From 5202b6312ff2629891509583394f69fba887144e Mon Sep 17 00:00:00 2001
From: Jeffrey Walton
Date: Wed, 26 Dec 2018 19:34:41 -0500
Subject: [PATCH] Add ed25519PrivateKey::Validate body (GH #764)

We also clamp the private key and recalculate the public key.

Note: we already know some IETF keys fail to validate because they are not clamped as specified in Bernsteain's paper or the RFCs (derp....)
---
 xed25519.cpp | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/xed25519.cpp b/xed25519.cpp
index 2270aea7..781d5ca1 100644
--- a/xed25519.cpp
+++ b/xed25519.cpp
@@ -264,6 +264,15 @@ bool x25519::Validate(RandomNumberGenerator &rng, unsigned int level) const
         return false;
     if (level >= 2 && IsSmallOrder(m_pk) == true)
         return false;
+    if (level >= 3)
+    {
+        SecByteBlock sk(m_sk, SECRET_KEYLENGTH), pk(PUBLIC_KEYLENGTH);
+        ClampKeys(pk, sk);
+        if (VerifyBufsEqual(pk, m_pk, PUBLIC_KEYLENGTH) == false || VerifyBufsEqual(sk, m_sk, SECRET_KEYLENGTH) == false)
+        {
+            return false;
+        }
+    }
 
     return true;
 }
@@ -372,7 +381,24 @@ bool ed25519PrivateKey::IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const
 
 bool ed25519PrivateKey::Validate(RandomNumberGenerator &rng, unsigned int level) const
 {
-    CRYPTOPP_UNUSED(rng); CRYPTOPP_UNUSED(level);
+    CRYPTOPP_UNUSED(rng);
+    CRYPTOPP_ASSERT(IsClamped(m_sk) == true);
+    CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false);
+
+    if (level >= 1 && IsClamped(m_sk) == false)
+        return false;
+    if (level >= 2 && IsSmallOrder(m_pk) == true)
+        return false;
+    if (level >= 3)
+    {
+        SecByteBlock sk(m_sk, SECRET_KEYLENGTH), pk(PUBLIC_KEYLENGTH);
+        ClampKeys(pk, sk);
+        if (VerifyBufsEqual(pk, m_pk, PUBLIC_KEYLENGTH) == false || VerifyBufsEqual(sk, m_sk, SECRET_KEYLENGTH) == false)
+        {
+            return false;
+        }
+    }
+
     return true;
 }
 
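Review bot: The nine added lines of the `level >= 3` block are repeated verbatim in `ed25519PrivateKey::Validate` in the second hunk, so a small private helper, or at minimum an identical comment in both places, would keep the two checks from drifting apart when one is fixed. As written, the two `VerifyBufsEqual` comparisons only make sense once the reader knows that `ClampKeys(pk, sk)` is expected to clamp `sk` in place and derive `pk` from it; a comment above the block such as `// Level 3: re-derive the public key from the clamped secret and require both to match the stored m_pk/m_sk` would carry that. If, as in the second hunk, a level-1 `IsClamped(m_sk)` test precedes this block, the `VerifyBufsEqual(sk, m_sk, SECRET_KEYLENGTH)` half appears to re-check the same property and could be dropped in favour of the public-key comparison alone. The body of x25519::Validate begins outside the hunk, so the level-1 check itself is not visible here.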
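Review bot: The two `CRYPTOPP_ASSERT` lines placed ahead of the level checks fire on exactly the inputs Validate exists to reject, so in a debug build a caller that loads a key and asks whether it is acceptable gets an assertion failure instead of `false`, and the commit message itself says known IETF vectors fail these checks. Removing both asserts leaves the level logic as the single place that judges the key; an assert belongs only on an invariant that holds for every instance, which the contents of `m_sk`/`m_pk` are not. Separately, RFC 8032 Ed25519 derives the scalar from SHA-512 of the 32-byte seed and clamps that hash output, while the seed itself carries no clamping; if `m_sk` here is that seed, then `IsClamped(m_sk)` at level 1 and the `ClampKeys`/`VerifyBufsEqual(sk, m_sk, ...)` pair at level 3 reject valid keys, which would explain the failing IETF vectors noted in the message, so what `ClampKeys` does for this class should be confirmed before this ships. A one-line comment stating what `m_sk` holds (seed or expanded scalar) would settle this for the next reader.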