From 2508c9e1f45b53d3a3cba2437f63f06030c48d74 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Wed, 8 May 2024 17:54:37 +0200
Subject: [PATCH] ed25519: check that the signature is smaller than the order
---
 wolfcrypt/src/ed25519.c | 2 +-
 wolfcrypt/test/test.c | 73 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c
index 7a708ce62..59a9d3dfb 100644
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -749,7 +749,7 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
 /* Check high zeros. */
 for (--i; i > ED25519_SIG_LOW_ORDER_IDX; i--) {
 if (sig[i] > 0x00)
- break;
+ return BAD_FUNC_ARG;
 }
 /* Did we see all zeros up to lower order index? */
 if (i == ED25519_SIG_LOW_ORDER_IDX) {
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 6c025c3e0..3d4383ae5 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
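Review bot: After this change the high-zeros loop in ed25519_verify_msg_final_with_sha (wolfcrypt/src/ed25519.c) can only finish with `i == ED25519_SIG_LOW_ORDER_IDX`, so the `if (i == ED25519_SIG_LOW_ORDER_IDX)` test on the last context line is always true and the "Did we see all zeros" comment no longer describes a real branch. Consider dropping that condition, or stating the invariant in the comment, so a later edit does not reintroduce a path that skips the low-part comparison. The new return also deserves a why-comment, for example `/* non-zero byte above the low part means S > order; reject so S stays in [0, L) and the signature has a single valid encoding */`. The function body starts and ends outside the hunk, so the surrounding top-byte checks are assumed rather than visible.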
@@ -33910,6 +33910,79 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void) #endif /* HAVE_ED25519_VERIFY */ } + { + /* Run tests for some rare code paths */ + /* sig is exactly equal to the order */ + const byte rareEd1[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 + }; + /* sig is larger than the order before we get to the low part */ + const byte rareEd2[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10 + }; + /* sig is larger than the order in the low part */ + const byte rareEd3[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf9, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 + }; + /* sig is smaller than the order */ + const byte rareEd4[] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf1, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 + }; + + ret = wc_ed25519_import_private_key(sKeys[0], ED25519_KEY_SIZE, + pKeys[0], pKeySz[0], &key); + if (ret != 0) + return ret; + + ret = wc_ed25519_verify_msg(rareEd1, sizeof(rareEd1), msgs[0], msgSz[0], + &verify, &key); + if (ret != BAD_FUNC_ARG) + return ret; + + ret = wc_ed25519_verify_msg(rareEd2, sizeof(rareEd2), msgs[0], msgSz[0], + &verify, &key); + if (ret != BAD_FUNC_ARG) + return ret; + + ret = wc_ed25519_verify_msg(rareEd3, sizeof(rareEd3), msgs[0], msgSz[0], + &verify, &key); + if (ret != BAD_FUNC_ARG) + return ret; + + ret = wc_ed25519_verify_msg(rareEd4, sizeof(rareEd4), msgs[0], msgSz[0], + &verify, &key); + if (ret != SIG_VERIFY_E) + return ret; + } + ret = ed25519ctx_test(); if (ret != 0) return ret;
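Review bot: Each negative check in the new block of ed25519_test fails open: `if (ret != BAD_FUNC_ARG) return ret;` returns 0 when wc_ed25519_verify_msg itself returns 0, so a regression that accepts one of the out-of-range signatures would end the test early with a success code. Return a non-zero value on the unexpected path instead, e.g. `if (ret != BAD_FUNC_ARG) return (ret != 0) ? ret : -1;` (or the file's own error-encoding macro, if it has one), and apply the same to the `SIG_VERIFY_E` check for rareEd4. The block also calls wc_ed25519_verify_msg right after the `#endif /* HAVE_ED25519_VERIFY */` context line, so unless an outer guard exists outside the hunk it would presumably not build when verification is compiled out. ed25519_test starts and ends outside the hunk.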