diff options
author | Richard van der Hoff <richard@matrix.org> | 2016-09-01 13:35:23 +0100 |
---|---|---|
committer | Richard van der Hoff <richard@matrix.org> | 2016-09-01 13:35:23 +0100 |
commit | 0c462cff112589fc52d13da6c919f881cb6d3f8c (patch) | |
tree | 9c71802ce0d583856b7cd47bfcf20cdfa05354ba /lib/ed25519_additions.c | |
parent | f03febb772c47855ab748ed6dee2f29db9f9c5ba (diff) |
Fix Ed25519 keypair generation
Ed25519 private keys, it turns out, have 64 bytes, not 32.
We were previously generating only 32 bytes (which is all that is required to
generate the public key), and then using the public key as the upper 32 bytes
when generating the per-message session key. This meant that everything
appeared to work, but the security of the private key was severely compromised.
By way of fixes:
* Use the correct algorithm for generating the Ed25519 private key, and store
all 512 bits of it.
* Update the account pickle format and refuse to load the old format (since we
should consider it compromised).
* Bump the library version, and add a function to retrieve the library
version, so that applications can verify that they are linked against a
fixed version of the library.
* Remove the curve25519_{sign, verify} functions which were unused and of
dubious quality.
Diffstat (limited to 'lib/ed25519_additions.c')
-rw-r--r-- | lib/ed25519_additions.c | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/lib/ed25519_additions.c b/lib/ed25519_additions.c deleted file mode 100644 index 5fa0c68..0000000 --- a/lib/ed25519_additions.c +++ /dev/null @@ -1,43 +0,0 @@ -void convert_curve25519_to_ed25519( - unsigned char * public_key, - unsigned char * signature -) { - fe mont_x, mont_x_minus_one, mont_x_plus_one, inv_mont_x_plus_one; - fe one; - fe ed_y; - - fe_frombytes(mont_x, public_key); - fe_1(one); - fe_sub(mont_x_minus_one, mont_x, one); - fe_add(mont_x_plus_one, mont_x, one); - fe_invert(inv_mont_x_plus_one, mont_x_plus_one); - fe_mul(ed_y, mont_x_minus_one, inv_mont_x_plus_one); - fe_tobytes(public_key, ed_y); - - public_key[31] &= 0x7F; - public_key[31] |= (signature[63] & 0x80); - signature[63] &= 0x7F; -} - - -void convert_ed25519_to_curve25519( - unsigned char const * public_key, - unsigned char * signature -) { - unsigned char sign_bit = public_key[31] & 0x80; - signature[63] &= 0x7F; - signature[63] |= sign_bit; -} - - -void ed25519_keypair( - unsigned char * private_key, - unsigned char * public_key -) { - ge_p3 A; - private_key[0] &= 248; - private_key[31] &= 63; - private_key[31] |= 64; - ge_scalarmult_base(&A, private_key); - ge_p3_tobytes(public_key, &A); -} |