additional sanity checks on invalid input

Author: JacobBarthelmeh

tests/api/test_evp_pkey.c

@@ -1592,9 +1592,19 @@ static int test_wolfSSL_EVP_PKEY_sign_verify(int keyType)
     ExpectIntEQ(EVP_PKEY_verify(
         ctx_verify, sig, siglen, hash, SHA256_DIGEST_LENGTH),
         WOLFSSL_SUCCESS);
-    ExpectIntEQ(EVP_PKEY_verify(
-        ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
-        WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+
+    if (keyType == EVP_PKEY_EC) {
+        /* wolfSSL differs from OpenSSL in that it treats a hash of all 0's as a
+         * fatal error and does not attempt to verify */
+        ExpectIntEQ(EVP_PKEY_verify(
+            ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
+            WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+    }
+    else {
+        ExpectIntEQ(EVP_PKEY_verify(
+            ctx_verify, sig, siglen, zero, SHA256_DIGEST_LENGTH),
+            WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+    }
 
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && \
     !defined(HAVE_SELFTEST)

wolfcrypt/src/ecc.c

@@ -7420,6 +7420,10 @@ int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
        /* may still need bit truncation too */
        if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * inlen) > orderBits)
            mp_rshb(e, (int)(WOLFSSL_BIT_SIZE - (orderBits & 0x7)));
+
+       if (err == MP_OKAY && mp_iszero(e)) {
+           err = ECC_BAD_ARG_E;
+       }
    }
 
    /* make up a key and export the public copy */
@@ -8999,6 +9003,10 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
        /* may still need bit truncation too */
        if (err == MP_OKAY && (WOLFSSL_BIT_SIZE * hashlen) > orderBits)
            mp_rshb(e, (int)(WOLFSSL_BIT_SIZE - (orderBits & 0x7)));
+
+       if (err == MP_OKAY && mp_iszero(e)) {
+           err = ECC_BAD_ARG_E;
+       }
    }
 
    /* check for async hardware acceleration */

wolfcrypt/src/sp_arm32.c

@@ -79334,8 +79334,8 @@ static int sp_256_calc_s_8(sp_digit* s, const sp_digit* r, sp_digit* k,
  * rm       First part of result as an mp_int.
  * sm       Sirst part of result as an mp_int.
  * heap     Heap to use for allocation.
- * returns RNG failures, MEMORY_E when memory allocation fails and
- * MP_OKAY on success.
+ * returns RNG failures, MEMORY_E when memory allocation fails,
+ * ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
  */
 int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng,
     const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -79365,6 +79365,11 @@ int sp_ecc_sign_256(const byte* hash, word32 hashLen, WC_RNG* rng,
         if (hashLen > 32U) {
             hashLen = 32U;
         }
+
+        sp_256_from_bin(e, 8, hash, (int)hashLen);
+        if (sp_256_iszero_8(e)) {
+            err = ECC_BAD_ARG_E;
+        }
     }
 
     for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -79454,12 +79459,25 @@ int sp_ecc_sign_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W
 
     switch (ctx->state) {
     case 0: /* INIT */
+    {
+        word32 hl = hashLen;
+
         ctx->s = ctx->e;
         ctx->kInv = ctx->k;
 
-        ctx->i = SP_ECC_MAX_SIG_GEN;
-        ctx->state = 1;
-        break;
+        if (hl > 32U) {
+            hl = 32U;
+        }
+        sp_256_from_bin(ctx->e, 8, hash, (int)hl);
+        if (sp_256_iszero_8(ctx->e)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            ctx->i = SP_ECC_MAX_SIG_GEN;
+            ctx->state = 1;
+        }
+    }
+    break;
     case 1: /* GEN */
         /* New random point. */
         if (km == NULL || mp_iszero(km)) {
@@ -80576,7 +80594,12 @@ int sp_ecc_verify_256(const byte* hash, word32 hashLen, const mp_int* pX,
         sp_256_from_mp(p2->y, 8, pY);
         sp_256_from_mp(p2->z, 8, pZ);
 
-        err = sp_256_calc_vfy_point_8(p1, p2, s, u1, u2, tmp, heap);
+        if (sp_256_iszero_8(u1)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            err = sp_256_calc_vfy_point_8(p1, p2, s, u1, u2, tmp, heap);
+        }
     }
     if (err == MP_OKAY) {
         /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -80659,6 +80682,10 @@ int sp_ecc_verify_256_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
         sp_256_from_mp(ctx->p2.x, 8, pX);
         sp_256_from_mp(ctx->p2.y, 8, pY);
         sp_256_from_mp(ctx->p2.z, 8, pZ);
+        if (sp_256_iszero_8(ctx->u1)) {
+            err = ECC_BAD_ARG_E;
+            break;
+        }
         ctx->state = 1;
         break;
     case 1: /* NORMS0 */
@@ -97495,8 +97522,8 @@ static int sp_384_calc_s_12(sp_digit* s, const sp_digit* r, sp_digit* k,
  * rm       First part of result as an mp_int.
  * sm       Sirst part of result as an mp_int.
  * heap     Heap to use for allocation.
- * returns RNG failures, MEMORY_E when memory allocation fails and
- * MP_OKAY on success.
+ * returns RNG failures, MEMORY_E when memory allocation fails,
+ * ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
  */
 int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng,
     const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -97526,6 +97553,11 @@ int sp_ecc_sign_384(const byte* hash, word32 hashLen, WC_RNG* rng,
         if (hashLen > 48U) {
             hashLen = 48U;
         }
+
+        sp_384_from_bin(e, 12, hash, (int)hashLen);
+        if (sp_384_iszero_12(e)) {
+            err = ECC_BAD_ARG_E;
+        }
     }
 
     for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -97615,12 +97647,25 @@ int sp_ecc_sign_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W
 
     switch (ctx->state) {
     case 0: /* INIT */
+    {
+        word32 hl = hashLen;
+
         ctx->s = ctx->e;
         ctx->kInv = ctx->k;
 
-        ctx->i = SP_ECC_MAX_SIG_GEN;
-        ctx->state = 1;
-        break;
+        if (hl > 48U) {
+            hl = 48U;
+        }
+        sp_384_from_bin(ctx->e, 12, hash, (int)hl);
+        if (sp_384_iszero_12(ctx->e)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            ctx->i = SP_ECC_MAX_SIG_GEN;
+            ctx->state = 1;
+        }
+    }
+    break;
     case 1: /* GEN */
         /* New random point. */
         if (km == NULL || mp_iszero(km)) {
@@ -98859,7 +98904,12 @@ int sp_ecc_verify_384(const byte* hash, word32 hashLen, const mp_int* pX,
         sp_384_from_mp(p2->y, 12, pY);
         sp_384_from_mp(p2->z, 12, pZ);
 
-        err = sp_384_calc_vfy_point_12(p1, p2, s, u1, u2, tmp, heap);
+        if (sp_384_iszero_12(u1)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            err = sp_384_calc_vfy_point_12(p1, p2, s, u1, u2, tmp, heap);
+        }
     }
     if (err == MP_OKAY) {
         /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -98942,6 +98992,10 @@ int sp_ecc_verify_384_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
         sp_384_from_mp(ctx->p2.x, 12, pX);
         sp_384_from_mp(ctx->p2.y, 12, pY);
         sp_384_from_mp(ctx->p2.z, 12, pZ);
+        if (sp_384_iszero_12(ctx->u1)) {
+            err = ECC_BAD_ARG_E;
+            break;
+        }
         ctx->state = 1;
         break;
     case 1: /* NORMS0 */
@@ -125905,8 +125959,8 @@ static int sp_521_calc_s_17(sp_digit* s, const sp_digit* r, sp_digit* k,
  * rm       First part of result as an mp_int.
  * sm       Sirst part of result as an mp_int.
  * heap     Heap to use for allocation.
- * returns RNG failures, MEMORY_E when memory allocation fails and
- * MP_OKAY on success.
+ * returns RNG failures, MEMORY_E when memory allocation fails,
+ * ECC_BAD_ARG_E with invalid argument, and MP_OKAY on success.
  */
 int sp_ecc_sign_521(const byte* hash, word32 hashLen, WC_RNG* rng,
     const mp_int* priv, mp_int* rm, mp_int* sm, mp_int* km, void* heap)
@@ -125936,6 +125990,15 @@ int sp_ecc_sign_521(const byte* hash, word32 hashLen, WC_RNG* rng,
         if (hashLen > 66U) {
             hashLen = 66U;
         }
+
+        sp_521_from_bin(e, 17, hash, (int)hashLen);
+        if (hashLen == 66U) {
+            sp_521_rshift_17(e, e, 7);
+        }
+
+        if (sp_521_iszero_17(e)) {
+            err = ECC_BAD_ARG_E;
+        }
     }
 
     for (i = SP_ECC_MAX_SIG_GEN; err == MP_OKAY && i > 0; i--) {
@@ -126030,12 +126093,29 @@ int sp_ecc_sign_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash, word32 hashLen, W
 
     switch (ctx->state) {
     case 0: /* INIT */
+    {
+        word32 hl = hashLen;
+
         ctx->s = ctx->e;
         ctx->kInv = ctx->k;
 
-        ctx->i = SP_ECC_MAX_SIG_GEN;
-        ctx->state = 1;
-        break;
+        if (hl > 66U) {
+            hl = 66U;
+        }
+        sp_521_from_bin(ctx->e, 17, hash, (int)hl);
+        if (hl == 66U) {
+            sp_521_rshift_17(ctx->e, ctx->e, 7);
+        }
+
+        if (sp_521_iszero_17(ctx->e)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            ctx->i = SP_ECC_MAX_SIG_GEN;
+            ctx->state = 1;
+        }
+    }
+    break;
     case 1: /* GEN */
         /* New random point. */
         if (km == NULL || mp_iszero(km)) {
@@ -127800,7 +127880,12 @@ int sp_ecc_verify_521(const byte* hash, word32 hashLen, const mp_int* pX,
             sp_521_rshift_17(u1, u1, 7);
         }
 
-        err = sp_521_calc_vfy_point_17(p1, p2, s, u1, u2, tmp, heap);
+        if (sp_521_iszero_17(u1)) {
+            err = ECC_BAD_ARG_E;
+        }
+        else {
+            err = sp_521_calc_vfy_point_17(p1, p2, s, u1, u2, tmp, heap);
+        }
     }
     if (err == MP_OKAY) {
         /* (r + n*order).z'.z' mod prime == (u1.G + u2.Q)->x' */
@@ -127886,6 +127971,10 @@ int sp_ecc_verify_521_nb(sp_ecc_ctx_t* sp_ctx, const byte* hash,
         if (hashLen == 66U) {
             sp_521_rshift_17(ctx->u1, ctx->u1, 7);
         }
+        if (sp_521_iszero_17(ctx->u1)) {
+            err = ECC_BAD_ARG_E;
+            break;
+        }
         ctx->state = 1;
         break;
     case 1: /* NORMS0 */