CVSROOT:	/cvs
Module name:	src
Changes by:	t...@cvs.openbsd.org	2022/11/17 12:01:59

Modified files:
	lib/libcrypto/curve25519: curve25519.c

Log message:
Prevent Ed25519 signature malleability

Add a check that ensures that the upper half s of an Ed25519 signature is
bounded by the group order, i.e., 0 <= s < order. This is required by the
Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple
modifications of signatures such as adding (a multiple of) the group order
to the upper half of the signature.

Found with EdDSA testcase 63 of project Wycheproof.

ok beck jsing
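The following is an added, stand-alone illustration of the bound check described in the log message; it is not the OpenBSD libcrypto code from curve25519.c. It encodes the Ed25519 group order L as the 32 little-endian bytes used in the signature format, compares the upper half s of a 64-byte signature R || s against it (RFC 8032, 5.1.7, step 1), and then shows that a copy of the signature with L added to s, the modification the commit prevents, is rejected by the check. The sample values (s = 1, s = L - 1, a 0x42-filled R) are constructed for the demonstration and are not real signatures; the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493,
 * as the 32 little-endian bytes used in the signature encoding. */
static const uint8_t ED25519_L[32] = {
	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
};

/* Constructed sample scalars for the demonstration (not real signatures). */
static const uint8_t S_ONE[32] = { 0x01 };		/* s = 1 */
static const uint8_t S_L_MINUS_1[32] = {		/* s = L - 1 */
	0xec, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
};

/* RFC 8032, 5.1.7, step 1: 0 <= s < L. Returns 1 if the little-endian
 * scalar s_le satisfies the bound, 0 otherwise. Compares from the most
 * significant byte down; s is public, so variable time is acceptable. */
int
ed25519_s_in_range_le(const uint8_t s_le[32])
{
	int i;

	for (i = 31; i >= 0; i--) {
		if (s_le[i] < ED25519_L[i])
			return 1;
		if (s_le[i] > ED25519_L[i])
			return 0;
	}
	return 0;	/* s == L is out of range as well */
}

/* Same check applied to a 64-byte signature R || s. */
int
ed25519_s_in_range(const uint8_t sig[64])
{
	return ed25519_s_in_range_le(sig + 32);
}

/* Adds L to s in place (256-bit little-endian addition, no wrap for s < L).
 * This is the modification the log message describes; it exists here only
 * so the check below can be shown to reject the result. */
void
ed25519_s_add_order(uint8_t sig[64])
{
	uint8_t *s = sig + 32;
	unsigned int carry = 0;
	int i;

	for (i = 0; i < 32; i++) {
		carry += (unsigned int)s[i] + ED25519_L[i];
		s[i] = (uint8_t)(carry & 0xff);
		carry >>= 8;
	}
}

/* Builds a constructed signature (R = 32 bytes of 0x42, s = s_le), then
 * returns 1 only if the original passes the range check and the copy with
 * L added to s fails it. */
int
ed25519_malleation_is_rejected(const uint8_t s_le[32])
{
	uint8_t sig[64];

	memset(sig, 0x42, 32);
	memcpy(sig + 32, s_le, 32);
	if (!ed25519_s_in_range(sig))
		return 0;
	ed25519_s_add_order(sig);
	return ed25519_s_in_range(sig) == 0;
}

int
main(void)
{
	printf("s = 1:     %s\n", ed25519_malleation_is_rejected(S_ONE) ? "ok" : "FAIL");
	printf("s = L - 1: %s\n", ed25519_malleation_is_rejected(S_L_MINUS_1) ? "ok" : "FAIL");
	printf("s = L:     %s\n", ed25519_s_in_range_le(ED25519_L) ? "FAIL" : "rejected");
	return 0;
}
```

Without the step-1 check, a verifier that reduces s modulo L before computing [s]B would accept s + L as readily as s, which is why the Wycheproof case cited in the log message exists; the byte-wise comparison above is all that is needed to close that gap, since the upper bound is fixed and public.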