wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

EdDsa: check private value after sign

Browse Source 
Check the private value hasn't changed during signing with EdDSA.
This commit is contained in:
Sean Parkinson
2024-02-05 08:44:36 +10:00
parent 851f059023
commit e28d6a7b71
3 changed files with 49 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
wolfcrypt/src/ed25519.c
View File

@ -22,6 +22,12 @@
/* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */ /* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */
/* Possible Ed25519 enable options:
* WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN Default: OFF
* Check that the private key didn't change during the signing operations.
*/
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
@ -304,6 +310,9 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
ALIGN16 byte nonce[WC_SHA512_DIGEST_SIZE]; ALIGN16 byte nonce[WC_SHA512_DIGEST_SIZE];
ALIGN16 byte hram[WC_SHA512_DIGEST_SIZE]; ALIGN16 byte hram[WC_SHA512_DIGEST_SIZE];
ALIGN16 byte az[ED25519_PRV_KEY_SIZE]; ALIGN16 byte az[ED25519_PRV_KEY_SIZE];
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
byte orig_k[ED25519_KEY_SIZE];
#endif
/* sanity check on arguments */ /* sanity check on arguments */
if (in == NULL || out == NULL || outLen == NULL || key == NULL || if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@ -331,6 +340,10 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
} }
*outLen = ED25519_SIG_SIZE; *outLen = ED25519_SIG_SIZE;
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
XMEMCPY(orig_k, key->k, ED25519_KEY_SIZE);
#endif
/* step 1: create nonce to use where nonce is r in /* step 1: create nonce to use where nonce is r in
r = H(h_b, ... ,h_2b-1,M) */ r = H(h_b, ... ,h_2b-1,M) */
ret = ed25519_hash(key, key->k, ED25519_KEY_SIZE, az); ret = ed25519_hash(key, key->k, ED25519_KEY_SIZE, az);
@ -441,6 +454,18 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce); sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
#endif #endif
#endif /* WOLFSSL_SE050 */ #endif /* WOLFSSL_SE050 */
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
{
int i;
byte c = 0;
for (i = 0; i < ED25519_KEY_SIZE; i++) {
c |= key->k[i] ^ orig_k[i];
}
ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
}
#endif
return ret; return ret;
} }

23
wolfcrypt/src/ed448.c
View File

@ -25,6 +25,11 @@
* Reworked for curve448 by Sean Parkinson. * Reworked for curve448 by Sean Parkinson.
*/ */
/* Possible Ed448 enable options:
* WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN Default: OFF
* Check that the private key didn't change during the signing operations.
*/
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
@ -279,6 +284,9 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
byte hram[ED448_SIG_SIZE]; byte hram[ED448_SIG_SIZE];
byte az[ED448_PRV_KEY_SIZE]; byte az[ED448_PRV_KEY_SIZE];
int ret = 0; int ret = 0;
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
byte orig_k[ED448_KEY_SIZE];
#endif
/* sanity check on arguments */ /* sanity check on arguments */
if ((in == NULL) || (out == NULL) || (outLen == NULL) || (key == NULL) || if ((in == NULL) || (out == NULL) || (outLen == NULL) || (key == NULL) ||
@ -298,6 +306,10 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
if (ret == 0) { if (ret == 0) {
*outLen = ED448_SIG_SIZE; *outLen = ED448_SIG_SIZE;
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
XMEMCPY(orig_k, key->k, ED448_KEY_SIZE);
#endif
/* step 1: create nonce to use where nonce is r in /* step 1: create nonce to use where nonce is r in
r = H(h_b, ... ,h_2b-1,M) */ r = H(h_b, ... ,h_2b-1,M) */
ret = ed448_hash(key, key->k, ED448_KEY_SIZE, az, sizeof(az)); ret = ed448_hash(key, key->k, ED448_KEY_SIZE, az, sizeof(az));
@ -391,6 +403,17 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
sc448_muladd(out + (ED448_SIG_SIZE/2), hram, az, nonce); sc448_muladd(out + (ED448_SIG_SIZE/2), hram, az, nonce);
} }
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
if (ret == 0) {
int i;
byte c = 0;
for (i = 0; i < ED448_KEY_SIZE; i++) {
c |= key->k[i] ^ orig_k[i];
}
ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
}
#endif
return ret; return ret;
} }

2
wolfssl/wolfcrypt/ed448.h
View File

@ -80,7 +80,7 @@ enum {
/* An ED448 Key */ /* An ED448 Key */
struct ed448_key { struct ed448_key {
byte p[ED448_PUB_KEY_SIZE]; /* compressed public key */ byte p[ED448_PUB_KEY_SIZE]; /* compressed public key */
byte k[ED448_PRV_KEY_SIZE]; /* private key : 56 secret -- 56 public */ byte k[ED448_PRV_KEY_SIZE]; /* private key : 57 secret -- 57 public */
#ifdef FREESCALE_LTC_ECC #ifdef FREESCALE_LTC_ECC
/* uncompressed point coordinates */ /* uncompressed point coordinates */
byte pointX[ED448_KEY_SIZE]; /* recovered X coordinate */ byte pointX[ED448_KEY_SIZE]; /* recovered X coordinate */