CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org    2022/11/17 12:01:59

Modified files:
        lib/libcrypto/curve25519: curve25519.c 

Log message:
Prevent Ed25519 signature malleability

Add a check that ensures that the upper half s of an Ed25519 signature is
bounded by the group order, i.e., 0 <= s < order. This is required by the
Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple
modifications of signatures such as adding (a multiple of) the group order
to the upper half of the signature.

Found with EdDSA testcase 63 of project Wycheproof.

ok beck jsing
