

EdDsa: check private value after sign
Check the private value hasn't changed during signing with EdDSA.
SparkiDev committed Feb 13, 2024
1 parent 851f059 commit e28d6a7
Showing 3 changed files with 49 additions and 1 deletion.
25 changes: 25 additions & 0 deletions wolfcrypt/src/ed25519.c
Expand Up @@ -22,6 +22,12 @@

/* Based On Daniel J Bernstein's ed25519 Public Domain ref10 work. */


/* Possible Ed25519 enable options:
* WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN Default: OFF
* Check that the private key didn't change during the signing operations.
*/

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
Expand Down Expand Up @@ -304,6 +310,9 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
ALIGN16 byte nonce[WC_SHA512_DIGEST_SIZE];
ALIGN16 byte hram[WC_SHA512_DIGEST_SIZE];
ALIGN16 byte az[ED25519_PRV_KEY_SIZE];
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
byte orig_k[ED25519_KEY_SIZE];
#endif

/* sanity check on arguments */
if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
Expand Down Expand Up @@ -331,6 +340,10 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
}
*outLen = ED25519_SIG_SIZE;

#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
XMEMCPY(orig_k, key->k, ED25519_KEY_SIZE);
#endif

/* step 1: create nonce to use where nonce is r in
r = H(h_b, ... ,h_2b-1,M) */
ret = ed25519_hash(key, key->k, ED25519_KEY_SIZE, az);
Expand Down Expand Up @@ -441,6 +454,18 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
sc_muladd(out + (ED25519_SIG_SIZE/2), hram, az, nonce);
#endif
#endif /* WOLFSSL_SE050 */

#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
{
int i;
byte c = 0;
for (i = 0; i < ED25519_KEY_SIZE; i++) {
c |= key->k[i] ^ orig_k[i];
}
ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
}
#endif

return ret;
}

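Review bot: `ret = ctMaskGT(c, 0) & SIG_VERIFY_E;` at the end of the new WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN block probably does not return SIG_VERIFY_E: if ctMaskGT yields a byte-wide mask (0xFF or 0), as the other ctMask helpers do, ANDing it with the negative error code keeps only the code's low byte, so a detected mismatch becomes a small positive value that callers testing `ret < 0` would treat as success. Widening the mask to all bits first keeps it constant-time and produces the real code, e.g. `ret = (-(int)(ctMaskGT(c, 0) & 1)) & SIG_VERIFY_E;`; the same line appears in the wolfcrypt/src/ed448.c hunk. Unlike the ed448 version this assignment is also unconditional, so a non-zero `ret` left by the preceding `WOLFSSL_SE050` path (if that path does not return early — its body is outside the hunk) would be overwritten; wrapping the block in `if (ret == 0)` as ed448.c does keeps the two consistent. `orig_k` is a second stack copy of the private scalar and is not cleared before `return ret;` in either file; `ForceZero(orig_k, sizeof(orig_k));` after the comparison loop closes that gap. The enclosing wc_ed25519_sign_msg_ex body starts outside the hunk.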
23 changes: 23 additions & 0 deletions wolfcrypt/src/ed448.c
Expand Up @@ -25,6 +25,11 @@
* Reworked for curve448 by Sean Parkinson.
*/

/* Possible Ed448 enable options:
* WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN Default: OFF
* Check that the private key didn't change during the signing operations.
*/

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
Expand Down Expand Up @@ -279,6 +284,9 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
byte hram[ED448_SIG_SIZE];
byte az[ED448_PRV_KEY_SIZE];
int ret = 0;
#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
byte orig_k[ED448_KEY_SIZE];
#endif

/* sanity check on arguments */
if ((in == NULL) || (out == NULL) || (outLen == NULL) || (key == NULL) ||
Expand All @@ -298,6 +306,10 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
if (ret == 0) {
*outLen = ED448_SIG_SIZE;

#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
XMEMCPY(orig_k, key->k, ED448_KEY_SIZE);
#endif

/* step 1: create nonce to use where nonce is r in
r = H(h_b, ... ,h_2b-1,M) */
ret = ed448_hash(key, key->k, ED448_KEY_SIZE, az, sizeof(az));
Expand Down Expand Up @@ -391,6 +403,17 @@ int wc_ed448_sign_msg_ex(const byte* in, word32 inLen, byte* out,
sc448_muladd(out + (ED448_SIG_SIZE/2), hram, az, nonce);
}

#ifdef WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN
if (ret == 0) {
int i;
byte c = 0;
for (i = 0; i < ED448_KEY_SIZE; i++) {
c |= key->k[i] ^ orig_k[i];
}
ret = ctMaskGT(c, 0) & SIG_VERIFY_E;
}
#endif

return ret;
}

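Review bot: The new option comment at the top of the file ("Check that the private key didn't change during the signing operations") overstates what the check covers: the copy and the comparison use ED448_KEY_SIZE, i.e. only the first 57 bytes of `key->k`, which per the ed448.h comment in this commit is the secret half, while the public half stored after it is not compared. Stating that in the comment avoids readers assuming the whole buffer is protected, e.g. `* Check that the secret half of the private key (first ED448_KEY_SIZE bytes of key->k) didn't change during the signing operations.` The same wording applies to the Ed25519 option comment in wolfcrypt/src/ed25519.c, whose check likewise compares ED25519_KEY_SIZE bytes. The enclosing wc_ed448_sign_msg_ex body starts outside the hunk.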
2 changes: 1 addition & 1 deletion wolfssl/wolfcrypt/ed448.h
Expand Up @@ -80,7 +80,7 @@ enum {
/* An ED448 Key */
struct ed448_key {
byte p[ED448_PUB_KEY_SIZE]; /* compressed public key */
byte k[ED448_PRV_KEY_SIZE]; /* private key : 56 secret -- 56 public */
byte k[ED448_PRV_KEY_SIZE]; /* private key : 57 secret -- 57 public */
#ifdef FREESCALE_LTC_ECC
/* uncompressed point coordinates */
byte pointX[ED448_KEY_SIZE]; /* recovered X coordinate */
