packages/ed25519-java
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ed25519-java/CVE-2020-36843.patch
wk333 b8b9364db0 Fix CVE-2020-36843 
(cherry picked from commit fc0eeffa9167728333cee9764a77e77862e2f66e)
2025-03-21 10:24:26 +08:00

56 lines
2.1 KiB
Diff
Raw Blame History

From d7d1dcb5399c61cf2916ccc45aa25b0209c88712 Mon Sep 17 00:00:00 2001
From: zzz <zzz@mail.i2p>
Date: Tue, 12 Mar 2019 12:55:58 +0000
Subject: [PATCH] Crypto: Ed25519 check for S < L as in RFC 8032
Origin: https://github.com/i2p/i2p.i2p/commit/d7d1dcb5399c61cf2916ccc45aa25b0209c88712
---
src/net/i2p/crypto/eddsa/EdDSAEngine.java | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/net/i2p/crypto/eddsa/EdDSAEngine.java b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
index 1f0ba6d..9c55104 100644
--- a/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+++ b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
@@ -12,6 +12,7 @@
package net.i2p.crypto.eddsa;
import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
@@ -30,6 +31,7 @@ import net.i2p.crypto.eddsa.math.Curve;
import net.i2p.crypto.eddsa.math.GroupElement;
import net.i2p.crypto.eddsa.math.ScalarOps;
import sun.security.x509.X509Key;
+import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
/**
* Signing and verification for EdDSA.
@@ -69,6 +71,8 @@ import sun.security.x509.X509Key;
public final class EdDSAEngine extends Signature {
public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+ private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+
private MessageDigest digest;
private ByteArrayOutputStream baos;
private EdDSAKey key;
@@ -306,6 +310,11 @@ public final class EdDSAEngine extends Signature {
h = key.getParams().getScalarOps().reduce(h);
byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+ // RFC 8032
+ BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
+ if (Sbigint.compareTo(ORDER) >= 0)
+ return false;
+
// R = SB - H(Rbar,Abar,M)A
GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink