The branch OpenSSL_1_1_1-stable has been updated via 0643ffdecb2d3744bac7cff1e859d332f5fa2547 (commit) via f807ad17f327c40d2ed89739f7ed037ea9a80ee5 (commit) from 488521d77fdc1de5ae256ce0d9203e35ebc92993 (commit)
- Log -----------------------------------------------------------------
commit 0643ffdecb2d3744bac7cff1e859d332f5fa2547
Author: Matt Caswell <m...@openssl.org>
Date: Mon Dec 3 16:36:50 2018 +0000
Add an Ed448 malleability test
Reviewed-by: Kurt Roeckx <k...@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)
(cherry picked from commit 6de98b4fb6265f8a4b2e5b599d6714ff937dca6b)
commit f807ad17f327c40d2ed89739f7ed037ea9a80ee5
Author: Matt Caswell <m...@openssl.org>
Date: Mon Dec 3 17:01:07 2018 +0000
Disallow Ed448 signature malleability
Check that s is less than the order before attempting to verify the signature as per RFC8032 5.2.7
Fixes #7706
Reviewed-by: Kurt Roeckx <k...@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)
(cherry picked from commit 08afd2f37a4465c90b9b9e2081c9e8df4726db89)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/curve448/eddsa.c | 30 ++++++++++++++++++++++++++++--
test/recipes/30-test_evp_data/evppkey.txt | 7 +++++++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index 909413a..b28f7df 100644
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -246,10 +246,36 @@ c448_error_t c448_ed448_verify(
                                uint8_t context_len)
 {
     curve448_point_t pk_point, r_point;
-    c448_error_t error =
-        curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
+    c448_error_t error;
     curve448_scalar_t challenge_scalar;
     curve448_scalar_t response_scalar;
+    /* Order in little endian format */
+    static const uint8_t order[] = {
+        0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
+        0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
+        0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
+    };
+    int i;
+
+    /*
+     * Check that s (second 57 bytes of the sig) is less than the order. Both
+     * s and the order are in little-endian format. This can be done in
+     * variable time, since if this is not the case the signature if publicly
+     * invalid.
+     */
+    for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
+        if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
+            return C448_FAILURE;
+        if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
+            break;
+    }
+    if (i < 0)
+        return C448_FAILURE;
+
+    error =
+        curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
     if (C448_SUCCESS != error)
         return error;
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index dc50dc8..736e0ce 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
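Review bot: The `order` table on the new side is sized only by its initializer while the loop indexes it up to `EDDSA_448_PUBLIC_BYTES - 1`, so nothing ties the 57 literal bytes to the loop bound; declaring it `static const uint8_t order[EDDSA_448_PUBLIC_BYTES] = {` makes an over-long initializer a compile error and a short one obvious in review. The one-line comment above the table should also say what the constant is, e.g. `/* Ed448 group order L (RFC 8032 section 5.2.7), little endian */`, so a reader can check the bytes against the RFC instead of trusting them; if the curve448 scalar code already holds L in some form, reusing that would avoid a second hand-typed copy. In the block comment, `the signature if publicly invalid` should read `is publicly invalid`. The range check itself looks right: scanning from the most significant byte it rejects s > L at the first differing byte and s == L when the loop runs out, which is the test the RFC requires before verification, and comparing public signature bytes in variable time leaks nothing. c448_ed448_verify's parameter list starts before the hunk and its body continues past it.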
@@ -17817,6 +17817,13 @@ Key = ED448-1-PUBLIC-Raw
 Input = ""
 Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+#Signature malelability test.
+#Same as the verify operation above but with the order added to s
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC-Raw
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980f25278d3667403c14bcec5f9cfde9955ebc8333c0ae78fc86e518317c5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e656600
+Result = VERIFY_ERROR
 # Key generation tests
 KeyGen = rsaEncryption
_____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
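Review bot: The comment on the added test case has a typo, `#Signature malelability test.` should be `#Signature malleability test.`, and it would help to state the expected outcome next to it, e.g. `#Must fail: s + L is not less than the order`. The added vector keeps R identical to the case above and changes only the s half; the low bytes (0xff + 0xf3 giving 0xf2 with a carry, then 0x0d + 0x44 + 1 giving 0x52) are consistent with the "order added to s" description, and the resulting byte 55 of s exceeds 0x3F, so the new range check rejects it as the test expects.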