wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

ed25519: check that the signature is smaller than the order

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2024-05-08 17:54:37 +02:00
parent 52861cbdbf
commit 2508c9e1f4
2 changed files with 74 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
wolfcrypt/src/ed25519.c
View File

@ -749,7 +749,7 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
/* Check high zeros. */
for (--i; i > ED25519_SIG_LOW_ORDER_IDX; i--) {
if (sig[i] > 0x00)
break;
return BAD_FUNC_ARG;
}
/* Did we see all zeros up to lower order index? */
if (i == ED25519_SIG_LOW_ORDER_IDX) {

73
wolfcrypt/test/test.c
View File

@ -33910,6 +33910,79 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
#endif /* HAVE_ED25519_VERIFY */
}
{
/* Run tests for some rare code paths */
/* sig is exactly equal to the order */
const byte rareEd1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
/* sig is larger than the order before we get to the low part */
const byte rareEd2[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10
};
/* sig is larger than the order in the low part */
const byte rareEd3[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf9, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
/* sig is smaller than the order */
const byte rareEd4[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf1, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
ret = wc_ed25519_import_private_key(sKeys[0], ED25519_KEY_SIZE,
pKeys[0], pKeySz[0], &key);
if (ret != 0)
return ret;
ret = wc_ed25519_verify_msg(rareEd1, sizeof(rareEd1), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd2, sizeof(rareEd2), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd3, sizeof(rareEd3), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd4, sizeof(rareEd4), msgs[0], msgSz[0],
&verify, &key);
if (ret != SIG_VERIFY_E)
return ret;
}
ret = ed25519ctx_test();
if (ret != 0)
return ret;