Add null-check for hash_to_scalar

daxpedda · daxpedda · commit 85e4e704338b · 2022-01-10T07:49:16.000+01:00
diff --git a/src/group/p256.rs b/src/group/p256.rs
@@ -27,10 +27,10 @@ use num_traits::{One, ToPrimitive, Zero};
 use once_cell::unsync::Lazy;
 use p256_::elliptic_curve::bigint::{Encoding, U384};
 use p256_::elliptic_curve::group::prime::PrimeCurveAffine;
-use p256_::elliptic_curve::ops::Reduce;
 use p256_::elliptic_curve::sec1::{FromEncodedPoint, ToEncodedPoint};
 #[cfg(test)]
 use p256_::elliptic_curve::Field;
+use p256_::elliptic_curve::PrimeField;
 use p256_::{AffinePoint, EncodedPoint, NistP256, ProjectivePoint, PublicKey, Scalar, SecretKey};
 use rand_core::{CryptoRng, RngCore};
 use subtle::{Choice, ConditionallySelectable};
@@ -133,9 +133,11 @@ impl Group for NistP256 {
             .unwrap()
             .to_be_bytes();
 
-        Ok(Scalar::from_be_bytes_reduced(
-            GenericArray::clone_from_slice(&bytes[16..]),
-        ))
+        if bytes == [0; 48] {
+            Err(Error::PointError)
+        } else {
+            Ok(Scalar::from_repr_vartime(GenericArray::clone_from_slice(&bytes[16..])).unwrap())
+        }
     }
 
     fn base_elem() -> Self::Elem {
diff --git a/src/group/ristretto.rs b/src/group/ristretto.rs
@@ -5,8 +5,6 @@
 // License, Version 2.0 found in the LICENSE-APACHE file in the root directory
 // of this source tree.
 
-use core::convert::TryInto;
-
 use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;
 use curve25519_dalek::ristretto::{CompressedRistretto, RistrettoPoint};
 use curve25519_dalek::scalar::Scalar;
@@ -62,13 +60,13 @@ impl Group for Ristretto255 {
             GenericArray::from(STR_HASH_TO_SCALAR).concat(voprf::get_context_string::<Self>(mode));
 
         let uniform_bytes = expand::expand_message_xmd::<H, U64>(input, &dst)?;
+        let scalar = Scalar::from_bytes_mod_order_wide(&uniform_bytes.into());
 
-        Ok(Scalar::from_bytes_mod_order_wide(
-            uniform_bytes
-                .as_slice()
-                .try_into()
-                .map_err(|_| Error::HashToCurveError)?,
-        ))
+        if scalar == Scalar::zero() {
+            Err(Error::PointError)
+        } else {
+            Ok(scalar)
+        }
     }
 
     fn base_elem() -> Self::Elem {
