jlouis / enacl

Erlang bindings for NaCl / libsodium
MIT License

Detached ``verify'' verifies attached signatures #57

Closed serokellcao closed 3 years ago

serokellcao commented 3 years ago

Steps to reproduce:

Call enacl:verify_detached on a signature produced by enacl:sign.

Observed behaviour

The signature is successfully verified.

Expected output

Fail with "invalid signature size".

jlouis commented 3 years ago

This is indeed a bug in two places:

The C code fails to size-check the detached signature. I have a fix for that.

The EQC test cases use non-detached data in lieu of the detached data for their tests. This has worked until now, because of the bug, but after the fix, the EQC test cases needed a fixup too. I'll push a fix, and prepare for a release.

jlouis commented 3 years ago

Fixed in d6bd999c820317b742d02b4297e7619d126d9203. A new 1.2.0 has been cut for hex.pm.