Opened 3 years ago

Closed 3 years ago

Last modified 20 months ago

#12694 closed defect (fixed)

Upgrade to latest curve25519-donna32

Reported by: nickm
Owned by:
Priority: High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-relay, curve25519, 2016-bug-retrospective
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Adam Langley has updated the 32-bit curve25519-donna implementation so that it behaves the same as the 64-bit one (and the same as nacl) for all keys and scalars. The old one had bounds-checking problems. His commit message:

    Correct bounds in 32-bit code.
    
    The 32-bit code was illustrative of the tricks used in the original
    curve25519 paper rather than rigorous. However, it has proven quite
    popular.
    
    This change fixes an issue that Robert Ransom found where outputs between
    2^255-19 and 2^255-1 weren't correctly reduced in fcontract. This
    appears to leak a small fraction of a bit of security of private keys.
    
    Additionally, the code has been cleaned up to reflect the real-world
    needs. The ref10 code also exists for 32-bit, generic C but is somewhat
    slower and objections around the lack of qhasm availability have been
    raised.

To be clear, this does not seem to affect most private keys, and for the private keys it does affect, it doesn't actually appear to weaken them appreciably. Still, it's not the kind of behavior that it seems okay to leave in our implementation. So let's upgrade.
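The defect in the commit message is a missing final reduction step: after the limb arithmetic has folded everything into 255 bits, the 19 values between 2^255-19 and 2^255-1 are congruent to 0..18 mod p but were written out unreduced. The following Python block, added here as an example and not code from the ticket, from Tor, or from curve25519-donna, models that last "contract" step with a correct and a defective variant and includes the canonicality check a test suite can run over any 32-byte curve25519 output. The buggy variant is a simplified model of the described behaviour (it only drops the final conditional subtraction), not a reproduction of the donna32 limb code.

```python
# Added example: a Python model of the final field-element "contract" step for
# curve25519, i.e. producing the 32-byte little-endian encoding of a value
# mod p = 2^255 - 19. Not code from the ticket, Tor, or curve25519-donna; the
# buggy variant is an assumed simplification of the defect the ticket
# describes (values in [p, 2^255) left unreduced).

P = 2**255 - 19          # the curve25519 field prime
MASK255 = 2**255 - 1     # the low 255 bits


def fold_top_bits(h: int) -> int:
    """Bring any non-negative integer into [0, 2^255) while preserving its
    residue mod P, using 2^255 == 19 (mod P)."""
    while h > MASK255:
        h = (h >> 255) * 19 + (h & MASK255)
    return h


def contract_canonical(h: int) -> bytes:
    """Correct contraction: fold, then subtract P once if the result is still
    >= P, so the output is the unique representative in [0, P)."""
    h = fold_top_bits(h)
    if h >= P:
        h -= P
    return h.to_bytes(32, "little")


def contract_buggy(h: int) -> bytes:
    """Model of the defect: the final conditional subtraction is skipped, so
    the 19 residues P..2^255-1 are emitted in non-canonical form."""
    h = fold_top_bits(h)
    return h.to_bytes(32, "little")


def is_canonical(encoded: bytes) -> bool:
    """Defender-side check on any 32-byte curve25519 output: a correct
    implementation never emits an encoding whose integer value is >= P."""
    return len(encoded) == 32 and int.from_bytes(encoded, "little") < P


def noncanonical_inputs(lo: int, hi: int) -> list:
    """All h in [lo, hi) for which the buggy and correct contractions differ."""
    return [h for h in range(lo, hi)
            if contract_buggy(h) != contract_canonical(h)]


if __name__ == "__main__":
    # Constructed window around the boundary: exactly the 19 values in
    # [P, 2^255) should disagree; everything above 2^255 folds back correctly.
    bad = noncanonical_inputs(P - 5, 2**255 + 5)
    print(len(bad), "inputs in the window disagree; first:", hex(bad[0]))
    print("buggy output for P canonical?", is_canonical(contract_buggy(P)))
```

The practical consequence matches the ticket's wording: two otherwise-correct implementations agree on every output except these 19 residues, which is enough to tell them apart by comparing known-answer outputs, so a regression test should assert `is_canonical()` on every produced key and shared secret, not just equality against one reference implementation.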

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by nickm

Resolution: fixed
Status: new → closed

I made a branch -- "curve25519-donna32" -- for this, and merged it to 0.2.4 and later. My changelog entry:

  o Major bugfixes:

    - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
      implementation that caused incorrect results on 32-bit
      implementations when certain malformed inputs were used along with
      a small class of private ntor keys. This bug does not currently
      appear to allow an attacker to learn private keys or impersonate a
      Tor server, but it could provide a means to distinguish 32-bit Tor
      implementations from 64-bit Tor implementations. Fixes bug 12694;
      bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from
      Adam Langley.

(Arma has looked this over and asked me to merge it.)

comment:2 Changed 20 months ago by nickm

Keywords: 2016-bug-retrospective added

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.

comment:3 Changed 20 months ago by nickm

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.

comment:4 Changed 20 months ago by nickm

Mark bugs for 2016 bug retrospective based on hand-examination of changelogs for 0.2.5 onwards.
