commit d5cfa6bdc8dbd34c0cbc62e46a75511a475f3a5d
parent cebf0790e77c1919e20e62c27c75a2d8d5e90182
Author: lukechampine <luke.champine@gmail.com>
Date: Tue, 24 May 2022 19:19:26 -0400
crypto::ed25519: fix bugs in point_decode
Signed-off-by: lukechampine <luke.champine@gmail.com>
Diffstat:
2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/crypto/ed25519/+test.ha b/crypto/ed25519/+test.ha
@@ -45,3 +45,26 @@ use strings;
assert(bytes::equal(sig, good_sig));
assert(verify(&pub_key, msg, &sig));
};
+
+@test fn issue716() void = {
+ // See https://todo.sr.ht/~sircmpwn/hare/716
+ let pubkey: [_]u8 = [
+ 0x51, 0xe2, 0xf3, 0x79, 0xb1, 0x52, 0x37, 0x59, 0x19, 0x0e, 0x08, 0xc8,
+ 0xcb, 0xd3, 0xab, 0xb6, 0xbd, 0x2d, 0xf7, 0x71, 0x22, 0x87, 0x95, 0xa7,
+ 0x52, 0x5a, 0x1b, 0x67, 0xb1, 0x7f, 0x2d, 0x26,
+ ];
+ let signature: [_]u8 = [
+ 0xae, 0x81, 0x01, 0x87, 0x46, 0xba, 0x6d, 0xcb, 0x5e, 0x40, 0xda, 0x4d,
+ 0x5a, 0x9b, 0xaa, 0x15, 0xc3, 0x9c, 0x84, 0xd7, 0x3d, 0x98, 0xf2, 0x85,
+ 0x0a, 0x82, 0x5e, 0x37, 0xc5, 0x92, 0xa6, 0x4d, 0x2b, 0x93, 0x64, 0x80,
+ 0xe8, 0xde, 0x2e, 0x3b, 0x4b, 0x69, 0x50, 0x3b, 0xda, 0xa2, 0x4d, 0xcd,
+ 0x7f, 0x73, 0xbe, 0x92, 0x2d, 0x7c, 0x90, 0xc4, 0x85, 0x27, 0xff, 0x68,
+ 0xfc, 0x6a, 0x53, 0x0b,
+ ];
+ let msg: []u8 = [
+ 0xaa, 0xaf, 0x0a, 0xa9, 0x77, 0xf1, 0x29, 0x40, 0x28, 0xed, 0xef, 0xa9,
+ 0x7c, 0x22, 0x80, 0x60, 0x84, 0x96, 0x53, 0xef, 0x54, 0x42, 0x29, 0x9b,
+ 0x07, 0xf8, 0x88, 0xaa, 0xb1, 0x04, 0xe2, 0x4d,
+ ];
+ assert(verify(&pubkey, msg, &signature));
+};
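Review bot: The new test only exercises the false-negative direction — `assert(verify(&pubkey, msg, &signature));` checks a valid signature whose decoded x needs the multiplication by I — so the other half of the point_decode fix, returning false for an encoding with no x satisfying the curve equation, stays untested. Before this commit fe_cmp compared `a` with itself and so presumably always reported equality, which means the `return false` branch in point_decode was unreachable; a second case asserting `assert(!verify(&badkey, msg, &signature));` with a deliberately constructed off-curve public key (placeholder bytes) would pin that path. A direct unit test of fe_cmp on two distinct field elements would also have caught the original bug at its source rather than through verify. The function in this hunk is complete.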
diff --git a/crypto/ed25519/edwards25519.ha b/crypto/ed25519/edwards25519.ha
@@ -102,7 +102,7 @@ fn fe_cmp(a: const *elem, b: const *elem) u8 = {
let x: scalar = [0...];
fe_encode(&x, a);
let y: scalar = [0...];
- fe_encode(&y, a);
+ fe_encode(&y, b);
// constant-time compare
let d: u32 = 0;
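Review bot: The corrected `fe_encode(&y, b);` is right, but fe_cmp's return contract remains undocumented, and the point_decode hunk in this same commit switches its callers from `== 1` to `!= 0`, which suggests the not-equal result is not guaranteed to be exactly 1. A doc comment above the signature, e.g. `// Returns 0 if a == b and a nonzero value otherwise; callers must test the result with != 0, not == 1.`, would stop the next caller from repeating the mistake this commit fixes. The signature and return statement of fe_cmp lie outside this hunk.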
@@ -342,13 +342,13 @@ fn point_decode(p: *point, in: *[POINTSZ]u8) bool = {
fe_square(&chk, &p.x);
fe_mul(&chk, &chk, &den);
- if (fe_cmp(&chk, &num) == 1) {
+ if (fe_cmp(&chk, &num) != 0) {
fe_mul(&p.x, &p.x, &I);
};
fe_square(&chk, &p.x);
fe_mul(&chk, &chk, &den);
- if (fe_cmp(&chk, &num) == 1) {
+ if (fe_cmp(&chk, &num) != 0) {
return false;
};