1 files changed, 28 insertions, 1 deletions
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index c35863ef87..cd1b0c5802 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.13 2022/11/09 17:45:55 jsing Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.14 2022/11/17 19:01:59 tb Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -24,6 +24,7 @@
 * The field functions are shared by Ed25519 and X25519 where possible.
 */
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -4671,10 +4672,22 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
  return 1;
 }
+/*
+ * Little endian representation of the order of edwards25519,
+ * see https://www.rfc-editor.org/rfc/rfc7748#section-4.1
+ */
+static const uint8_t order[] = {
+  0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
+  0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
+};
 int ED25519_verify(const uint8_t *message, size_t message_len,
    const uint8_t signature[ED25519_SIGNATURE_LENGTH],
    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]) {
  ge_p3 A;
+  int i;
  if ((signature[63] & 224) != 0 ||
      x25519_ge_frombytes_vartime(&A, public_key) != 0) {
    return 0;
@@ -4690,6 +4703,20 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  uint8_t scopy[32];
  memcpy(scopy, signature + 32, 32);
+  /*
+   * https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that scopy be
+   * in the range [0, order) to prevent signature malleability. This value is
+   * public, so there is no need to make this constant time.
+   */
+  for (i = 31; i >= 0; i--) {
+    if (scopy[i] > order[i])
+      return 0;
+    if (scopy[i] < order[i])
+      break;
+    if (i == 0)
+      return 0;
+  }
  SHA512_CTX hash_ctx;
  SHA512_Init(&hash_ctx);
  SHA512_Update(&hash_ctx, signature, 32);

diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c index c35863ef87..cd1b0c5802 100644 --- a/src/lib/libcrypto/curve25519/curve25519.c +++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: curve25519.c,v 1.13 2022/11/09 17:45:55 jsing Exp $ */	1	/* $OpenBSD: curve25519.c,v 1.14 2022/11/17 19:01:59 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015, Google Inc.	3	* Copyright (c) 2015, Google Inc.
4	*	4	*
@@ -24,6 +24,7 @@
24	* The field functions are shared by Ed25519 and X25519 where possible.	24	* The field functions are shared by Ed25519 and X25519 where possible.
25	*/	25	*/
26		26
		27	#include <stdio.h>
27	#include <stdlib.h>	28	#include <stdlib.h>
28	#include <string.h>	29	#include <string.h>
29		30
@@ -4671,10 +4672,22 @@ int ED25519_sign(uint8_t out_sig, const uint8_t message, size_t message_len,
4671	return 1;	4672	return 1;
4672	}	4673	}
4673		4674
		4675	/*
		4676	* Little endian representation of the order of edwards25519,
		4677	* see https://www.rfc-editor.org/rfc/rfc7748#section-4.1
		4678	*/
		4679	static const uint8_t order[] = {
		4680	0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
		4681	0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
		4682	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		4683	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
		4684	};
		4685
4674	int ED25519_verify(const uint8_t *message, size_t message_len,	4686	int ED25519_verify(const uint8_t *message, size_t message_len,
4675	const uint8_t signature[ED25519_SIGNATURE_LENGTH],	4687	const uint8_t signature[ED25519_SIGNATURE_LENGTH],
4676	const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]) {	4688	const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]) {
4677	ge_p3 A;	4689	ge_p3 A;
		4690	int i;
4678	if ((signature[63] & 224) != 0 \|\|	4691	if ((signature[63] & 224) != 0 \|\|
4679	x25519_ge_frombytes_vartime(&A, public_key) != 0) {	4692	x25519_ge_frombytes_vartime(&A, public_key) != 0) {
4680	return 0;	4693	return 0;
@@ -4690,6 +4703,20 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
4690	uint8_t scopy[32];	4703	uint8_t scopy[32];
4691	memcpy(scopy, signature + 32, 32);	4704	memcpy(scopy, signature + 32, 32);
4692		4705
		4706	/*
		4707	* https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that scopy be
		4708	* in the range [0, order) to prevent signature malleability. This value is
		4709	* public, so there is no need to make this constant time.
		4710	*/
		4711	for (i = 31; i >= 0; i--) {
		4712	if (scopy[i] > order[i])
		4713	return 0;
		4714	if (scopy[i] < order[i])
		4715	break;
		4716	if (i == 0)
		4717	return 0;
		4718	}
		4719
4693	SHA512_CTX hash_ctx;	4720	SHA512_CTX hash_ctx;
4694	SHA512_Init(&hash_ctx);	4721	SHA512_Init(&hash_ctx);
4695	SHA512_Update(&hash_ctx, signature, 32);	4722	SHA512_Update(&hash_ctx, signature, 32);