From e254cd0b368d72bd8a5beb71b5d5533a5020c452 Mon Sep 17 00:00:00 2001
From: Chris Duncan <chris@codecow.com>
Date: Wed, 25 Feb 2026 15:16:19 -0800
Subject: [PATCH] Add check for canonical scalar S from signature.

---
 assembly/nano-nacl.ts | 24 +++++++++++++++++++++---
 index.html            |  9 ++++++++-
 2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/assembly/nano-nacl.ts b/assembly/nano-nacl.ts
index 5bcc896..1119380 100644
--- a/assembly/nano-nacl.ts
+++ b/assembly/nano-nacl.ts
@@ -806,6 +806,20 @@ function unpackneg (r: Array<StaticArray<i32>>, p: StaticArray<u8>): i8 {
 	return 0
 }
 
+// Validate signature scalar S is canonical (S < L)
+function canonical (S: StaticArray<u8>): boolean {
+	// If S >= 2^253 then S >= L for sure.
+	if ((S[32] & 0xE0) != 0) return false
+
+	// Check S-L for underflow (c=1) which means S < L
+	let c = 0
+	for (let i = 0; i < 32; i++) {
+		const diff = S[i] - L[i] - c
+		c = (diff >> 31) & 1
+	}
+	return c == 1
+}
+
 const blake2b = new Blake2b()
 function crypto_hash (o: StaticArray<u8>, i: StaticArray<u8>): void {
 	blake2b.init().update(i).digest(o)
@@ -917,9 +931,7 @@ function crypto_verify (h: StaticArray<u8>, s: StaticArray<u8>, k: StaticArray<u
 	q[3].fill(0)
 
 	// fail
-	if (unpackneg(q, k)) {
-		return false
-	}
+	if (unpackneg(q, k)) return false
 
 	// signature is nonce point R and scalar S (R || S)
 	// data to hash is nonce point R, public key A, and message M (R || A || M)
@@ -930,6 +942,12 @@ function crypto_verify (h: StaticArray<u8>, s: StaticArray<u8>, k: StaticArray<u
 		sm[i + 32] = k[i]
 		sm[i + 64] = h[i]
 	}
+
+	// fail as non-canonical
+	const c = canonical(S)
+	trace(`c: ${c}`)
+	if (!canonical(S)) return false
+
 	crypto_hash(d, sm)
 	reduce(d)
 	scalarmult(p, q, d)
diff --git a/index.html b/index.html
index 06670ff..874de6e 100644
--- a/index.html
+++ b/index.html
@@ -178,7 +178,8 @@ SPDX-License-Identifier: GPL-3.0-or-later
 					blockHash: 'BB569136FA05F8CBF65CEF2EDE368475B289C4477342976556BA4C0DDF216E45',
 					privateKey: '781186FB9EF17DB6E3D1056550D9FAE5D5BBADA6A6BC370E4CBB938B1DC71DA3',
 					publicKey: '3068BB1CA04525BB0E416C485FE6A67FD52540227D267CC8B6E8DA958A7FA039',
-					signature: '74BCC59DBA39A1E34A5F75F96D6DE9154E3477AAD7DE30EA563DFCFE501A804228008F98DDF4A15FD35705102785C50EF76732C3A74B0FEC5B0DD67B574A5900'
+					signature: '74BCC59DBA39A1E34A5F75F96D6DE9154E3477AAD7DE30EA563DFCFE501A804228008F98DDF4A15FD35705102785C50EF76732C3A74B0FEC5B0DD67B574A5900',
+					badSignature: '74BCC59DBA39A1E34A5F75F96D6DE9154E3477AAD7DE30EA563DFCFE501A804215d484f5f757b4b7a9f4fcb2057fa423f76732c3a74b0fec5b0dd67b574a5910'
 				}
 				const zeroes = '0000000000000000000000000000000000000000000000000000000000000000'
 				const expect = []
@@ -204,6 +205,12 @@ SPDX-License-Identifier: GPL-3.0-or-later
 				expect.push(result)
 
 				// XFAIL
+				result = await NanoNaCl.verify(TEST_VECTORS.blockHash, TEST_VECTORS.badSignature, TEST_VECTORS.publicKey)
+				console.log(result)
+				result = result === false
+				console.log(`verify() output for non-canonical signature is ${result === true ? 'correct' : 'incorrect'}`)
+				expect.push(result)
+
 				result = await NanoNaCl.verify(zeroes, TEST_VECTORS.signature, TEST_VECTORS.publicKey)
 				console.log(result)
 				result = result === false
-- 
2.47.3

