aboutsummaryrefslogtreecommitdiff
path: root/src/util
diff options
context:
space:
mode:
Diffstat (limited to 'src/util')
-rw-r--r--src/util/crypto_ecc_gnsrecord.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/util/crypto_ecc_gnsrecord.c b/src/util/crypto_ecc_gnsrecord.c
index a78511105..ce41a4699 100644
--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -351,12 +351,17 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
351 gcry_ctx_release (ctx); 351 gcry_ctx_release (ctx);
352 GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d); 352 GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
353 /** 353 /**
354 * Note that we copy all of SHA512(d) into the result and 354 * We hash the derived "h" parameter with the
355 * then overwrite the derived private scalar. 355 * other half of the expanded private key. This ensures
356 * This means that we re-use SHA512(d)[32..63] 356 * that for signature generation, the "R" is derived from
357 * FIXME: Do we want to derive this part as well?? 357 * the same derivation path as "h" and is not reused.
358 */ 358 */
359 memcpy (result->s, sk, sizeof (sk)); 359 crypto_hash_sha256_state hs;
360 crypto_hash_sha256_init (&hs);
361 crypto_hash_sha256_update (&hs, sk + 32, 32);
362 crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
363 crypto_hash_sha256_final (&hs, result->s + 32);
364 //memcpy (result->s, sk, sizeof (sk));
360 /* Convert to little endian for libsodium */ 365 /* Convert to little endian for libsodium */
361 for (size_t i = 0; i < 32; i++) 366 for (size_t i = 0; i < 32; i++)
362 result->s[i] = dc[31 - i]; 367 result->s[i] = dc[31 - i];