summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Schanzenbach <mschanzenbach@posteo.de>2021-05-10 21:48:40 +0200
committerMartin Schanzenbach <mschanzenbach@posteo.de>2021-05-10 21:48:40 +0200
commit78ad9a3344f8e833cf2c60d61b80dd2c8c6bd268 (patch)
tree9f9920a6659f30ad22257bfbddad8ac14d6e3375
parent96eddc25f413b7e0c089761be199ba23ccf78640 (diff)
- include h in expanded key as defined in lsd0001
-rw-r--r--src/util/crypto_ecc_gnsrecord.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index a78511105..ce41a4699 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -351,12 +351,17 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
gcry_ctx_release (ctx);
GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
/**
- * Note that we copy all of SHA512(d) into the result and
- * then overwrite the derived private scalar.
- * This means that we re-use SHA512(d)[32..63]
- * FIXME: Do we want to derive this part as well??
+ * We hash the derived "h" parameter with the
+ * other half of the expanded private key. This ensures
+ * that for signature generation, the "R" is derived from
+ * the same derivation path as "h" and is not reused.
*/
- memcpy (result->s, sk, sizeof (sk));
+ crypto_hash_sha256_state hs;
+ crypto_hash_sha256_init (&hs);
+ crypto_hash_sha256_update (&hs, sk + 32, 32);
+ crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
+ crypto_hash_sha256_final (&hs, result->s + 32);
+ //memcpy (result->s, sk, sizeof (sk));
/* Convert to little endian for libsodium */
for (size_t i = 0; i < 32; i++)
result->s[i] = dc[31 - i];