

Use libsodium's s < L check, instead checking that libsodium checks t…
…hat.

Adaptation coming from zcash@2902ac7ce8e754d09a5137cba82d8af10c172977
furszy committed May 1, 2021
1 parent b8d4c8e commit 0b49eda
Showing 4 changed files with 46 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/init.cpp
Expand Up @@ -1217,6 +1217,11 @@ bool AppInitSanityChecks()
{
// ********************************************************* Step 4: sanity checks

// Initialize libsodium
if (init_and_check_sodium() == -1) {
return false;
}

// Initialize elliptic curve code
RandomInit();
ECC_Start();
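Review bot: The new early `return false;` after `init_and_check_sodium() == -1` leaves the user with no indication of why startup stopped; the sibling checks in AppInitSanityChecks presumably report a message before returning false (their bodies are outside the hunk), and this one should go through the same reporting path rather than failing silently. The comment also undersells what the call does, since it runs a signature-canonicality self-test as well as initialization: `// Initialize libsodium and verify the linked library rejects non-canonical (s >= L) Ed25519 signatures`. AppInitSanityChecks continues past the end of the hunk.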
38 changes: 38 additions & 0 deletions src/sapling/sodium_sanity.cpp
Expand Up @@ -10,6 +10,44 @@

#include <sodium.h>

int init_and_check_sodium()
{
if (sodium_init() == -1) {
return -1;
}

// What follows is a runtime test that ensures the version of libsodium
// we're linked against checks that signatures are canonical (s < L).
const unsigned char message[1] = { 0 };

unsigned char pk[crypto_sign_PUBLICKEYBYTES];
unsigned char sk[crypto_sign_SECRETKEYBYTES];
unsigned char sig[crypto_sign_BYTES];

crypto_sign_keypair(pk, sk);
crypto_sign_detached(sig, NULL, message, sizeof(message), sk);

assert(crypto_sign_verify_detached(sig, message, sizeof(message), pk) == 0);

// Copied from libsodium/crypto_sign/ed25519/ref10/open.c
static const unsigned char L[32] =
{ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 };

// Add L to S, which starts at sig[32].
unsigned int s = 0;
for (size_t i = 0; i < 32; i++) {
s = sig[32 + i] + L[i] + (s >> 8);
sig[32 + i] = s & 0xff;
}

assert(crypto_sign_verify_detached(sig, message, sizeof(message), pk) != 0);

return 0;
}

void TestLibsodiumEd25519SignatureVerification(
const std::string &scope,
const std::string &msg,
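Review bot: The two canonicality checks (the one right after the signature is produced and the one after L is added to S) abort via assert instead of using the -1 failure path the function already has for sodium_init, so the caller's graceful handling in init.cpp (`return false` on -1) never sees them, and in any build configuration where assertions are compiled out the self-test silently passes. Replace them with `if (crypto_sign_verify_detached(sig, message, sizeof(message), pk) != 0) return -1;` and `if (crypto_sign_verify_detached(sig, message, sizeof(message), pk) == 0) return -1;` respectively. The return value of crypto_sign_keypair is likewise unchecked and can be folded into the same pattern. Since sk holds a (throwaway) secret key, clearing it with `sodium_memzero(sk, sizeof(sk));` before returning is cheap hygiene. The second assert deserves a one-line why-comment, e.g. `// s + L is congruent to s mod L, so only an s < L check distinguishes the two signatures`.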
1 change: 1 addition & 0 deletions src/sapling/sodium_sanity.h
Expand Up @@ -5,6 +5,7 @@
#ifndef PIVX_SODIUM_SANITY_H
#define PIVX_SODIUM_SANITY_H

int init_and_check_sodium();
void libsodium_sanity_test();

#endif //PIVX_SODIUM_SANITY_H
2 changes: 2 additions & 0 deletions src/test/test_pivx.cpp
Expand Up @@ -15,6 +15,7 @@
#include "net_processing.h"
#include "rpc/server.h"
#include "rpc/register.h"
#include "sapling/sodium_sanity.h"
#include "script/sigcache.h"
#include "sporkdb.h"
#include "txmempool.h"
Expand All @@ -40,6 +41,7 @@ std::ostream& operator<<(std::ostream& os, const uint256& num)

BasicTestingSetup::BasicTestingSetup()
{
assert(init_and_check_sodium() != -1);
ECC_Start();
SetupEnvironment();
InitSignatureCache();
