Change SHA256 byte counter from size_t to uint64_t

This prevents the SHA256 implementation from producing wrong padding,
and thus wrong digests, for messages of length >= 2^32 bytes on 32-bit
platforms.

This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with messages that long.
Tim Ruffing 2020-03-31 13:40:37 +02:00
parent ac83be33d0
commit eb28464a8b
2 changed files with 3 additions and 1 deletions


@ -13,7 +13,7 @@
typedef struct { typedef struct {
uint32_t s[8]; uint32_t s[8];
uint32_t buf[16]; /* In big endian */ uint32_t buf[16]; /* In big endian */
size_t bytes; uint64_t bytes;
} secp256k1_sha256; } secp256k1_sha256;
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash); static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
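Review bot: The `bytes` field has no comment saying what it counts or why it is 64 bits wide, which makes it easy for a later cleanup to turn it back into `size_t`. I would add `uint64_t bytes; /* Total bytes written; 64-bit so the length padding stays correct for >= 2^32 bytes on 32-bit platforms */`. Code outside this hunk that adds a `size_t` length to the counter, or copies it into a narrower variable, should be checked for implicit conversions; none is visible here.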


@ -153,6 +153,8 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
uint32_t sizedesc[2]; uint32_t sizedesc[2];
uint32_t out[8]; uint32_t out[8];
int i = 0; int i = 0;
/* The maximum message size of SHA256 is 2^64-1 bits. */
VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
sizedesc[0] = BE32(hash->bytes >> 29); sizedesc[0] = BE32(hash->bytes >> 29);
sizedesc[1] = BE32(hash->bytes << 3); sizedesc[1] = BE32(hash->bytes << 3);
secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
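Review bot: The `VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61))` added at the top of this hunk is the only guard on the length encoding. If VERIFY_CHECK is compiled out of non-test builds (its definition is not on this page), a counter at or above 2^61 would still be truncated silently by `hash->bytes >> 29` in a production build. The comment above the check states the limit in bits while the check is in bytes; I would word it as `/* The maximum message size of SHA256 is 2^64-1 bits, i.e. fewer than 2^61 bytes. */`. The two `sizedesc` assignments now narrow a uint64_t to uint32_t implicitly; `BE32((uint32_t)(hash->bytes >> 29))` and `BE32((uint32_t)(hash->bytes << 3))` would make the intended truncation explicit and keep conversion warnings quiet. The body of secp256k1_sha256_finalize continues outside the hunk.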