MystenLabs / ed25519-unsafe-libs

List of unsafe ed25519 signature libs

erlang-libdecaf fixed as of 2022-08-28 (version 2.1.0)

potatosalad opened this issue · comments

Hey @kchalkias,

Thank you for putting this together and helping to track everything.

I'm the maintainer of erlang-libdecaf and as of libdecaf 2.1.0 released earlier today, I think that this misuse bug has been fixed.

Although users can still call the old function, internally I'm performing a re-derivation of the public key and checking that it matches the provided public key. If they don't, it raises an exception along with a link to this repository: https://github.com/potatosalad/erlang-libdecaf/blob/2.1.0/c_src/nif/impl/ed255.c.h#L71-L80

A new keypair-based API has been provided, too, which does now allow users to pass different public keys along with the private key: https://github.com/potatosalad/erlang-libdecaf/blob/2.1.0/src/libdecaf_curve25519.erl#L144-L145

Example:

M = <<"Hello World">>,
{PK1, <<SK1:256/bits, PK1:256/bits>>} = libdecaf_curve25519:eddsa_keypair(),
{PK2, <<SK2:256/bits, PK2:256/bits>>} = libdecaf_curve25519:eddsa_keypair(),
Sig1 = <<R1:256/bits, S1:256/bits>> = libdecaf_curve25519:ed25519_sign(M, <<SK1:256/bits, PK1:256/bits>>),
Sig2 = <<R2:256/bits, S2:256/bits>> = libdecaf_curve25519:ed25519_sign(M, <<SK1:256/bits, PK2:256/bits>>).

With libdecaf 1.0.0, the bug was present:

% Whoops: R1 and R2 are the same :-(
true = (R1 =:= R2).

With libdecaf 2.0.0, the Erlang VM would be aborted due to the upstream ed448goldilocks library properly detecting this bug:

Abort trap: 6

Finally, with libdecaf 2.1.0, an exception is raised:

** exception error: {error,{"libdecaf/c_src/nif/impl/ed255.c.h", 76},
                           "UNSAFE: Privkey and Pubkey are not part of the same keypair. See: https://github.com/MystenLabs/ed25519-unsafe-libs"}

The new keypair API in version 2.1.0 uses NIF resources which cannot be easily modified:

1> KP = libdecaf_curve25519:keypair_random().
#Ref<0.1425966899.490340357.81756>
2> libdecaf_curve25519:ed25519_keypair_sign(<<"Hello World">>, KP).
<<96,253,64,179,127,94,104,99,90,180,61,116,25,62,67,211,141,104,136,4,221,215,101,95,203,22,210,1,239,12,25,34,22,200,187,164,33,39,71,223,134,101,155,166,85,15,78,132,148,145,150,77,101,29,243,130,111,79,251,219,147,137,202,1>>
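The guard described above (re-derive the public key from the private key and refuse to sign when it differs from the one supplied) as an added Python example; it is not code from erlang-libdecaf or from this thread. The curve arithmetic is a minimal pure-Python ed25519 derivation, the function names are my own, and the keys are RFC 8032 test vector 1.

```python
import hashlib
# Minimal pure-Python ed25519 public-key derivation (RFC 8032 sec. 5.1), affine arithmetic.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P   # curve constant d = -121665/121666
GY = (4 * pow(5, P - 2, P)) % P             # base point B has y = 4/5

def _recover_x(y):
    """x-coordinate with even parity for a given y (used for the base point)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    return P - x if x & 1 else x

def _add(p, q):
    (x1, y1), (x2, y2) = p, q
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + k, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - k, P - 2, P) % P
    return x3, y3

def _mul(p, n):
    r = (0, 1)                               # neutral element
    while n:
        if n & 1:
            r = _add(r, p)
        p, n = _add(p, p), n >> 1
    return r

def public_key_from_seed(seed: bytes) -> bytes:
    """A = [clamp(SHA-512(seed)[:32])]B, encoded as 32 little-endian bytes."""
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    x, y = _mul((_recover_x(GY), GY), a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def same_keypair(seed: bytes, public_key: bytes) -> bool:
    """True iff public_key is the one derived from seed."""
    return public_key == public_key_from_seed(seed)

def checked_secret_key(seed: bytes, public_key: bytes) -> bytes:
    """The guard a sign() should run first: refuse a foreign public key."""
    if not same_keypair(seed, public_key):
        raise ValueError("UNSAFE: Privkey and Pubkey are not part of the same keypair")
    return seed + public_key                 # the 64-byte <<SK, PK>> layout

# Constructed inputs: RFC 8032 test vector 1 (seed and its matching public key).
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
```

A library that only exposes the old `sign(M, <<SK, PK>>)` shape can run `checked_secret_key` on the input before touching the nonce or challenge hash, which is the behaviour libdecaf 2.1.0 adds.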

Awesome work and excellent handling + logging!
The README doc with vulnerable/fixed APIs has been updated in this commit: 5d90a7d

Thanks a bunch <3