From fe5a9db1e6d32f6d706140a6ddda6b40db80434a Mon Sep 17 00:00:00 2001 From: George Kadianakis Date: Fri, 30 Jul 2021 16:35:48 +0300 Subject: Disable ed25519-donna's batch verification. Fixes bug 40078. As reported by hdevalence our batch verification logic can cause an assert crash. The assert happens because when the batch verification of ed25519-donna fails, the code in `ed25519_checksig_batch()` falls back to doing a single verification for each signature. The crash occurs because batch verification failed, but then all signatures individually verified just fine. That's because batch verification and single verification use a different equation which means that there are sigs that can pass single verification but fail batch verification. Fixing this would require modding ed25519-donna which is not in scope for this ticket, and will be soon deprecated in favor of arti and ed25519-dalek, so my branch instead removes batch verification. --- changes/bug40078 | 3 +++ src/lib/crypt_ops/crypto_ed25519.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changes/bug40078 diff --git a/changes/bug40078 b/changes/bug40078 new file mode 100644 index 0000000000..717309e076 --- /dev/null +++ b/changes/bug40078 @@ -0,0 +1,3 @@ + o Minor bugfix (crypto): + - Disable the unused batch verification feature of ed25519-donna. Fixes + bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. \ No newline at end of file diff --git a/src/lib/crypt_ops/crypto_ed25519.c b/src/lib/crypt_ops/crypto_ed25519.c index 0a442bb739..98beaf75f8 100644 --- a/src/lib/crypt_ops/crypto_ed25519.c +++ b/src/lib/crypt_ops/crypto_ed25519.c @@ -102,7 +102,7 @@ static const ed25519_impl_t impl_donna = { ed25519_donna_open, ed25519_donna_sign, - ed25519_sign_open_batch_donna, + NULL, /* Don't use donna's batching code because of #40078 */ ed25519_donna_blind_secret_key, ed25519_donna_blind_public_key, -- cgit v1.2.3-54-g00ecf
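Review bot: The changes/bug40078 entry describes the batch verification feature as "unused", but the commit message describes a reachable path (batch verification fails inside `ed25519_checksig_batch()`, the code falls back to single verification, and the assert fires), so the two descriptions contradict each other; either drop "unused" from the changes entry or state that no caller currently uses the batch entry point, whichever is accurate. The entry also lacks a trailing newline (`\ No newline at end of file`), which the other changes files will not match; add one before merging.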
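Review bot: Setting the batch slot of `impl_donna` to `NULL` is only safe if every caller of that slot (at least `ed25519_checksig_batch()`, named in the commit message) checks for a `NULL` function pointer before calling it and then falls back to per-signature verification; that check is outside this hunk, so the patch should either cite where it happens or add a unit test exercising the batch API with the donna implementation selected so a missing check surfaces as a test failure rather than a null dereference. Two smaller points on the same hunk: once `ed25519_sign_open_batch_donna` is no longer referenced from this table it may become an unreferenced symbol, so confirm it does not trigger an unused-function warning under `-Werror` (remove it or mark it unused if so); and the inline comment `/* Don't use donna's batching code because of #40078 */` would help future readers more if it stated the actual reason in a few words, i.e. that donna's batch check uses a different verification equation than the single-signature check, so a signature can pass one and fail the other, rather than only the ticket number.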