7d5fbbbfb8
Allow for shorter ecdsa signatures by padding them to full length
336 lines
16 KiB
Diff
336 lines
16 KiB
Diff
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
|
|
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
|
|
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
|
|
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
|
|
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
|
|
|
|
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
|
|
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
|
|
+const uint8_t kP521SpkiUnpaddedSig[] = {
|
|
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
|
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
|
|
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
|
|
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
|
|
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
|
|
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
|
|
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
|
|
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
|
|
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
|
|
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
|
|
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
|
|
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
|
|
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
|
|
+ 0xe2, 0x9f};
|
|
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
|
|
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
|
|
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
|
|
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
|
|
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
|
|
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
|
|
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
|
|
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
|
|
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
|
|
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
|
|
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
|
|
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
|
|
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
|
|
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
|
|
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
|
|
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
|
|
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
|
|
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
|
|
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
|
|
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
|
|
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
|
|
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
|
|
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
|
|
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
|
|
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
|
|
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
|
|
+const uint8_t kP384SpkiUnpaddedSig[] = {
|
|
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
|
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
|
|
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
|
|
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
|
|
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
|
|
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
|
|
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
|
|
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
|
|
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
|
|
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
|
|
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
|
|
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
|
|
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
|
|
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
|
|
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
|
|
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
|
|
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
|
|
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
|
|
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
|
|
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
|
|
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
|
|
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
|
|
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
|
|
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
|
|
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
|
|
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
|
|
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
|
|
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
|
|
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
|
|
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
|
|
+const uint8_t kP256SpkiUnpaddedSig[] = {
|
|
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
|
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
|
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
|
|
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
|
|
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
|
|
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
|
|
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
|
|
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
|
|
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
|
|
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
|
|
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
|
|
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
|
|
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
|
|
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
|
|
+ 0xcf, 0x61, 0x91, 0x5f};
|
|
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
|
|
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
|
|
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
|
|
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
|
|
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
|
|
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
|
|
+ 0x78, 0xc4};
|
|
} // namespace nss_test
|
|
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
|
|
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
|
|
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
|
|
SEC_OID_SECG_EC_SECP521R1,
|
|
SEC_OID_CURVE25519));
|
|
|
|
+class Pkcs11EcdsaUnpaddedSignatureTest
|
|
+ : public Pkcs11EcdsaTestBase,
|
|
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
|
|
+ public:
|
|
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
|
|
+};
|
|
+
|
|
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
|
|
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
|
|
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
|
|
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
|
|
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
|
|
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
|
|
+ {SEC_OID_SHA512,
|
|
+ {DataBuffer(NULL, 0),
|
|
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
|
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
|
|
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
|
|
+};
|
|
+
|
|
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
|
|
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
|
|
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
|
|
} // namespace nss_test
|
|
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
|
|
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
|
|
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
{
|
|
SECStatus res = SECSuccess;
|
|
|
|
+ unsigned char _padded_sig_data[64] = { 0 };
|
|
+ unsigned char *sig_r, *sig_s;
|
|
+
|
|
if (!key || !signature || !digest ||
|
|
!key->publicValue.data ||
|
|
!signature->data || !digest->data ||
|
|
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
- if (key->publicValue.len != 65 ||
|
|
- digest->len == 0 ||
|
|
- signature->len != 64) {
|
|
+ unsigned int olen = key->ecParams.order.len;
|
|
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
+ signature->len > 2 * olen ||
|
|
+ digest->len == 0 || key->publicValue.len != 65) {
|
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
res = SECFailure;
|
|
return res;
|
|
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
|
|
+ if (signature->len != 64) {
|
|
+ unsigned split = signature->len / 2;
|
|
+ unsigned pad = 32 - split;
|
|
+
|
|
+ unsigned char *o_sig = signature->data;
|
|
+ unsigned char *p_sig = _padded_sig_data;
|
|
+
|
|
+ memcpy(p_sig + pad, o_sig, split);
|
|
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
|
|
+
|
|
+ sig_r = p_sig;
|
|
+ sig_s = p_sig + 32;
|
|
+ } else {
|
|
+ sig_r = signature->data;
|
|
+ sig_s = signature->data + 32;
|
|
+ }
|
|
+
|
|
+
|
|
uint8_t hash[32] = { 0 };
|
|
if (digest->len < 32) {
|
|
memcpy(hash + 32 - digest->len, digest->data, digest->len);
|
|
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
bool b = Hacl_P256_ecdsa_verif_without_hash(
|
|
32, hash,
|
|
key->publicValue.data + 1,
|
|
- signature->data, signature->data + 32);
|
|
+ sig_r, sig_s);
|
|
if (!b) {
|
|
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
res = SECFailure;
|
|
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
|
|
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
|
|
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
{
|
|
SECStatus res = SECSuccess;
|
|
|
|
+ unsigned char _padded_sig_data[96] = { 0 };
|
|
+ unsigned char *sig_r, *sig_s;
|
|
+
|
|
if (!key || !signature || !digest ||
|
|
!key->publicValue.data ||
|
|
!signature->data || !digest->data ||
|
|
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
- if (key->publicValue.len != 97 ||
|
|
- digest->len == 0 ||
|
|
- signature->len != 96) {
|
|
+ unsigned int olen = key->ecParams.order.len;
|
|
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
+ signature->len > 2 * olen ||
|
|
+ digest->len == 0 || key->publicValue.len != 97) {
|
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
res = SECFailure;
|
|
return res;
|
|
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
|
|
+ if (signature->len != 96) {
|
|
+ unsigned split = signature->len / 2;
|
|
+ unsigned pad = 48 - split;
|
|
+
|
|
+ unsigned char *o_sig = signature->data;
|
|
+ unsigned char *p_sig = _padded_sig_data;
|
|
+
|
|
+ memcpy(p_sig + pad, o_sig, split);
|
|
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
|
|
+
|
|
+ sig_r = p_sig;
|
|
+ sig_s = p_sig + 48;
|
|
+ } else {
|
|
+ sig_r = signature->data;
|
|
+ sig_s = signature->data + 48;
|
|
+ }
|
|
+
|
|
uint8_t hash[48] = { 0 };
|
|
if (digest->len < 48) {
|
|
memcpy(hash + 48 - digest->len, digest->data, digest->len);
|
|
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
bool b = Hacl_P384_ecdsa_verif_without_hash(
|
|
48, hash,
|
|
key->publicValue.data + 1,
|
|
- signature->data, signature->data + 48);
|
|
+ sig_r, sig_s);
|
|
if (!b) {
|
|
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
res = SECFailure;
|
|
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
|
|
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
|
|
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
{
|
|
SECStatus res = SECSuccess;
|
|
|
|
+ unsigned char _padded_sig_data[132] = { 0 };
|
|
+ unsigned char *sig_r, *sig_s;
|
|
+
|
|
if (!key || !signature || !digest ||
|
|
!key->publicValue.data ||
|
|
!signature->data || !digest->data ||
|
|
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
- if (key->publicValue.len != 133 ||
|
|
- digest->len == 0 ||
|
|
- signature->len != 132) {
|
|
+ unsigned int olen = key->ecParams.order.len;
|
|
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
+ signature->len > 2 * olen ||
|
|
+ digest->len == 0 || key->publicValue.len != 133) {
|
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
res = SECFailure;
|
|
return res;
|
|
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
return res;
|
|
}
|
|
|
|
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
|
|
+ if (signature->len != 132) {
|
|
+ unsigned split = signature->len / 2;
|
|
+ unsigned pad = 66 - split;
|
|
+
|
|
+ unsigned char *o_sig = signature->data;
|
|
+ unsigned char *p_sig = _padded_sig_data;
|
|
+
|
|
+ memcpy(p_sig + pad, o_sig, split);
|
|
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
|
|
+
|
|
+ sig_r = p_sig;
|
|
+ sig_s = p_sig + 66;
|
|
+ } else {
|
|
+ sig_r = signature->data;
|
|
+ sig_s = signature->data + 66;
|
|
+ }
|
|
+
|
|
uint8_t hash[66] = { 0 };
|
|
if (digest->len < 66) {
|
|
memcpy(hash + 66 - digest->len, digest->data, digest->len);
|
|
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
bool b = Hacl_P521_ecdsa_verif_without_hash(
|
|
66, hash,
|
|
key->publicValue.data + 1,
|
|
- signature->data, signature->data + 66);
|
|
+ sig_r, sig_s);
|
|
if (!b) {
|
|
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
res = SECFailure;
|