Changeset 61419

Timestamp:

12/30/2025 10:53:23 PM (2 months ago)

Author:

SergeyBiryukov

Message:

Upgrade/Install: Update sodium_compat to v1.24.0.

The latest version includes a security fix to ensure that the public key is on the prime order subgroup.

References:

• ​sodium_compat 1.24.0 release notes
• ​Full list of changes in sodium_compat 1.24.0

Follow-up to [55699], [58752], [58753], [60787], [60905].

Props paragoninitiativeenterprises, johnbillion, SergeyBiryukov.
Fixes #64462.

Location:

trunk/src/wp-includes/sodium_compat/src

Files:

• Core/Ed25519.php (modified) (4 diffs)
• File.php (modified) (1 diff)

trunk/src/wp-includes/sodium_compat/src/Core/Ed25519.php

@@ -108 +108 @@
 
     /**
+     * Returns TRUE if $A represents a point on the order of the Edwards25519 prime order subgroup.
+     * Returns FALSE if $A is on a different subgroup.
+     *
+     * @param ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A
+     * @return bool
+     *
+     * @throws SodiumException
+     */
+    public static function is_on_main_subgroup(ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A)
+    {
+        $p1 = self::ge_mul_l($A);
+        $t = self::fe_sub($p1->Y, $p1->Z);
+        return self::fe_isnonzero($p1->X) && self::fe_isnonzero($t);
+    }
+
+    /**
      * @param string $pk
      * @return string
@@ -119 +135 @@
         }
         $A = self::ge_frombytes_negate_vartime(self::substr($pk, 0, 32));
-        $p1 = self::ge_mul_l($A);
-        if (!self::fe_isnonzero($p1->X)) {
-            throw new SodiumException('Unexpected zero result');
+        if (!self::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
         }
 
@@ -288 +303 @@
         }
         if ((self::chrToInt($sig[63]) & 240) && self::check_S_lt_L(self::substr($sig, 32, 32))) {
-            throw new SodiumException('S < L - Invalid signature');
+            throw new SodiumException('S >= L - Invalid signature');
         }
         if (self::small_order($sig)) {
@@ -312 +327 @@
         /** @var ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A */
         $A = self::ge_frombytes_negate_vartime($pk);
+        if (!self::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
+        }
 
         /** @var string $hDigest */

trunk/src/wp-includes/sodium_compat/src/File.php

@@ -787 +787 @@
         ParagonIE_Sodium_Compat::$fastMult = true;
 
+        if (ParagonIE_Sodium_Core_Ed25519::small_order($publicKey)) {
+            throw new SodiumException('Public key has small order');
+        }
         /** @var ParagonIE_Sodium_Core_Curve25519_Ge_P3 $A */
         $A = ParagonIE_Sodium_Core_Ed25519::ge_frombytes_negate_vartime($publicKey);
+        if (!ParagonIE_Sodium_Core_Ed25519::is_on_main_subgroup($A)) {
+            throw new SodiumException('Public key is not on a member of the main subgroup');
+        }
 
         $hs = hash_init('sha512');