Reject small-order public keys for Edwards and Montgomery curves

A public key that is the identity or another small-order point makes
h*A vanish during EdDSA verification, so a forged (R = [S]B, S) pair
verifies for any message; for X25519/X448 ECDH the same input yields a
low-entropy shared secret the peer fully controls. Honest key
generation never produces such keys, but we did not reject them on
import or verification. wc_ed{25519,448}_check_key() and
ed{25519,448}_verify_msg_final_with_sha() now reject every small-order
encoding; wc_curve25519_check_public() rejects the two intermediate
u-coordinates the range checks missed; and wc_curve{25519,448}_
import_public_ex() now invoke check_public() on peer-supplied input.
New tests are gated on !HAVE_FIPS || FIPS_VERSION3_GE(7,0,0).

Author: Frauschi

tests/api/test_curve25519.c

@@ -517,8 +517,32 @@ int test_wc_curve25519_import_private_raw_ex(void)
         &key, endian), WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
     ExpectIntEQ(wc_curve25519_import_private_raw_ex(priv, privSz, pub, 0,
         &key, endian), WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
+#if !defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)
+    {
+        byte privLE[CURVE25519_KEYSIZE];
+        byte pubLE[CURVE25519_KEYSIZE];
+        word32 privLESz = sizeof(privLE);
+        word32 pubLESz = sizeof(pubLE);
+
+        /* wc_curve25519_import_public_ex() now calls check_public() on
+         * the input, so we must export the public half in little-endian
+         * to round-trip through an LE import. On older FIPS modules
+         * import_public_ex skipped validation and accepted the
+         * BE-encoded bytes labelled as LE; we keep that behaviour
+         * exercised below for those builds. */
+        ExpectIntEQ(wc_curve25519_export_private_raw_ex(&key, privLE,
+            &privLESz, EC25519_LITTLE_ENDIAN), 0);
+        ExpectIntEQ(wc_curve25519_export_public_ex(&key, pubLE, &pubLESz,
+            EC25519_LITTLE_ENDIAN), 0);
+        ExpectIntEQ(wc_curve25519_import_private_raw_ex(privLE, privLESz,
+            pubLE, pubLESz, &key, EC25519_LITTLE_ENDIAN), 0);
+    }
+#else
+    /* Older FIPS behaviour: BE-encoded pub accepted under LE flag
+     * because import_public_ex did not run check_public(). */
     ExpectIntEQ(wc_curve25519_import_private_raw_ex(priv, privSz, pub, pubSz,
         &key, EC25519_LITTLE_ENDIAN), 0);
+#endif
 
     DoExpectIntEQ(wc_FreeRng(&rng), 0);
     wc_curve25519_free(&key);
@@ -666,3 +690,88 @@ int test_wc_Curve25519KeyToDer_oneasymkey_version(void)
     return EXPECT_RESULT();
 }
 
+/* Defence-in-depth: wc_curve25519_check_public() must reject every known
+ * small-order Curve25519 u-coordinate. A small-order public key during
+ * ECDH leaks information about the private scalar; clamping bounds but
+ * does not eliminate the leakage. Gated on FIPS_VERSION3_GE(7,0,0)
+ * because older FIPS-certified modules do not have this check in their
+ * frozen copy of curve25519.c and would fail this test. */
+int test_wc_curve25519_reject_small_order_keys(void)
+{
+    EXPECT_DECLS;
+#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
+    defined(HAVE_CURVE25519)
+    /* All seven small-order Curve25519 u-coordinates, little-endian. */
+    static const byte small_order_u[][CURVE25519_KEYSIZE] = {
+        /* u = 0 */
+        {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+        /* u = 1 */
+        {0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+        /* u = 32558...104 (small order) */
+        {0xe0,0xeb,0x7a,0x7c,0x3b,0x41,0xb8,0xae,
+         0x16,0x56,0xe3,0xfa,0xf1,0x9f,0xc4,0x6a,
+         0xda,0x09,0x8d,0xeb,0x9c,0x32,0xb1,0xfd,
+         0x86,0x62,0x05,0x16,0x5f,0x49,0xb8,0x00},
+        /* u = 39382...823 (small order) */
+        {0x5f,0x9c,0x95,0xbc,0xa3,0x50,0x8c,0x24,
+         0xb1,0xd0,0xb1,0x55,0x9c,0x83,0xef,0x5b,
+         0x04,0x44,0x5c,0xc4,0x58,0x1c,0x8e,0x86,
+         0xd8,0x22,0x4e,0xdd,0xd0,0x9f,0x11,0x57},
+        /* u = p - 1 */
+        {0xec,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f},
+        /* u = p */
+        {0xed,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f},
+        /* u = p + 1 */
+        {0xee,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f},
+    };
+    byte be[CURVE25519_KEYSIZE];
+    word32 i, j;
+
+    for (i = 0; i < sizeof(small_order_u) / CURVE25519_KEYSIZE; i++) {
+        /* Reject in little-endian form. */
+        ExpectIntEQ(wc_curve25519_check_public(small_order_u[i],
+            CURVE25519_KEYSIZE, EC25519_LITTLE_ENDIAN),
+            WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
+
+        /* Reject in big-endian form (byte-reversed). */
+        for (j = 0; j < CURVE25519_KEYSIZE; j++)
+            be[j] = small_order_u[i][CURVE25519_KEYSIZE - 1 - j];
+        ExpectIntEQ(wc_curve25519_check_public(be, CURVE25519_KEYSIZE,
+            EC25519_BIG_ENDIAN), WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
+    }
+
+    /* Higher-level entry point: wc_curve25519_import_public_ex() must
+     * also fail because it calls check_public() during the import. This
+     * pins that the unit-level guard is reachable through the API real
+     * callers use. */
+#ifdef HAVE_CURVE25519_KEY_IMPORT
+    {
+        curve25519_key key;
+
+        XMEMSET(&key, 0, sizeof(key));
+        ExpectIntEQ(wc_curve25519_init(&key), 0);
+        ExpectIntEQ(wc_curve25519_import_public_ex(small_order_u[0],
+            CURVE25519_KEYSIZE, &key, EC25519_LITTLE_ENDIAN),
+            WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
+        wc_curve25519_free(&key);
+    }
+#endif
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_curve25519.h

@@ -37,6 +37,7 @@ int test_wc_curve25519_import_private_raw_ex(void);
 int test_wc_curve25519_import_private(void);
 int test_wc_curve25519_priv_clamp_check(void);
 int test_wc_Curve25519KeyToDer_oneasymkey_version(void);
+int test_wc_curve25519_reject_small_order_keys(void);
 
 #define TEST_CURVE25519_DECLS                                                  \
     TEST_DECL_GROUP("curve25519", test_wc_curve25519_init),                    \
@@ -51,6 +52,7 @@ int test_wc_Curve25519KeyToDer_oneasymkey_version(void);
     TEST_DECL_GROUP("curve25519", test_wc_curve25519_import_private_raw_ex),   \
     TEST_DECL_GROUP("curve25519", test_wc_curve25519_import_private),          \
     TEST_DECL_GROUP("curve25519", test_wc_curve25519_priv_clamp_check),        \
-    TEST_DECL_GROUP("curve25519", test_wc_Curve25519KeyToDer_oneasymkey_version)
+    TEST_DECL_GROUP("curve25519", test_wc_Curve25519KeyToDer_oneasymkey_version), \
+    TEST_DECL_GROUP("curve25519", test_wc_curve25519_reject_small_order_keys)
 
 #endif /* WOLFCRYPT_TEST_CURVE25519_H */

tests/api/test_ed25519.c

@@ -725,3 +725,109 @@ int test_wc_Ed25519KeyToDer_oneasymkey_version(void)
     return EXPECT_RESULT();
 }
 
+/* Ed25519 identity and small-order public keys must be rejected. When
+ * the public key is the identity point (or any small-order point), any
+ * signature of the form (R = [S]B, S) verifies for arbitrary messages
+ * because h*A is the neutral element. Gated on FIPS_VERSION3_GE(7,0,0)
+ * because older FIPS-certified modules do not have this check in their
+ * frozen copy of ed25519.c and would fail this test. */
+int test_wc_ed25519_reject_small_order_keys(void)
+{
+    EXPECT_DECLS;
+#if (!defined(HAVE_FIPS) || FIPS_VERSION3_GE(7,0,0)) && \
+    defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
+    /* Each entry holds an encoded small-order Ed25519 public key. The
+     * sign-bit variants of each y-coordinate are listed explicitly so
+     * the test catches both possible encodings of each y. */
+    static const byte small_order_keys[][ED25519_PUB_KEY_SIZE] = {
+        /* identity (y = 1) */
+        {0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+        /* identity with x-sign bit set */
+        {0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},
+        /* order 2: y = p - 1 */
+        {0xec,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+         0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x7f},
+        /* order 4: y = 0 */
+        {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+        /* order 4 with x-sign bit set */
+        {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+         0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80},
+        /* order 8 */
+        {0x26,0xe8,0x95,0x8f,0xc2,0xb2,0x27,0xb0,
+         0x45,0xc3,0xf4,0x89,0xf2,0xef,0x98,0xf0,
+         0xd5,0xdf,0xac,0x05,0xd3,0xc6,0x33,0x39,
+         0xb1,0x38,0x02,0x88,0x6d,0x53,0xfc,0x05},
+        /* order 8 with x-sign bit set */
+        {0x26,0xe8,0x95,0x8f,0xc2,0xb2,0x27,0xb0,
+         0x45,0xc3,0xf4,0x89,0xf2,0xef,0x98,0xf0,
+         0xd5,0xdf,0xac,0x05,0xd3,0xc6,0x33,0x39,
+         0xb1,0x38,0x02,0x88,0x6d,0x53,0xfc,0x85},
+        /* order 8 (other y) */
+        {0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f,
+         0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f,
+         0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6,
+         0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0x7a},
+        /* order 8 (other y) with x-sign bit set */
+        {0xc7,0x17,0x6a,0x70,0x3d,0x4d,0xd8,0x4f,
+         0xba,0x3c,0x0b,0x76,0x0d,0x10,0x67,0x0f,
+         0x2a,0x20,0x53,0xfa,0x2c,0x39,0xcc,0xc6,
+         0x4e,0xc7,0xfd,0x77,0x92,0xac,0x03,0xfa},
+    };
+    /* Forged signature: R = B (base point), S = 1.
+     * With public key A = identity, S*B - h*A = B = R for any message. */
+    static const byte forged_sig[ED25519_SIG_SIZE] = {
+        0x58,0x66,0x66,0x66,0x66,0x66,0x66,0x66,
+        0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,
+        0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,
+        0x66,0x66,0x66,0x66,0x66,0x66,0x66,0x66,
+        0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+    };
+    ed25519_key key;
+    word32 i;
+
+    for (i = 0; i < sizeof(small_order_keys) / ED25519_PUB_KEY_SIZE; i++) {
+        XMEMSET(&key, 0, sizeof(key));
+        ExpectIntEQ(wc_ed25519_init(&key), 0);
+        ExpectIntEQ(wc_ed25519_import_public(small_order_keys[i],
+            ED25519_PUB_KEY_SIZE, &key),
+            WC_NO_ERR_TRACE(PUBLIC_KEY_E));
+        wc_ed25519_free(&key);
+    }
+
+    /* Defence-in-depth: even a "trusted" import (which bypasses
+     * wc_ed25519_check_key) must not let wc_ed25519_verify_msg accept a
+     * forged signature against an identity public key. */
+    {
+        const char* msg = "forged message";
+        int verify_result = 1;
+
+        XMEMSET(&key, 0, sizeof(key));
+        ExpectIntEQ(wc_ed25519_init(&key), 0);
+        ExpectIntEQ(wc_ed25519_import_public_ex(small_order_keys[0],
+            ED25519_PUB_KEY_SIZE, &key, 1), 0);
+        ExpectIntEQ(wc_ed25519_verify_msg(forged_sig, sizeof(forged_sig),
+            (const byte*)msg, (word32)XSTRLEN(msg), &verify_result, &key),
+            WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+        ExpectIntEQ(verify_result, 0);
+        wc_ed25519_free(&key);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_ed25519.h

@@ -37,6 +37,7 @@ int test_wc_Ed25519PublicKeyToDer(void);
 int test_wc_Ed25519KeyToDer(void);
 int test_wc_Ed25519PrivateKeyToDer(void);
 int test_wc_Ed25519KeyToDer_oneasymkey_version(void);
+int test_wc_ed25519_reject_small_order_keys(void);
 
 #define TEST_ED25519_DECLS                                          \
     TEST_DECL_GROUP("ed25519", test_wc_ed25519_make_key),           \
@@ -51,6 +52,7 @@ int test_wc_Ed25519KeyToDer_oneasymkey_version(void);
     TEST_DECL_GROUP("ed25519", test_wc_Ed25519PublicKeyToDer),      \
     TEST_DECL_GROUP("ed25519", test_wc_Ed25519KeyToDer),            \
     TEST_DECL_GROUP("ed25519", test_wc_Ed25519PrivateKeyToDer),     \
-    TEST_DECL_GROUP("ed25519", test_wc_Ed25519KeyToDer_oneasymkey_version)
+    TEST_DECL_GROUP("ed25519", test_wc_Ed25519KeyToDer_oneasymkey_version), \
+    TEST_DECL_GROUP("ed25519", test_wc_ed25519_reject_small_order_keys)
 
 #endif /* WOLFCRYPT_TEST_ED25519_H */