Reject small-order public keys for Ed25519 and Ed448 #10540
Open
Frauschi wants to merge 1 commit into
92256d8 to 47406e2
Frauschi (Contributor, Author):
Jenkins retest this please
Copilot (Contributor):
Pull request overview
This PR adds defense-in-depth checks to Ed25519 and Ed448 public-key handling to reject identity/small-order points at both key-check and signature-verification entry points, and extends test coverage to exercise the new rejection behavior.
Changes:
- Add small-order public key detection to `wc_ed25519_check_key()`/`wc_ed448_check_key()` and to the "final" verification paths to catch even `trusted=1` imports.
- Update wolfcrypt test vectors to reflect the new rejection behavior and add positive-control valid public keys.
- Add new API-level tests to ensure small-order keys are rejected on import and during verification (trusted import bypass path).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| wolfcrypt/src/ed25519.c | Adds `ed25519_is_small_order()` and rejects small-order keys during key check and verify-final. |
| wolfcrypt/src/ed448.c | Adds `ed448_is_small_order()` and rejects small-order keys during key check and verify-final. |
| wolfcrypt/test/test.c | Updates Ed25519/Ed448 key-check tests to expect rejection of the order-2 point and adds positive controls. |
| tests/api/test_ed25519.c | Adds API test to ensure small-order Ed25519 keys are rejected (import + trusted-import verify path). |
| tests/api/test_ed25519.h | Registers the new Ed25519 API test. |
| tests/api/test_ed448.c | Adds API test to ensure small-order Ed448 keys are rejected (import + trusted-import verify path). |
| tests/api/test_ed448.h | Registers the new Ed448 API test. |
Add defense-in-depth checks to wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() that reject the identity
point and other small-order public keys. Honest EdDSA key generation
never produces such keys, but wolfSSL previously accepted them on
import and verification. The guard runs at both entry points so it
holds even when a key is imported with trusted=1. New tests are gated
on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).
47406e2 to 25a1a20
Frauschi (Contributor, Author):
Fixed the Copilot issues
Frauschi (Contributor, Author):
Jenkins retest this please
Add defense-in-depth checks to `wc_ed{25519,448}_check_key()` and `ed{25519,448}_verify_msg_final_with_sha()` that reject the identity point and other small-order public keys. Honest EdDSA key generation never produces such keys, but we previously accepted them on import and verification. The guard runs at both entry points so it holds even when a key is imported with `trusted=1`.

Fixes zd21881. Thanks to piquo, HOOKED! / Majestic Labs for reporting.
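As an added illustration of the check the commit message and PR description describe (my own Python, not wolfSSL's code and not this PR's diff), the script below decodes a 32-byte Ed25519 public key per RFC 8032 and multiplies the resulting point by the curve cofactor 8: only points of order 1, 2, 4 or 8, which is exactly the class of keys the PR rejects, collapse to the identity under that multiplication. It uses pure-Python big-integer arithmetic in affine coordinates so the math is visible; the sample inputs are the standard small-order encodings (the identity, the order-2 point with y = -1, the two order-4 points with y = 0), with the Ed25519 base point and the RFC 8032 test-1 public key as positive controls. The function names (`classify_public_key`, `decode_point`, `in_prime_order_subgroup`) are my own. The same idea applies to Ed448 with cofactor 4 and its own field constants.

```python
"""Added example, not wolfSSL code: classify Ed25519 public keys by order.

Decode the 32-byte key (RFC 8032 section 5.1.3), multiply the point by the
cofactor 8, and reject it if the result is the identity. Pure Python big-int
arithmetic in affine coordinates; written for clarity, not constant time.
"""

P = 2**255 - 19                                   # field prime
D = (-121665 * pow(121666, -1, P)) % P            # curve constant d
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
SQRT_M1 = pow(2, (P - 1) // 4, P)                 # a square root of -1 mod p
COFACTOR = 8
IDENTITY = (0, 1)                                 # neutral element (x=0, y=1)


def inv(a):
    return pow(a % P, -1, P)


def point_add(p1, p2):
    """Twisted Edwards addition (also used for doubling), affine coordinates."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * inv(1 + t) % P
    y3 = (y1 * y2 + x1 * x2) * inv(1 - t) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Plain double-and-add; k is a non-negative integer."""
    result, addend = IDENTITY, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def decode_point(key):
    """Decode a 32-byte little-endian key; return (x, y) or None if not on the curve."""
    if len(key) != 32:
        return None
    y = int.from_bytes(key, "little")
    sign = y >> 255                 # top bit carries the sign of x
    y &= (1 << 255) - 1
    if y >= P:                      # non-canonical y is rejected outright
        return None
    x2 = (y * y - 1) * inv(D * y * y + 1) % P   # x^2 = (y^2 - 1) / (d y^2 + 1)
    x = pow(x2, (P + 3) // 8, P)                # candidate root, valid for p = 5 mod 8
    if (x * x - x2) % P != 0:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P != 0:
        return None                 # x^2 has no square root: not a curve point
    if x == 0 and sign == 1:
        return None                 # "-0" encoding is invalid
    if (x & 1) != sign:
        x = P - x
    return (x, y)


def classify_public_key(key):
    """'invalid' (undecodable), 'small-order' (what the PR now rejects) or 'ok'."""
    pt = decode_point(key)
    if pt is None:
        return "invalid"
    if scalar_mult(COFACTOR, pt) == IDENTITY:
        return "small-order"
    return "ok"


def in_prime_order_subgroup(pt):
    """Stricter test than the cofactor check: L * P must be the identity."""
    return scalar_mult(L, pt) == IDENTITY


# Constructed inputs: the four simplest small-order encodings, plus two valid keys.
SMALL_ORDER_KEYS = {
    "identity, order 1 (y = 1)": bytes.fromhex("01" + "00" * 31),
    "order 2 (y = -1)": bytes.fromhex("ec" + "ff" * 30 + "7f"),
    "order 4 (y = 0, x = sqrt(-1))": bytes(32),
    "order 4 (y = 0, x = -sqrt(-1))": bytes(31) + b"\x80",
}
BASE_POINT_KEY = bytes.fromhex("58" + "66" * 31)          # encoding of B, y = 4/5
RFC8032_TEST1_PUBKEY = bytes.fromhex(
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")

if __name__ == "__main__":
    for label, key in SMALL_ORDER_KEYS.items():
        print(f"{label:34s} -> {classify_public_key(key)}")
    for label, key in (("base point", BASE_POINT_KEY),
                       ("RFC 8032 test 1 key", RFC8032_TEST1_PUBKEY)):
        print(f"{label:34s} -> {classify_public_key(key)}, "
              f"prime-order subgroup: {in_prime_order_subgroup(decode_point(key))}")
```

The cofactor test is what the PR's guard amounts to: it catches every point whose order divides 8, including the identity and the order-2 point the updated wolfcrypt tests check. `in_prime_order_subgroup` is included to show the stricter full-subgroup membership test (L * P = identity) for comparison; the PR itself adds the small-order rejection only.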