ed25519: put entire order into buffer for sanity check
julek-wolfssl committed May 9, 2024
1 parent 2508c9e commit ab03324
Showing 1 changed file with 19 additions and 33 deletions.
52 changes: 19 additions & 33 deletions wolfcrypt/src/ed25519.c
Expand Up @@ -698,15 +698,14 @@ static int ed25519_verify_msg_update_with_sha(const byte* msgSegment,
return ed25519_hash_update(key, sha, msgSegment, msgSegmentLen);
}

/* Low part of order in big endian. */
static const byte ed25519_low_order[] = {
0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7, 0x9c, 0xd6,
0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
/* ed25519 order in little endian. */
static const byte ed25519_order[] = {
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

#define ED25519_SIG_LOW_ORDER_IDX \
((int)(ED25519_SIG_SIZE/2 + sizeof(ed25519_low_order) - 1))

/*
sig is array of bytes containing the signature
sigLen is the length of sig byte array
Expand All @@ -725,6 +724,7 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
ge_p2 R;
#endif
int ret;
int i;

/* sanity check on arguments */
if (sig == NULL || res == NULL || key == NULL)
Expand All @@ -740,33 +740,19 @@ static int ed25519_verify_msg_final_with_sha(const byte* sig, word32 sigLen,
* 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed
* = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
*/
if (sig[ED25519_SIG_SIZE-1] > 0x10)
return BAD_FUNC_ARG;
if (sig[ED25519_SIG_SIZE-1] == 0x10) {
int i = ED25519_SIG_SIZE-1;
int j;

/* Check high zeros. */
for (--i; i > ED25519_SIG_LOW_ORDER_IDX; i--) {
if (sig[i] > 0x00)
return BAD_FUNC_ARG;
}
/* Did we see all zeros up to lower order index? */
if (i == ED25519_SIG_LOW_ORDER_IDX) {
/* Check lower part. */
for (j = 0; j < (int)sizeof(ed25519_low_order); j++, i--) {
/* Check smaller. */
if (sig[i] < ed25519_low_order[j])
break;
/* Check bigger. */
if (sig[i] > ed25519_low_order[j])
return BAD_FUNC_ARG;
}
/* Check equal - all bytes match. */
if (i == ED25519_SIG_SIZE/2 - 1)
return BAD_FUNC_ARG;
}

/* Check S is not larger than or equal to order. */
for (i = (int)sizeof(ed25519_order) - 1; i >= 0; i--) {
/* Bigger than order. */
if (sig[ED25519_SIG_SIZE/2 + i] > ed25519_order[i])
return BAD_FUNC_ARG;
/* Less than order. */
if (sig[ED25519_SIG_SIZE/2 + i] < ed25519_order[i])
break;
}
/* Check equal - all bytes match. */
if (i == -1)
return BAD_FUNC_ARG;

/* uncompress A (public key), test if valid, and negate it */
#ifndef FREESCALE_LTC_ECC
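Review bot: The new byte loop under `Check S is not larger than or equal to order` breaks on the first byte that differs from the order, so the comparison runs in variable time; S is part of the public signature rather than a secret, so that is acceptable, but the comment should say so to pre-empt a constant-time audit, e.g. `/* Variable-time is fine here: S is public signature data, not a secret. */`. It would also help to name the requirement being enforced, since this is the non-malleability check, e.g. `/* RFC 8032 5.1.7 step 1: reject S >= L. */`. The loop indexes `sig[ED25519_SIG_SIZE/2 + i]` for `i` up to `sizeof(ed25519_order) - 1`, so it silently relies on the 32-byte table matching the S half of the signature; the value of ED25519_SIG_SIZE is not visible in this hunk, and a static assertion or a one-line comment tying the two together would make that coupling explicit. ed25519_verify_msg_final_with_sha continues past the end of the hunk.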
