Change SHA256 byte counter from size_t to uint64_t

real-or-random · real-or-random · commit eb28464a8bf8 · 2022-03-02T15:54:33.000+01:00
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length &gt;= 2^32 bytes on 32-bit
platforms.

This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
diff --git a/src/hash.h b/src/hash.h
@@ -13,7 +13,7 @@
 typedef struct {
     uint32_t s[8];
     uint32_t buf[16]; /* In big endian */
-    size_t bytes;
+    uint64_t bytes;
 } secp256k1_sha256;
 
 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
diff --git a/src/hash_impl.h b/src/hash_impl.h
@@ -153,6 +153,8 @@ static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out
     uint32_t sizedesc[2];
     uint32_t out[8];
     int i = 0;
+    /* The maximum message size of SHA256 is 2^64-1 bits. */
+    VERIFY_CHECK(hash->bytes < ((uint64_t)1 << 61));
     sizedesc[0] = BE32(hash->bytes >> 29);
     sizedesc[1] = BE32(hash->bytes << 3);
     secp256k1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64));
