Reject small-order public keys for Edwards and Montgomery curves#10540
Open
Frauschi wants to merge 1 commit into
Conversation
A public key that is the identity or another small-order point makes h*A vanish during EdDSA verification, so a forged (R = [S]B, S) pair verifies for any message; for X25519/X448 ECDH the same input yields a low-entropy shared secret the peer fully controls. Honest key generation never produces such keys, but we did not reject them on import or verification. wc_ed{25519,448}_check_key() and ed{25519,448}_verify_msg_final_with_sha() now reject every small-order encoding; wc_curve25519_check_public() rejects the two intermediate u-coordinates the range checks missed; and wc_curve{25519,448}_import_public_ex() now invoke check_public() on peer-supplied input. New tests are gated on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
Reject small-order public keys for Ed25519, Ed448, and X25519, and validate peer-supplied public keys on import for X25519/X448.
Honest EdDSA/ECDH key generation never produces points of small order, but we previously accepted them, which weakens the contributory property of X25519/X448 ECDH (a small-order peer key yields a low-entropy shared secret the peer fully controls) and removes a defense-in-depth layer for EdDSA public-key validation. This change adds explicit rejection at both key-import and signature-verification time, and closes a related gap where wc_curve{25519,448}_import_public_ex() were not running their existing check_public() validation on peer-supplied keys. All new behavior is gated on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0) so existing FIPS-certified modules are unaffected. Fixes zd21881. Thanks to piquo, HOOKED! / Majestic Labs for reporting.
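An added example, not wolfSSL's code and not part of this PR, of the import-time check the description calls for, written in Python for readability: an RFC 7748 Montgomery ladder plus a validation step that rejects every small-order u-coordinate by computing [8]u instead of matching a fixed list, so it catches the two intermediate order-8 values as well as 0, 1, p-1 and their non-reduced encodings. The two order-8 hex values are the well-known entries from libsodium's blocklist; all function names are this example's own.

```python
P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for A = 486662
# The two order-8 u-coordinates (libsodium's blocklist values); the remaining
# small-order encodings are 0, 1, p-1 and the non-reduced p and p+1.
ORDER8_U = (
    bytes.fromhex("e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800"),
    bytes.fromhex("5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157"),
)

def decode_u(u_bytes: bytes) -> int:
    """Little-endian u-coordinate with the top bit masked, as RFC 7748 decodes it."""
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)

def clamp(k_bytes: bytes) -> int:
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254."""
    k = bytearray(k_bytes)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748: affine u of [k]u, 0 for the identity."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P   # z2 == 0 (the identity) maps to 0

def is_small_order(u_bytes: bytes) -> bool:
    """True when the point's order divides the cofactor 8, i.e. [8]u is the identity."""
    return ladder(8, decode_u(u_bytes)) == 0

def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    """ECDH that validates the peer key on import and keeps RFC 7748's all-zero check."""
    if is_small_order(u_bytes):
        raise ValueError("small-order public key rejected")
    out = ladder(clamp(k_bytes), decode_u(u_bytes))
    if out == 0:
        raise ValueError("all-zero shared secret")
    return out.to_bytes(32, "little")
```

The [8]u test costs one extra ladder per import; an implementation that already has the blocklist can keep it and use this check as a cross-check in tests.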