Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[dalek] vulnerability has been fixed #20

Merged
merged 1 commit into from
May 4, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 32 additions & 31 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
# ed25519-unsafe-libs
List of potentially unsafe ed25519 signature libraries that allow a public api where secret and public key can be provided independently as signing function inputs. Misuse of these public apis can result to private key exposure.
### Double Public Key Signing Function Oracle Attack on Ed25519
A list of potentially unsafe ed25519 signature libraries that allow a public api where secret and public key can be provided independently as signing function inputs. Misuse of these public apis can result to private key exposure.

Μost of the repositories in our analysis are enlisted in [IANIX :: Things that use Ed25519](https://ianix.com/pub/ed25519-deployment.html).

Number of impacted libraries: 46 <br />
Number of libraries that fixed the issue after the announcement: 7 <br />
*last updated: Mar 15, 2023*
Number of impacted libraries: 45 <br />
Number of libraries that fixed the issue after the announcement: 8 <br />
*last updated: May 04, 2023*

## Proof of Concept implementations that demonstrate this potential exploit:
* Rust: [ed25519-chalkias-exploit](https://github.com/MystenLabs/ed25519-unsafe-libs/tree/main/ed25519-chalkias-exploit)
Expand Down Expand Up @@ -44,7 +45,7 @@ That said, public apis should NOT allow a decoupled private/public key-pair as s

*Of course, this does not mean that all applications with dependencies to these libraries are prone to key exposure attacks; actually, most are probably safe due to usually not publicly exposing the affected api to their users and coupling their pub/priv key pair just before the `sign` invocation. On the other hand, even when these apis are not exposed, there are applications with different TCB threat model strategies on how the private and public keys are managed and stored. That said, to prevent this attack, developers should also enforce an integrity protection protocol for the public keys as well.*

Here, we enlist some of the affected libraries along with the related code-references.
Here, we enlist some affected libraries along with the related code-references.

![Ed25519 api misuse resulting to key extraction](dalek_api_misuse.jpg?raw=true "Ed25519 api misuse resulting to key extraction")
Fig 1. An example api misuse in the ed25519-dalek Rust crate.
Expand All @@ -57,82 +58,79 @@ Fig 1. An example api misuse in the ed25519-dalek Rust crate.
* C: GNU Nettle <br />
[https://github.com/gnutls/nettle/blob/fe7ae87d1b837e82f7c7968b068bca7d853a4cec/ed25519-sha512-sign.c#L43](https://github.com/gnutls/nettle/blob/fe7ae87d1b837e82f7c7968b068bca7d853a4cec/ed25519-sha512-sign.c#L43)

* ASM/C: iroha-ed25519 (Hyperledger Project) <br />
* ASM/C: iroha-ed25519 (Hyperledger Project) <br />
[https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/ref10/ed25519.c#L27](https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/ref10/ed25519.c#L27)
and
[https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/amd64-64-24k-pic/ed25519.c#L30](https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/amd64-64-24k-pic/ed25519.c#L30)

* C: ed25519-donna (Andrew Moon) <br />
* C: ed25519-donna (Andrew Moon) <br />
[https://github.com/floodyberry/ed25519-donna/blob/master/ed25519.c#L59](https://github.com/floodyberry/ed25519-donna/blob/master/ed25519.c#L59)

* C: ed25519 (Orson Peters) <br />
* C: ed25519 (Orson Peters) <br />
[https://github.com/orlp/ed25519/blob/master/src/sign.c#L7](https://github.com/orlp/ed25519/blob/master/src/sign.c#L7)

* C: libbrine (Kevin Smith) <br />
* C: libbrine (Kevin Smith) <br />
[https://github.com/kevsmith/libbrine/blob/master/src/ed25519/sign.c#L7](https://github.com/kevsmith/libbrine/blob/master/src/ed25519/sign.c#L7)

* C++: Ed25519 (ArduinoLibs) <br />
* C++: Ed25519 (ArduinoLibs) <br />
[https://rweather.github.io/arduinolibs/classEd25519.html#a36ecf67b4c5d2d39a31888f56af1f8a5](https://rweather.github.io/arduinolibs/classEd25519.html#a36ecf67b4c5d2d39a31888f56af1f8a5)

* C#: ed25519 (Hans Wolff) <br />
* C#: ed25519 (Hans Wolff) <br />
[https://github.com/hanswolff/ed25519/blob/master/Ed25519/Ed25519.cs#L146](https://github.com/hanswolff/ed25519/blob/master/Ed25519/Ed25519.cs#L146)

* C#: Ed25519 (CryptoManiac) <br />
* C#: Ed25519 (CryptoManiac) <br />
[https://github.com/CryptoManiac/Ed25519/blob/972829ac688847895d5105f19ca1e5777131b421/Chaos.NaCl/Internal/Ed25519Ref10/keypair.cs#L7](https://github.com/CryptoManiac/Ed25519/blob/972829ac688847895d5105f19ca1e5777131b421/Chaos.NaCl/Internal/Ed25519Ref10/keypair.cs#L7)

* Dart: ed25519_dart (Oleksii Semeshchuk) <br />
* Dart: ed25519_dart (Oleksii Semeshchuk) <br />
[https://github.com/semolex/ed25519_dart/blob/master/lib/src/ed25519_dart_base.dart#L200](https://github.com/semolex/ed25519_dart/blob/master/lib/src/ed25519_dart_base.dart#L200)

* Dart: riclava_ed25519 (riclava) <br />
* Dart: riclava_ed25519 (riclava) <br />
[https://github.com/riclava/ed25519/blob/master/lib/ed25519.dart#L125](https://github.com/riclava/ed25519/blob/master/lib/ed25519.dart#L125)

* Clojure: ed25519 (Kevin Downey) <br />
* Clojure: ed25519 (Kevin Downey) <br />
[https://github.com/hiredman/ed25519/blob/master/src/ed25519/core.clj#L168](https://github.com/hiredman/ed25519/blob/master/src/ed25519/core.clj#L168)

* Haskell: hs-scraps (Vincent Hanquez) <br />
* Haskell: hs-scraps (Vincent Hanquez) <br />
[https://github.com/vincenthz/hs-scraps/blob/master/Crypto/Signature/Ed25519.hs#L115](https://github.com/vincenthz/hs-scraps/blob/master/Crypto/Signature/Ed25519.hs#L115)

* Java: ed25519-java (k3d3) <br />
* Java: ed25519-java (k3d3) <br />
[https://github.com/k3d3/ed25519-java/blob/master/ed25519.java#L144](https://github.com/k3d3/ed25519-java/blob/master/ed25519.java#L144)

* Java: ed25519 (Bjorn Arnelid) <br />
* Java: ed25519 (Bjorn Arnelid) <br />
[https://github.com/BjornArnelid/ed25519/blob/master/src/ed25519/application/Ed25519.java#L32](https://github.com/BjornArnelid/ed25519/blob/master/src/ed25519/application/Ed25519.java#L32)

* Java: Punisher.NaCl (Arpan Jati) <br />
* Java: Punisher.NaCl (Arpan Jati) <br />
[https://github.com/arpanj/Punisher.NaCl/blob/c9619ca3028b90d0556c0473e4eba1d429a3744c/Punisher.NaCl/src/Punisher/NaCl/Ed25519Operations.java#L72](https://github.com/arpanj/Punisher.NaCl/blob/c9619ca3028b90d0556c0473e4eba1d429a3744c/Punisher.NaCl/src/Punisher/NaCl/Ed25519Operations.java#L72)

* Java: ED25519 (Mick Michalski) <br />
* Java: ED25519 (Mick Michalski) <br />
[https://github.com/michami/ED25519/blob/master/ED25519.java#L60](https://github.com/michami/ED25519/blob/master/ED25519.java#L60)

* Java: vRallev/ECC-25519 (Ralf Wondratschek) <br />
[https://github.com/vRallev/ECC-25519/blob/master/ECC-25519-Java/src/main/java/net/vrallev/java/ecc/Ecc25519Helper.java#L102](https://github.com/vRallev/ECC-25519/blob/master/ECC-25519-Java/src/main/java/net/vrallev/java/ecc/Ecc25519Helper.java#L102)

* Perl: Crypt::Ed25519 (Marc Lehmann) <br />
* Perl: Crypt::Ed25519 (Marc Lehmann) <br />
[https://metacpan.org/release/MLEHMANN/Crypt-Ed25519-0.9/view/Ed25519.pm#$signature-=-Crypt::Ed25519::sign-$message,-$public_key,-$private_key](https://metacpan.org/release/MLEHMANN/Crypt-Ed25519-0.9/view/Ed25519.pm#$signature-=-Crypt::Ed25519::sign-$message,-$public_key,-$private_key)

* Python: ed25519.py (Ed25519 authors) <br />
* Python: ed25519.py (Ed25519 authors) <br />
[https://ed25519.cr.yp.to/python/ed25519.py](https://ed25519.cr.yp.to/python/ed25519.py)

* Python: ed25519 (Python Cryptographic Authority) <br />
* Python: ed25519 (Python Cryptographic Authority) <br />
[https://github.com/pyca/ed25519/blob/main/ed25519.py#L243](https://github.com/pyca/ed25519/blob/main/ed25519.py#L243)
(*authors mention it’s unsafe against side channels anyway*)

* Python: python-pure25519 (Brian Warner) <br />
* Python: python-pure25519 (Brian Warner) <br />
[https://github.com/warner/python-pure25519/blob/master/pure25519/eddsa.py#L21](https://github.com/warner/python-pure25519/blob/master/pure25519/eddsa.py#L21)

* Python: nmed25519 (naturalmessage) <br />
* Python: nmed25519 (naturalmessage) <br />
[https://github.com/naturalmessage/nmed25519/blob/master/nmed25519.py#L150](https://github.com/naturalmessage/nmed25519/blob/master/nmed25519.py#L150)

* Python: ed25519.py (Shiho Midorikawa) <br />
* Python: ed25519.py (Shiho Midorikawa) <br />
[https://gist.github.com/elliptic-shiho/f41fd75cc30646a61d7ad63043fdd56e#file-ed25519-py-L77](https://gist.github.com/elliptic-shiho/f41fd75cc30646a61d7ad63043fdd56e#file-ed25519-py-L77)

* Rust: ed25519-dalek (Isis Agora Lovecruft) <br />
[https://github.com/dalek-cryptography/ed25519-dalek/blob/main/src/secret.rs#L399](https://github.com/dalek-cryptography/ed25519-dalek/blob/main/src/secret.rs#L399)

* Python: bindings for ed25519-dalek: py-ed25519-bindings <br />
* Python: bindings for ed25519-dalek: py-ed25519-bindings <br />
[https://github.com/polkascan/py-ed25519-bindings/blob/master/src/lib.rs#L111](https://github.com/polkascan/py-ed25519-bindings/blob/master/src/lib.rs#L111)

* Swift: ed25519swift (pebble8888) <br />
* Swift: ed25519swift (pebble8888) <br />
[https://github.com/pebble8888/ed25519swift/blob/master/Ed25519ref/ed25519s.swift#L120](https://github.com/pebble8888/ed25519swift/blob/master/Ed25519ref/ed25519s.swift#L120)

* JS: supercop.js (1p6 Flynx) <br />
Expand Down Expand Up @@ -211,6 +209,9 @@ Fixed in this PR: [https://github.com/Yawning/horse25519/pull/3](https://github.
* Erlang: erlang-libdecaf <br />
Fixed in this commit: [https://github.com/potatosalad/erlang-libdecaf/commit/16ba07ea122660e95f6cfa9107e28ed58bada713](https://github.com/potatosalad/erlang-libdecaf/commit/16ba07ea122660e95f6cfa9107e28ed58bada713). Logic addressed in this issue: [ed25519-unsafe-libs/issues/7](https://github.com/MystenLabs/ed25519-unsafe-libs/issues/7) *(Fix merged on August 28, 2022)*

* Rust: ed25519-dalek (Isis Agora Lovecruft) <br />
Fixed in this PR: [https://github.com/dalek-cryptography/ed25519-dalek/pull/205](https://github.com/dalek-cryptography/ed25519-dalek/pull/205) *(Fix merged on October 22, 2022)*

* C: Monocypher (Loup Vaillant) <br />
Fixed in this commit: [https://github.com/LoupVaillant/Monocypher/commit/da7b5407d20329f21a53ea993f516fb55e2f5e26](https://github.com/LoupVaillant/Monocypher/commit/da7b5407d20329f21a53ea993f516fb55e2f5e26) *(Fix merged on February 27, 2023)*

Expand Down