ed25519: Don't negate output when decoding.

The function |ge_frombytes_negate_vartime|, as the name suggests,
negates its output. This change converts it to |ge_frombytes_vartime|
and, instead, does the negation explicitly when verifying signatures.
The latter function is more generally useful.

Change-Id: I465f8bdf5edb101a80ab1835909ae0ff41d3e295
Reviewed-on: https://boringssl-review.googlesource.com/7142
Reviewed-by: Arnar Birgisson <arnarb@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
Adam Langley 2016-02-11 10:05:34 -08:00
parent bd42603943
commit 815b12ece6

View File

@ -1049,7 +1049,7 @@ static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729,
static const fe sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472,
-272473, -25146209, -2005654, 326686, 11406482};
static int ge_frombytes_negate_vartime(ge_p3 *h, const uint8_t *s) {
static int ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
fe u;
fe v;
fe v3;
@ -1084,7 +1084,7 @@ static int ge_frombytes_negate_vartime(ge_p3 *h, const uint8_t *s) {
fe_mul(h->X, h->X, sqrtm1);
}
if (fe_isnegative(h->X) == (s[31] >> 7)) {
if (fe_isnegative(h->X) != (s[31] >> 7)) {
fe_neg(h->X, h->X);
}
@ -4655,10 +4655,13 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[64], const uint8_t public_key[32]) {
ge_p3 A;
if ((signature[63] & 224) != 0 ||
ge_frombytes_negate_vartime(&A, public_key) != 0) {
ge_frombytes_vartime(&A, public_key) != 0) {
return 0;
}
fe_neg(A.X, A.X);
fe_neg(A.T, A.T);
uint8_t pkcopy[32];
memcpy(pkcopy, public_key, 32);
uint8_t rcopy[32];