From 73d617f0676bef0bd46fd47e5039a3b162844129 Mon Sep 17 00:00:00 2001
From: Tobias Heider <tobias.heider@canonical.com>
Date: Fri, 12 May 2023 14:18:32 +0200
Subject: [PATCH] Add ed25519 rule. Verified to work with nettle libhogweed.

---
 crypto/crypto_signatures.yar | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/crypto/crypto_signatures.yar b/crypto/crypto_signatures.yar
index 9d255748..0fc89173 100644
--- a/crypto/crypto_signatures.yar
+++ b/crypto/crypto_signatures.yar
@@ -1577,4 +1577,16 @@ rule SipHash_big_endian_constants {
 		$c3 = "setybdet"
 	condition:
 		2 of them
-}
\ No newline at end of file
+}
+
+rule ed25519 {
+	meta:
+		author = "tobhe"
+		description = "ge25519 base point coordinates"
+		date = "2023-05"
+	strings:
+		$c0 = { 1A D5 25 8F 60 2D 56 C9 B2 A7 25 95 60 C7 2C 69 5C DC D6 FD 31 E2 A4 C0 FE 53 6E CD D3 36 69 21 }
+		$c1 = { 5c dc d6 fd 31 e2 a4 c0 fe 53 6e cd d3 36 69 21}
+	condition:
+		any of them
+}