
Fix issues found in Quarkslab audit #276

Merged
merged 3 commits into from
Aug 6, 2019

Conversation

hdevalence
Contributor

A Quarkslab audit (to be published shortly) looked through the curve25519-dalek source code; this PR fixes the issues they identified.

The only serious one is that, although the rest of the Scalar API works with canonical scalars, the API has an "invariant loophole", Scalar::from_bits, which allows constructing non-reduced scalars for use in, e.g., X/Ed25519, which mandate the use of non-reduced scalars.

However, although the group operations (scalar, point) were designed to operate on non-reduced scalars, this was not true of (scalar, scalar) addition and subtraction, and so it was possible to use the API to explicitly construct large, unreduced Scalars via from_bits and then perform additions and subtractions which compute incorrect results. This is now fixed, with tests that ensure that addition and subtraction work correctly on very large Scalar values.

A search for Scalar::from_bits across all Rust code on GitHub suggests that the function is mostly only used to implement X/Ed25519, which don't do those operations, so it's unlikely that this issue affects any existing code. This issue was noticed independently by @str4d in #238.

Closes #238.

str4d and others added 3 commits August 6, 2019 15:18
Closes #238.

This issue was discovered independently by both Jack "str4d" Grigg
(issue #238), who noted that reduction was not performed on addition, and
Laurent Grémy & Nicolas Surbayrole of Quarkslab, who noted that it was possible
to cause an overflow and compute incorrect results.
This issue was found by Laurent Grémy & Nicolas Surbayrole of Quarkslab.
@hdevalence hdevalence added the bug label Aug 6, 2019
@hdevalence hdevalence added this to the Patch Release milestone Aug 6, 2019
@hdevalence hdevalence merged commit 4bc2ec0 into develop Aug 6, 2019
@hdevalence hdevalence deleted the quarkslab branch August 6, 2019 23:08
pinkforest pushed a commit to pinkforest/curve25519-dalek that referenced this pull request Jun 27, 2023
Eliminates the `patch.crates-io` directive by using the latest RC
release of `curve25519-dalek` on crates.io