When computing Ed25519 r, fully populate a BLAKE2b block (#1368)

When computing Ed25519 r, fully populate a BLAKE2b block with non-message data

ed25519-donna/ed25519.c

@@ -62,14 +62,22 @@ ED25519_FN(ed25519_sign) (const unsigned char *m, size_t mlen, const ed25519_sec
 	ge25519 ALIGN(16) R;
 	hash_512bits extsk, hashr, hram;
 	unsigned char randr[32];
+	static const unsigned char rzero[64] = {0};
 
 	ed25519_extsk(extsk, sk);
 
-	/* r = H(aExt[32..64], randr, m) */
+	/* r = H(aExt[32..63], randr[0..31], zero[0..63], m) */
 	ed25519_hash_init(&ctx);
 	ed25519_hash_update(&ctx, extsk + 32, 32);
 	ed25519_randombytes_unsafe(randr, 32);
 	ed25519_hash_update(&ctx, randr, 32);
+	/*
+	 * Pad the rest of the hash block (which is 128
+	 * bytes in size in our case) with zeros.
+	 * This puts the message (possibly known to a side
+	 * channel attacker) in a separate block.
+	 */
+	ed25519_hash_update(&ctx, rzero, 64);
 	ed25519_hash_update(&ctx, m, mlen);
 	ed25519_hash_final(&ctx, hashr);
 	expand256_modm(r, hashr, 64);