diff --git a/src/libsodium/crypto_core/ed25519/core_ed25519.c b/src/libsodium/crypto_core/ed25519/core_ed25519.c
index 312685c0..c11f681d 100644
--- a/src/libsodium/crypto_core/ed25519/core_ed25519.c
+++ b/src/libsodium/crypto_core/ed25519/core_ed25519.c
@@ -1,5 +1,6 @@
 #include
+#include
 #include
 #include "crypto_core_ed25519.h"
@@ -88,8 +89,25 @@ _string_to_points(unsigned char * const px, size_t n, const char *suite,
 size_t ctx_len = ctx != NULL ? strlen(ctx) : 0U;
 size_t i, j;
- if (n > 2U || suite_len > 0xff || ctx_len > 0xff - suite_len) {
- return -1;
+ /* LCOV_EXCL_START */
+ if (n > 2U || suite_len > 0xff) {
+ abort();
+ }
+ /* LCOV_EXCL_END */
+ if (ctx_len > 0xff - suite_len) {
+ crypto_hash_sha512_init(&st);
+ crypto_hash_sha512_update(&st, "H2C-OVERSIZE-DST-",
+ sizeof "H2C-OVERSIZE-DST-" - 1U);
+ crypto_hash_sha512_update(&st, (const unsigned char *) suite, suite_len);
+ crypto_hash_sha512_update(&st, (const unsigned char *) ctx, ctx_len);
+ crypto_hash_sha512_final(&st, u0);
+ ctx = (const char *) u0;
+ ctx_len = HASH_BYTES;
+ /* LCOV_EXCL_START */
+ if (ctx_len > 0xff - suite_len) {
+ abort();
+ }
+ /* LCOV_EXCL_END */
 }
 crypto_hash_sha512_init(&st);
 crypto_hash_sha512_update(&st, empty_block, sizeof empty_block);
diff --git a/test/default/core_ed25519_h2c.c b/test/default/core_ed25519_h2c.c
index 177fdeb5..4ac70a6b 100644
--- a/test/default/core_ed25519_h2c.c
+++ b/test/default/core_ed25519_h2c.c
@@ -50,7 +50,9 @@ main(void)
 {
 unsigned char *expected_yr, *expected_y, *y;
 char * expected_y_hex, *y_hex;
+ char * oversized_ctx;
 size_t i, j;
+ size_t oversized_ctx_len = 250U;
 expected_yr = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
 expected_y = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
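Review bot: In the `@@ -88,8 +89,25 @@` hunk of core_ed25519.c the hashed tag is written into `u0` and `ctx` is then pointed at it (`ctx = (const char *) u0;`), so `ctx` stays valid only while nothing else writes `u0`. The rest of `_string_to_points` is outside the hunk, but if `u0` is also the output of a later `crypto_hash_sha512_final` while `ctx` is still passed to further updates, those updates would read the overwritten bytes instead of the hashed tag. A dedicated buffer removes the aliasing: declare `unsigned char ctx_hash[HASH_BYTES];` and use `crypto_hash_sha512_final(&st, ctx_hash); ctx = (const char *) ctx_hash;`. Separately, the `n > 2U || suite_len > 0xff` case now calls `abort()` where it used to `return -1`; if the invariant is that both values are fixed by the library and never by the caller, a comment such as `/* n and suite are set by the library, never by the caller */` would record why aborting the process is acceptable there.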
@@ -97,6 +99,21 @@ main(void)
 printf("Failed with empty parameters");
 }
+ oversized_ctx = sodium_malloc(oversized_ctx_len);
+ memset(oversized_ctx, 'X', oversized_ctx_len - 1U);
+ oversized_ctx[oversized_ctx_len - 1U] = 0;
+ crypto_core_ed25519_from_string(y, oversized_ctx,
+ (const unsigned char *) "msg", 3U);
+ sodium_bin2hex(y_hex, crypto_core_ed25519_BYTES * 2U + 1U, y,
+ crypto_core_ed25519_BYTES);
+ printf("NU with oversized context: %s\n", y_hex);
+ crypto_core_ed25519_from_string_ro(y, oversized_ctx,
+ (const unsigned char *) "msg", 3U);
+ sodium_bin2hex(y_hex, crypto_core_ed25519_BYTES * 2U + 1U, y,
+ crypto_core_ed25519_BYTES);
+ printf("RO with oversized context: %s\n", y_hex);
+
+ sodium_free(oversized_ctx);
 sodium_free(y_hex);
 sodium_free(expected_y_hex);
 sodium_free(y);
diff --git a/test/default/core_ed25519_h2c.exp b/test/default/core_ed25519_h2c.exp
index d86bac9d..f3dae4de 100644
--- a/test/default/core_ed25519_h2c.exp
+++ b/test/default/core_ed25519_h2c.exp
@@ -1 +1,3 @@
+NU with oversized context: b811f71786d032196a8a07d90393084ac4dbec5506590cd96be0f5a92f084298
+RO with oversized context: 5948dc10765f78b8f183377a7af622b205ce8bb62de98254c203b512a9ef966b
 OK
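Review bot: The two new calls in the `@@ -97,6 +99,21 @@` hunk of core_ed25519_h2c.c discard the return values of `crypto_core_ed25519_from_string` and `crypto_core_ed25519_from_string_ro`, so a failure would surface only as a hex mismatch against the .exp file, printed from whatever `y` held before. Guarding each call, e.g. `if (crypto_core_ed25519_from_string(y, oversized_ctx, (const unsigned char *) "msg", 3U) != 0) { printf("Failed with oversized context\n"); }`, makes the cause visible in the test output. The test also covers a single context length (249 characters); adding cases on either side of the length at which the tag stops fitting in one byte would pin down the switch to the hashed form. `main` starts and ends outside the hunk.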