>
Thu, 17 Nov 2022 19:01:59 +0000 (19:01 +0000)
commit21b5f757b17a85facb8d90bc32759bf8d2617153
treee2d9e5fafdfc46b60d107c681d24e7efabae1586tree | snapshot
parent4c8ae43b414e360c78829ab3998d96ef59945a74commit | diff
Prevent Ed25519 signature malleability

Add a check that ensures that the upper half s of an Ed25519 signature is
bounded by the group order, i.e, 0 <= s < order. This is required by the
Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple
modifications of signatures such as adding (a multiple of) the group order
to the upper half of the signature.

Found with EdDSA testcase 63 of project Wycheproof.

ok beck jsing
lib/libcrypto/curve25519/curve25519.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim