wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7513 from julek-wolfssl/gh/7510

Browse Source 
ed25519: check that the signature is smaller than the order
This commit is contained in:
David Garske
2024-05-13 09:16:17 -07:00
committed by GitHub
parent 568fda0e8b ab03324dc7
commit a9164293c2
2 changed files with 91 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
wolfcrypt/src/ed25519.c
View File

@ -698,15 +698,14 @@ static int ed25519_verify_msg_update_with_sha(const byte* msgSegment,
return ed25519_hash_update(key, sha, msgSegment, msgSegmentLen); return ed25519_hash_update(key, sha, msgSegment, msgSegmentLen);
} }
/* Low part of order in big endian. */ /* ed25519 order in little endian. */
static const byte ed25519_low_order[] = { static const byte ed25519_order[] = {
0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7, 0x9c, 0xd6, 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
}; };
#define ED25519_SIG_LOW_ORDER_IDX \
((int)(ED25519_SIG_SIZE/2 + sizeof(ed25519_low_order) - 1))
/* /*
sig is array of bytes containing the signature sig is array of bytes containing the signature
sigLen is the length of sig byte array sigLen is the length of sig byte array
@ -725,6 +724,7 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
ge_p2 R; ge_p2 R;
#endif #endif
int ret; int ret;
int i;
/* sanity check on arguments */ /* sanity check on arguments */
if (sig == NULL || res == NULL || key == NULL) if (sig == NULL || res == NULL || key == NULL)
@ -740,33 +740,19 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
* 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed * 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
* = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed * = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
*/ */
if (sig[ED25519_SIG_SIZE-1] > 0x10)
return BAD_FUNC_ARG;
if (sig[ED25519_SIG_SIZE-1] == 0x10) {
int i = ED25519_SIG_SIZE-1;
int j;
/* Check high zeros. */ /* Check S is not larger than or equal to order. */
for (--i; i > ED25519_SIG_LOW_ORDER_IDX; i--) { for (i = (int)sizeof(ed25519_order) - 1; i >= 0; i--) {
if (sig[i] > 0x00) /* Bigger than order. */
break; if (sig[ED25519_SIG_SIZE/2 + i] > ed25519_order[i])
} return BAD_FUNC_ARG;
/* Did we see all zeros up to lower order index? */ /* Less than order. */
if (i == ED25519_SIG_LOW_ORDER_IDX) { if (sig[ED25519_SIG_SIZE/2 + i] < ed25519_order[i])
/* Check lower part. */ break;
for (j = 0; j < (int)sizeof(ed25519_low_order); j++, i--) {
/* Check smaller. */
if (sig[i] < ed25519_low_order[j])
break;
/* Check bigger. */
if (sig[i] > ed25519_low_order[j])
return BAD_FUNC_ARG;
}
/* Check equal - all bytes match. */
if (i == ED25519_SIG_SIZE/2 - 1)
return BAD_FUNC_ARG;
}
} }
/* Check equal - all bytes match. */
if (i == -1)
return BAD_FUNC_ARG;
/* uncompress A (public key), test if valid, and negate it */ /* uncompress A (public key), test if valid, and negate it */
#ifndef FREESCALE_LTC_ECC #ifndef FREESCALE_LTC_ECC

73
wolfcrypt/test/test.c
View File

@ -34016,6 +34016,79 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t ed25519_test(void)
#endif /* HAVE_ED25519_VERIFY */ #endif /* HAVE_ED25519_VERIFY */
} }
{
/* Run tests for some rare code paths */
/* sig is exactly equal to the order */
const byte rareEd1[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
/* sig is larger than the order before we get to the low part */
const byte rareEd2[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10
};
/* sig is larger than the order in the low part */
const byte rareEd3[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf9, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
/* sig is smaller than the order */
const byte rareEd4[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf1, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};
ret = wc_ed25519_import_private_key(sKeys[0], ED25519_KEY_SIZE,
pKeys[0], pKeySz[0], &key);
if (ret != 0)
return ret;
ret = wc_ed25519_verify_msg(rareEd1, sizeof(rareEd1), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd2, sizeof(rareEd2), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd3, sizeof(rareEd3), msgs[0], msgSz[0],
&verify, &key);
if (ret != BAD_FUNC_ARG)
return ret;
ret = wc_ed25519_verify_msg(rareEd4, sizeof(rareEd4), msgs[0], msgSz[0],
&verify, &key);
if (ret != SIG_VERIFY_E)
return ret;
}
ret = ed25519ctx_test(); ret = ed25519ctx_test();
if (ret != 0) if (ret != 0)
return ret; return ret;