@@ -118,7 +118,7 @@ byte[][] crypto_sign_keypair(byte[] srcpk, int pk, byte[] srcsk, int sk)
118118 /*
119119 * Encode public key.
120120 */
121- srcpk [pk + 0 ] = (byte )(0x00 + LOGN ); // old python header
121+ srcpk [pk + 0 ] = (byte )(0x00 + LOGN );
122122 v = codec .modq_encode (srcpk , pk + 1 , CRYPTO_PUBLICKEYBYTES - 1 , h , 0 , LOGN );
123123 if (v != CRYPTO_PUBLICKEYBYTES - 1 )
124124 {
@@ -128,7 +128,7 @@ byte[][] crypto_sign_keypair(byte[] srcpk, int pk, byte[] srcsk, int sk)
128128 return new byte [][] { Arrays .copyOfRange (srcpk , 1 , srcpk .length ), fEnc , gEnc , FEnc };
129129 }
130130
131- byte [] crypto_sign (byte [] srcsm ,
131+ byte [] crypto_sign (boolean attached , byte [] srcsm ,
132132 byte [] srcm , int m , int mlen ,
133133 byte [] srcsk , int sk )
134134 {
@@ -143,7 +143,7 @@ byte[] crypto_sign(byte[] srcsm,
143143 byte [] seed = new byte [48 ],
144144 nonce = new byte [NONCELEN ];
145145
146- byte [] esig = new byte [ CRYPTO_BYTES - 2 - NONCELEN ];
146+
147147 SHAKE256 sc = new SHAKE256 ();
148148 int u , v , sig_len ;
149149 FalconSign sign = new FalconSign ();
@@ -232,19 +232,31 @@ byte[] crypto_sign(byte[] srcsm,
232232
233233// set_fpu_cw(savcw);
234234
235- /*
236- * Encode the signature. Format is:
237- * signature header 1 bytes
238- * nonce 40 bytes
239- * signature slen bytes
240- */
241- esig [0 ] = (byte )(0x20 + LOGN );
242- sig_len = codec .comp_encode (esig , 1 , esig .length - 1 , sig , 0 , LOGN );
243- if (sig_len == 0 )
235+ byte [] esig = new byte [CRYPTO_BYTES - 2 - NONCELEN ];
236+ if (attached )
244237 {
245- throw new IllegalStateException ("signature failed to generate" );
238+ /*
239+ * Encode the signature. Format is:
240+ * signature header 1 bytes
241+ * nonce 40 bytes
242+ * signature slen bytes
243+ */
244+ esig [0 ] = (byte )(0x20 + LOGN );
245+ sig_len = codec .comp_encode (esig , 1 , esig .length - 1 , sig , 0 , LOGN );
246+ if (sig_len == 0 )
247+ {
248+ throw new IllegalStateException ("signature failed to generate" );
249+ }
250+ sig_len ++;
251+ }
252+ else
253+ {
254+ sig_len = codec .comp_encode (esig , 0 , esig .length , sig , 0 , LOGN );
255+ if (sig_len == 0 )
256+ {
257+ throw new IllegalStateException ("signature failed to generate" );
258+ }
246259 }
247- sig_len ++;
248260
249261 // header
250262 srcsm [0 ] = (byte )(0x30 + LOGN );
@@ -257,7 +269,7 @@ byte[] crypto_sign(byte[] srcsm,
257269 return Arrays .copyOfRange (srcsm , 0 , 1 + NONCELEN + sig_len );
258270 }
259271
260- int crypto_sign_open (byte [] sig_encoded , byte [] nonce , byte [] msg ,
272+ int crypto_sign_open (boolean attached , byte [] sig_encoded , byte [] nonce , byte [] msg ,
261273 byte [] srcpk , int pk )
262274 {
263275 short [] h = new short [N ],
@@ -300,14 +312,26 @@ int crypto_sign_open(byte[] sig_encoded, byte[] nonce, byte[] msg,
300312 /*
301313 * Decode signature.
302314 */
303- if (sig_len < 1 || sig_encoded [0 ] != (byte )(0x20 + LOGN ))
315+ // Check only required for attached signatures - see 3.11.3 and 3.11.6 in the spec
316+ if (attached )
304317 {
305- return -1 ;
318+ if (sig_len < 1 || sig_encoded [0 ] != (byte )(0x20 + LOGN ))
319+ {
320+ return -1 ;
321+ }
322+ if (codec .comp_decode (sig , 0 , LOGN ,
323+ sig_encoded , 1 , sig_len - 1 ) != sig_len - 1 )
324+ {
325+ return -1 ;
326+ }
306327 }
307- if (codec .comp_decode (sig , 0 , LOGN ,
308- sig_encoded , 1 , sig_len - 1 ) != sig_len - 1 )
328+ else
309329 {
310- return -1 ;
330+ if (sig_len < 1 || codec .comp_decode (sig , 0 , LOGN ,
331+ sig_encoded , 0 , sig_len ) != sig_len )
332+ {
333+ return -1 ;
334+ }
311335 }
312336
313337 /*
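Review bot: The attached branch of crypto_sign_open still accepts `sig_len == 1`, so `codec.comp_decode(sig, 0, LOGN, sig_encoded, 1, sig_len - 1)` is called with a zero-length input and its return value is compared against 0; if comp_decode reports failure by returning 0 (its contract is not visible in this hunk), a signature consisting of only the header byte passes the decode step with `sig` left at its initial contents and rejection then rests entirely on the later norm check. The new detached branch does not have this gap, because a 0 return there can never equal `sig_len` once `sig_len >= 1`. Changing the attached guard to `if (sig_len < 2 || sig_encoded[0] != (byte)(0x20 + LOGN))` makes both branches reject an empty encoded body the same way without affecting any valid signature. crypto_sign_open starts in the previous hunk and continues past this one, and the derivation of `sig_len` is outside view, so I am assuming it is the caller-supplied encoded length.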