[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/maint-0.3.5] Disable ed25519-donna's batch verification.



commit fe5a9db1e6d32f6d706140a6ddda6b40db80434a
Author: George Kadianakis <desnacked@xxxxxxxxxx>
Date:   Fri Jul 30 16:35:48 2021 +0300

    Disable ed25519-donna's batch verification.
    
    Fixes bug 40078.
    
    As reported by hdevalence our batch verification logic can cause an assert
    crash.
    
    The assert happens because when the batch verification of ed25519-donna fails,
    the code in `ed25519_checksig_batch()` falls back to doing a single
    verification for each signature.
    
    The crash occurs because batch verification failed, but then all signatures
    individually verified just fine.
    
    That's because batch verification and single verification use a different
    equation which means that there are sigs that can pass single verification
    but fail batch verification.
    
    Fixing this would require modding ed25519-donna which is not in scope for
    this ticket, and will be soon deprecated in favor of arti and
    ed25519-dalek, so my branch instead removes batch verification.
---
 changes/bug40078                   | 3 +++
 src/lib/crypt_ops/crypto_ed25519.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/changes/bug40078 b/changes/bug40078
new file mode 100644
index 0000000000..717309e076
--- /dev/null
+++ b/changes/bug40078
@@ -0,0 +1,3 @@
+  o Minor bugfix (crypto):
+    - Disable the unused batch verification feature of ed25519-donna. Fixes
+      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
\ No newline at end of file
diff --git a/src/lib/crypt_ops/crypto_ed25519.c b/src/lib/crypt_ops/crypto_ed25519.c
index 0a442bb739..98beaf75f8 100644
--- a/src/lib/crypt_ops/crypto_ed25519.c
+++ b/src/lib/crypt_ops/crypto_ed25519.c
@@ -102,7 +102,7 @@ static const ed25519_impl_t impl_donna = {
 
   ed25519_donna_open,
   ed25519_donna_sign,
-  ed25519_sign_open_batch_donna,
+  NULL, /* Don't use donna's batching code because of #40078 */
 
   ed25519_donna_blind_secret_key,
   ed25519_donna_blind_public_key,

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits