diff options
| author | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2018-07-24 21:12:57 +0100 |
|---|---|---|
| committer | moneromooo-monero <moneromooo-monero@users.noreply.github.com> | 2018-09-11 13:38:12 +0000 |
| commit | a4317e61b5f48c05bb094f8bfe1a8cc890885a6f (patch) | |
| tree | 0396e132f9b61087280aa4e972418683987df3ed /src/crypto/crypto.cpp | |
| parent | crypto: never return zero in random32_unbiased (diff) | |
| download | monero-a4317e61b5f48c05bb094f8bfe1a8cc890885a6f.tar.xz | |
crypto: some paranoid checks in generate_signature/check_signature
Reported by QuarksLab.
Diffstat (limited to 'src/crypto/crypto.cpp')
| -rw-r--r-- | src/crypto/crypto.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/crypto/crypto.cpp b/src/crypto/crypto.cpp index d6e3b8e0e..ad7721cf0 100644 --- a/src/crypto/crypto.cpp +++ b/src/crypto/crypto.cpp @@ -274,11 +274,18 @@ namespace crypto { #endif buf.h = prefix_hash; buf.key = pub; + try_again: random_scalar(k); + if (((const uint32_t*)(&k))[7] == 0) // we don't want tiny numbers here + goto try_again; ge_scalarmult_base(&tmp3, &k); ge_p3_tobytes(&buf.comm, &tmp3); hash_to_scalar(&buf, sizeof(s_comm), sig.c); + if (!sc_isnonzero((const unsigned char*)sig.c.data)) + goto try_again; sc_mulsub(&sig.r, &sig.c, &unwrap(sec), &k); + if (!sc_isnonzero((const unsigned char*)sig.r.data)) + goto try_again; } bool crypto_ops::check_signature(const hash &prefix_hash, const public_key &pub, const signature &sig) { @@ -292,11 +299,14 @@ namespace crypto { if (ge_frombytes_vartime(&tmp3, &pub) != 0) { return false; } - if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0) { + if (sc_check(&sig.c) != 0 || sc_check(&sig.r) != 0 || !sc_isnonzero(&sig.c)) { return false; } ge_double_scalarmult_base_vartime(&tmp2, &sig.c, &tmp3, &sig.r); ge_tobytes(&buf.comm, &tmp2); + static const ec_point infinity = {{ 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + if (memcmp(&buf.comm, &infinity, 32) == 0) + return false; hash_to_scalar(&buf, sizeof(s_comm), c); sc_sub(&c, &c, &sig.c); return sc_isnonzero(&c) == 0; |