[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Tue Dec 11 12:02:21 UTC 2018
The branch OpenSSL_1_1_1-stable has been updated
via 0643ffdecb2d3744bac7cff1e859d332f5fa2547 (commit)
via f807ad17f327c40d2ed89739f7ed037ea9a80ee5 (commit)
from 488521d77fdc1de5ae256ce0d9203e35ebc92993 (commit)
- Log -----------------------------------------------------------------
commit 0643ffdecb2d3744bac7cff1e859d332f5fa2547
Author: Matt Caswell <matt at openssl.org>
Date: Mon Dec 3 16:36:50 2018 +0000
Add an Ed448 malleability test
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)
(cherry picked from commit 6de98b4fb6265f8a4b2e5b599d6714ff937dca6b)
commit f807ad17f327c40d2ed89739f7ed037ea9a80ee5
Author: Matt Caswell <matt at openssl.org>
Date: Mon Dec 3 17:01:07 2018 +0000
Disallow Ed448 signature malleability
Check that s is less than the order before attempting to verify the
signature as per RFC8032 5.2.7
Fixes #7706
Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)
(cherry picked from commit 08afd2f37a4465c90b9b9e2081c9e8df4726db89)
-----------------------------------------------------------------------
Summary of changes:
crypto/ec/curve448/eddsa.c | 30 ++++++++++++++++++++++++++++--
test/recipes/30-test_evp_data/evppkey.txt | 7 +++++++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/crypto/ec/curve448/eddsa.c b/crypto/ec/curve448/eddsa.c
index 909413a..b28f7df 100644
--- a/crypto/ec/curve448/eddsa.c
+++ b/crypto/ec/curve448/eddsa.c
@@ -246,10 +246,36 @@ c448_error_t c448_ed448_verify(
uint8_t context_len)
{
curve448_point_t pk_point, r_point;
- c448_error_t error =
- curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
+ c448_error_t error;
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
+ /* Order in little endian format */
+ static const uint8_t order[] = {
+ 0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
+ 0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
+ 0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
+ };
+ int i;
+
+ /*
+ * Check that s (second 57 bytes of the sig) is less than the order. Both
+ * s and the order are in little-endian format. This can be done in
+ * variable time, since if this is not the case the signature if publicly
+ * invalid.
+ */
+ for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
+ if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
+ return C448_FAILURE;
+ if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
+ break;
+ }
+ if (i < 0)
+ return C448_FAILURE;
+
+ error =
+ curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
if (C448_SUCCESS != error)
return error;
diff --git a/test/recipes/30-test_evp_data/evppkey.txt b/test/recipes/30-test_evp_data/evppkey.txt
index dc50dc8..736e0ce 100644
--- a/test/recipes/30-test_evp_data/evppkey.txt
+++ b/test/recipes/30-test_evp_data/evppkey.txt
@@ -17817,6 +17817,13 @@ Key = ED448-1-PUBLIC-Raw
Input = ""
Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600
+#Signature malelability test.
+#Same as the verify operation above but with the order added to s
+OneShotDigestVerify = NULL
+Key = ED448-1-PUBLIC-Raw
+Input = ""
+Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980f25278d3667403c14bcec5f9cfde9955ebc8333c0ae78fc86e518317c5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e656600
+Result = VERIFY_ERROR
# Key generation tests
KeyGen = rsaEncryption
More information about the openssl-commits
mailing list