Fix some undefined behaviour in the Curve448 code
authorMatt Caswell <matt@openssl.org>
Tue, 20 Feb 2018 14:53:06 +0000 (14:53 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 21 Feb 2018 11:13:14 +0000 (11:13 +0000)
We can't add NULL data into a hash

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5418)

crypto/ec/curve448/eddsa.c

index 7175715..d318876 100644 (file)
@@ -63,7 +63,8 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
     if (!EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL)
             || !EVP_DigestUpdate(hashctx, dom_s, strlen(dom_s))
             || !EVP_DigestUpdate(hashctx, dom, sizeof(dom))
-            || !EVP_DigestUpdate(hashctx, context, context_len))
+            || (context_len > 0
+                && !EVP_DigestUpdate(hashctx, context, context_len)))
         return C448_FAILURE;
 
     return C448_SUCCESS;
@@ -160,7 +161,8 @@ c448_error_t c448_ed448_sign(
                 || !EVP_DigestUpdate(hashctx,
                                      expanded + EDDSA_448_PRIVATE_BYTES,
                                      EDDSA_448_PRIVATE_BYTES)
-                || !EVP_DigestUpdate(hashctx, message, message_len)) {
+                || (message_len > 0
+                    && !EVP_DigestUpdate(hashctx, message, message_len))) {
             OPENSSL_cleanse(expanded, sizeof(expanded));
             goto err;
         }
@@ -200,7 +202,8 @@ c448_error_t c448_ed448_sign(
         if (!hash_init_with_dom(hashctx, prehashed, 0, context, context_len)
                 || !EVP_DigestUpdate(hashctx, nonce_point, sizeof(nonce_point))
                 || !EVP_DigestUpdate(hashctx, pubkey, EDDSA_448_PUBLIC_BYTES)
-                || !EVP_DigestUpdate(hashctx, message, message_len)
+                || (message_len > 0
+                    && !EVP_DigestUpdate(hashctx, message, message_len))
                 || !EVP_DigestFinalXOF(hashctx, challenge, sizeof(challenge)))
             goto err;