Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/crypto_ecc_gnsrecord.c | 15 |
1 files changed, 10 insertions, 5 deletions
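--- a/src/util/crypto_ecc_gnsrecord.c
+++ b/src/util/crypto_ecc_gnsrecord.c
@@ -351,12 +351,17 @@ GNUNET_CRYPTO_eddsa_private_key_derive (
 gcry_ctx_release (ctx);
 GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
 /**
-* Note that we copy all of SHA512(d) into the result and
-* then overwrite the derived private scalar.
-* This means that we re-use SHA512(d)[32..63]
-* FIXME: Do we want to derive this part as well??
+* We hash the derived "h" parameter with the
+* other half of the expanded private key. This ensures
+* that for signature generation, the "R" is derived from
+* the same derivation path as "h" and is not reused.
 */
-memcpy (result->s, sk, sizeof (sk));
+crypto_hash_sha256_state hs;
+crypto_hash_sha256_init (&hs);
+crypto_hash_sha256_update (&hs, sk + 32, 32);
+crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
+crypto_hash_sha256_final (&hs, result->s + 32);
+//memcpy (result->s, sk, sizeof (sk));
 /* Convert to little endian for libsodium */
 for (size_t i = 0; i < 32; i++)
 result->s[i] = dc[31 - i];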
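Review bot: The commented-out `//memcpy (result->s, sk, sizeof (sk));` on new line 364 should be deleted rather than left as dead code, since the comment block above it already records why the whole-key copy was replaced. The cast on new line 362 would read better as `(const unsigned char *) &hc`, matching the `const` input parameter of `crypto_hash_sha256_update`. It would also help to state in the comment that the SHA-256 output fills exactly bytes 32..63 of `result->s` (the nonce-prefix half of the expanded key) while the scalar half is written by the loop below, so every byte of `result->s` is still covered without the removed memcpy — this assumes `result->s` is 64 bytes, which is declared outside this hunk and should be confirmed. The enclosing `GNUNET_CRYPTO_eddsa_private_key_derive` starts before the hunk, and its `sk`, `hc` and `dc` locals are declared there.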