frost/secp256k1-zkp
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

surjectionproof: fix malleability in surjection proof parsing

Browse Source
This commit is contained in:
Andrew Poelstra 2019-06-03 21:50:40 +00:00
parent 290a27bb75
commit 49a1e01731
2 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/modules/surjection/main_impl.h
View File

@ -55,6 +55,15 @@ int secp256k1_surjectionproof_parse(const secp256k1_context* ctx, secp256k1_surj
return 0;
}
/* Check that the bitvector of used inputs is of the claimed
* length; i.e. the final byte has no "padding bits" set */
if (n_inputs % 8 != 0) {
const unsigned char padding_mask = (~0U) << (n_inputs % 8);
if ((input[2 + (n_inputs + 7) / 8 - 1] & padding_mask) != 0) {
return 0;
}
}
signature_len = 32 * (1 + secp256k1_count_bits_set(&input[2], (n_inputs + 7) / 8));
if (inputlen != 2 + (n_inputs + 7) / 8 + signature_len) {
return 0;

8
src/modules/surjection/tests_impl.h
View File

@ -644,18 +644,18 @@ void test_fixed_vectors(void) {
bad[2] = 0x3f; /* 0x1f -> 0x3f */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
/* Correct for the length */
CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32)); /* FIXME */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32));
/* Alternately just turn off one of the "legit" bits */
bad[2] = 0x37; /* 0x1f -> 0x37 */
CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); /* FIXME */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
/* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */
memcpy(bad, total5_used3, total5_used3_len);
bad[2] = 0x35; /* 0x15 -> 0x35 */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32)); /* FIXME */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32));
bad[2] = 0x34; /* 0x15 -> 0x34 */
CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); /* FIXME */
CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
}
void run_surjection_tests(void) {