diff options
| author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-20 18:22:25 +0700 |
|---|---|---|
| committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-11-20 18:22:25 +0700 |
| commit | 9faf5ec8a3232756e884bab592e353b6eb53f42b (patch) | |
| tree | 583c261f077697f15e58c125236435dc5c43e057 | |
| parent | Refactoring in Math.EC.Rfc8032 (diff) | |
| download | BouncyCastle.NET-ed25519-9faf5ec8a3232756e884bab592e353b6eb53f42b.tar.xz | |
Ed25519: Reject small order public keys
| -rw-r--r-- | crypto/src/math/ec/rfc8032/Ed25519.cs | 63 | ||||
| -rw-r--r-- | crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs | 46 |
2 files changed, 80 insertions, 29 deletions
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs index 350e39120..c3e2b5b7e 100644 --- a/crypto/src/math/ec/rfc8032/Ed25519.cs +++ b/crypto/src/math/ec/rfc8032/Ed25519.cs @@ -64,6 +64,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private const int L3 = -0x006215D1; // L3:23/-- private const int L4 = 0x000014DF; // L4:12/11 + private static readonly uint[] Order8_y1 = { 0x706A17C7, 0x4FD84D3D, 0x760B3CBA, 0x0F67100D, 0xFA53202A, + 0xC6CC392C, 0x77FDC74E, 0x7A03AC92 }; + private static readonly uint[] Order8_y2 = { 0x8F95E826, 0xB027B2C2, 0x89F4C345, 0xF098EFF2, 0x05ACDFD5, + 0x3933C6D3, 0x880238B1, 0x05FC536D }; + private static readonly int[] B_x = { 0x0325D51A, 0x018B5823, 0x007B2C95, 0x0304A92D, 0x00D2598E, 0x01D6DC5C, 0x01388C7F, 0x013FEC0A, 0x029E6B72, 0x0042D26D }; private static readonly int[] B_y = { 0x02666658, 0x01999999, 0x00666666, 0x03333333, 0x00CCCCCC, 0x02666666, @@ -209,12 +214,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 } return false; } - - private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n) - { - DecodeScalar(s, n); - return !Nat.Gte(ScalarUints, n, L); - } #else private static bool CheckPointVar(byte[] p) { @@ -227,7 +226,51 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 } return false; } +#endif + private static bool CheckPointFullVar(byte[] p) + { + uint y7 = Codec.Decode32(p, 28) & 0x7FFFFFFFU; + + uint t0 = y7; + uint t1 = y7 ^ P[7]; + uint t2 = y7 ^ Order8_y1[7]; + uint t3 = y7 ^ Order8_y2[7]; + + for (int i = CoordUints - 2; i > 0; --i) + { + uint yi = Codec.Decode32(p, i * 4); + + t0 |= yi; + t1 |= yi ^ P[i]; + t2 |= yi ^ Order8_y1[i]; + t3 |= yi ^ Order8_y2[i]; + } + + uint y0 = Codec.Decode32(p, 0); + + // Reject 0 and 1 + if (t0 == 0 && y0 <= 1U) + return false; + + // Reject P - 1 and non-canonical encodings (i.e. >= P) + if (t1 == 0 && y0 >= (P[0] - 1U)) + return false; + + t2 |= y0 ^ Order8_y1[0]; + t3 |= y0 ^ Order8_y2[0]; + + // Reject order 8 points + return (t2 != 0) & (t3 != 0); + } + +#if NETCOREAPP2_1_OR_GREATER || NETSTANDARD2_1_OR_GREATER + private static bool CheckScalarVar(ReadOnlySpan<byte> s, Span<uint> n) + { + DecodeScalar(s, n); + return !Nat.Gte(ScalarUints, n, L); + } +#else private static bool CheckScalarVar(byte[] s, uint[] n) { DecodeScalar(s, 0, n); @@ -258,7 +301,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 private static bool DecodePointVar(byte[] p, int pOff, bool negate, ref PointAffine r) { byte[] py = Copy(p, pOff, PointBytes); - if (!CheckPointVar(py)) + if (!CheckPointFullVar(py)) return false; int x_0 = (py[PointBytes - 1] & 0x80) >> 7; @@ -1910,12 +1953,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032 if (!DecodePointVar(pk, pkOff, false, ref p)) return false; - F.Normalize(p.x); - F.Normalize(p.y); - - if (IsNeutralElementVar(p.x, p.y)) - return false; - Init(out PointAccum r); ScalarMultOrderVar(ref p, ref r); diff --git a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs index 04b9c3cce..d042aff9f 100644 --- a/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs +++ b/crypto/test/src/math/ec/rfc8032/test/Ed25519Test.cs @@ -15,8 +15,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests { private static readonly SecureRandom Random = new SecureRandom(); - private static readonly byte[] Neutral = Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000000"); - [SetUp] public void SetUp() { @@ -371,8 +369,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests [Test] public void TestPublicKeyValidationFull() { - Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Neutral, 0)); - byte[] sk = new byte[Ed25519.SecretKeySize]; byte[] pk = new byte[Ed25519.PublicKeySize]; @@ -383,9 +379,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsTrue(Ed25519.ValidatePublicKeyFull(pk, 0)); } + // Small order points (canonical encodings) + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0000000000000000000000000000000000000000000000000000000000000000"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0000000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000000"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC037A"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC03FA"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC05"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC85"), 0)); + + // Small order points (non-canonical encodings) Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); - Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + // Non-canonical encodings Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyFull(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); @@ -417,8 +425,6 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests [Test] public void TestPublicKeyValidationPartial() { - Assert.IsTrue(Ed25519.ValidatePublicKeyPartial(Neutral, 0)); - byte[] sk = new byte[Ed25519.SecretKeySize]; byte[] pk = new byte[Ed25519.PublicKeySize]; @@ -429,9 +435,21 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests Assert.IsTrue(Ed25519.ValidatePublicKeyPartial(pk, 0)); } + // Small order points (canonical encodings) + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0000000000000000000000000000000000000000000000000000000000000000"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0000000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000000"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC037A"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("C7176A703D4DD84FBA3C0B760D10670F2A2053FA2C39CCC64EC7FD7792AC03FA"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC05"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("26E8958FC2B227B045C3F489F2EF98F0D5DFAC05D3C63339B13802886D53FC85"), 0)); + + // Small order points (non-canonical encodings) Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("0100000000000000000000000000000000000000000000000000000000000080"), 0)); + Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); - Assert.IsTrue (Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); + // Non-canonical encodings Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"), 0)); Assert.IsFalse(Ed25519.ValidatePublicKeyPartial(Hex.DecodeStrict("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7F"), 0)); @@ -469,23 +487,20 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests [Test] public void TamingNonRepudiation() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - byte[] msg1 = Encoding.UTF8.GetBytes("Send 100 USD to Alice"); byte[] msg2 = Encoding.UTF8.GetBytes("Send 100000 USD to Alice"); byte[] pub = Hex.DecodeStrict("ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"); byte[] sig = Hex.DecodeStrict("a9d55260f765261eb9b84e106f665e00b867287a761990d7135963ee0a7d59dc" + "a5bb704786be79fc476f91d3f3f89b03984d8068dcf1bb7dfc6637b45450ac04"); - Assert.IsTrue(Ed25519.Verify(sig, 0, pub, 0, msg1, 0, msg1.Length)); - Assert.IsTrue(Ed25519.Verify(sig, 0, pub, 0, msg2, 0, msg2.Length)); + Assert.IsFalse(Ed25519.Verify(sig, 0, pub, 0, msg1, 0, msg1.Length)); + Assert.IsFalse(Ed25519.Verify(sig, 0, pub, 0, msg2, 0, msg2.Length)); } [Test] public void TamingVector_00() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - ImplTamingVector(0, true, + ImplTamingVector(0, false, "8c93255d71dcab10e8f379c26200f3c7bd5f09d9bc3068d3ef4edeb4853022b6", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a" + @@ -495,8 +510,7 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032.Tests [Test] public void TamingVector_01() { - // TODO Algorithm 2 rejects this because A is one of 8 small order points - ImplTamingVector(1, true, + ImplTamingVector(1, false, "9bd9f44f4dcc75bd531b56b2cd280b0bb38fc1cd6d1230e14861d861de092e79", "c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac03fa", "f7badec5b8abeaf699583992219b7b223f1df3fbbea919844e3f7c554a43dd43" + |