author | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-05-10 21:48:40 +0200 |
committer | Martin Schanzenbach <mschanzenbach@posteo.de> | 2021-05-10 21:48:40 +0200 |
commit | 78ad9a3344f8e833cf2c60d61b80dd2c8c6bd268 (patch) | |
tree | 9f9920a6659f30ad22257bfbddad8ac14d6e3375 | |
parent | 96eddc25f413b7e0c089761be199ba23ccf78640 (diff) |
- include h in expanded key as defined in lsd0001
-rw-r--r-- | src/util/crypto_ecc_gnsrecord.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index a78511105..ce41a4699 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -351,12 +351,17 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
   gcry_ctx_release (ctx);
   GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
   /**
-   * Note that we copy all of SHA512(d) into the result and
-   * then overwrite the derived private scalar.
-   * This means that we re-use SHA512(d)[32..63]
-   * FIXME: Do we want to derive this part as well??
+   * We hash the derived "h" parameter with the
+   * other half of the expanded private key. This ensures
+   * that for signature generation, the "R" is derived from
+   * the same derivation path as "h" and is not reused.
    */
-  memcpy (result->s, sk, sizeof (sk));
+  crypto_hash_sha256_state hs;
+  crypto_hash_sha256_init (&hs);
+  crypto_hash_sha256_update (&hs, sk + 32, 32);
+  crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
+  crypto_hash_sha256_final (&hs, result->s + 32);
+  //memcpy (result->s, sk, sizeof (sk));
   /* Convert to little endian for libsodium */
   for (size_t i = 0; i < 32; i++)
     result->s[i] = dc[31 - i];
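Review bot: The commented-out `//memcpy (result->s, sk, sizeof (sk));` left after the new SHA-256 block is dead code and should be deleted rather than kept as a reminder, since the removed line is already recorded in this commit's history. The cast in the second `crypto_hash_sha256_update` call should be `(const unsigned char *) &hc` to match the parameter type; more importantly, because `hc` is absorbed as raw struct bytes, derived keys are only reproducible across hosts if `hc` is a fixed-width, endian-independent byte encoding of h rather than a host-order integer, and its declaration is outside the hunk, so this is worth confirming against the LSD0001 text the commit cites. The expanded-key buffer `sk` still holds SHA-512(d), i.e. private-key material, after the new code consumes `sk + 32`; if it is a stack buffer (also declared outside the hunk) it should be wiped with `sodium_memzero (sk, sizeof (sk));` before the function returns so the nonce-prefix seed does not linger on the stack. GNUNET_CRYPTO_eddsa_private_key_derive begins before and ends after this hunk.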