From eb28464a8bf8652a2b49d2ed765801d7c0aa195d Mon Sep 17 00:00:00 2001
From: Tim Ruffing
Date: Tue, 31 Mar 2020 13:40:37 +0200
Subject: [PATCH] Change SHA256 byte counter from size_t to uint64_t

This avoids that the SHA256 implementation would produce wrong paddings and thus wrong digests for messages of length >= 2^32 bytes on 32-bit platforms. This is not exploitable in any way since the SHA256 API is an internal API and we never call it with that long messages.
---
 src/hash.h | 2 +-
 src/hash_impl.h | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/hash.h b/src/hash.h
index 0947a09..7da6770 100644
--- a/src/hash.h
+++ b/src/hash.h
@@ -13,7 +13,7 @@
 typedef struct {
 uint32_t s[8];
 uint32_t buf[16]; /* In big endian */
- size_t bytes;
+ uint64_t bytes;
 } secp256k1_sha256;

 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
diff --git a/src/hash_impl.h b/src/hash_impl.h
index f8cd3a1..18342bb 100644
--- a/src/hash_impl.h
+++ b/src/hash_impl.h
@@ -153,6 +153,8 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
 uint32_t sizedesc[2];
 uint32_t out[8];
 int i = 0;
+ /* The maximum message size of SHA256 is 2^64-1 bits. */
+ VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
 sizedesc[0] = BE32(hash->bytes >> 29);
 sizedesc[1] = BE32(hash->bytes << 3);
 secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
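Review bot: The widened `bytes` field in `secp256k1_sha256` has no comment saying why it is 64-bit, so a later cleanup could turn it back into `size_t` and reintroduce the wrong padding. I would write it as `uint64_t bytes; /* total bytes hashed; 64-bit so the length padding stays correct for >= 2^32 bytes on 32-bit platforms */`. Code outside this patch that copies `hash->bytes` into a `size_t` is not visible here and is worth checking for implicit narrowing after the type change.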
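Review bot: The new `VERIFY_CHECK` in `secp256k1_sha256_finalize` enforces the length limit only in builds where that macro is active. Its definition is not part of this patch, and if it compiles to nothing in production builds, an over-long message would still be padded with a wrapped bit count. That is consistent with the commit message's point that no internal caller gets near the limit, but the comment should say so and tie bits to bytes, e.g. `/* SHA256 takes at most 2^64-1 bits, i.e. fewer than 2^61 bytes; asserted only, internal callers never get close. */`. Separately, `hash->bytes >> 29` and `hash->bytes << 3` are now 64-bit expressions narrowed implicitly into `uint32_t sizedesc[2]`, and a cast such as `sizedesc[1] = BE32((uint32_t)(hash->bytes << 3));` would make the intended truncation explicit. The function body starts and ends outside the hunk.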