Merge pull request #20 from MystenLabs/kostas-dalek-fix

[dalek] vulnerability has been fixed
MystenLabs · May 4, 2023 · e3e6212 · e3e6212
2 parents efe52b9 + 3b7b80f
commit e3e6212
Showing 1 changed file with 32 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -1,11 +1,12 @@
 # ed25519-unsafe-libs
-List of potentially unsafe ed25519 signature libraries that allow a public api where secret and public key can be provided independently as signing function inputs. Misuse of these public apis can result to private key exposure.
+### Double Public Key Signing Function Oracle Attack on Ed25519
+A list of potentially unsafe ed25519 signature libraries that allow a public api where secret and public key can be provided independently as signing function inputs. Misuse of these public apis can result to private key exposure.
 
 Μost of the repositories in our analysis are enlisted in [IANIX :: Things that use Ed25519](https://ianix.com/pub/ed25519-deployment.html).
 
-Number of impacted libraries: 46 <br />
-Number of libraries that fixed the issue after the announcement: 7 <br />
-*last updated: Mar 15, 2023*
+Number of impacted libraries: 45 <br />
+Number of libraries that fixed the issue after the announcement: 8 <br />
+*last updated: May 04, 2023*
 
 ## Proof of Concept implementations that demonstrate this potential exploit:
 * Rust: [ed25519-chalkias-exploit](https://github.com/MystenLabs/ed25519-unsafe-libs/tree/main/ed25519-chalkias-exploit)
@@ -44,7 +45,7 @@ That said, public apis should NOT allow a decoupled private/public key-pair as s
 
 *Of course, this does not mean that all applications with dependencies to these libraries are prone to key exposure attacks; actually, most are probably safe due to usually not publicly exposing the affected api to their users and coupling their pub/priv key pair just before the `sign` invocation. On the other hand, even when these apis are not exposed, there are applications with different TCB threat model strategies on how the private and public keys are managed and stored. That said, to prevent this attack, developers should also enforce an integrity protection protocol for the public keys as well.*
 
-Here, we enlist some of the affected libraries along with the related code-references.
+Here, we enlist some affected libraries along with the related code-references.
 
 ![Ed25519 api misuse resulting to key extraction](dalek_api_misuse.jpg?raw=true "Ed25519 api misuse resulting to key extraction")
 Fig 1. An example api misuse in the ed25519-dalek Rust crate.
@@ -57,82 +58,79 @@ Fig 1. An example api misuse in the ed25519-dalek Rust crate.
 * C: GNU Nettle <br />
 [https://github.com/gnutls/nettle/blob/fe7ae87d1b837e82f7c7968b068bca7d853a4cec/ed25519-sha512-sign.c#L43](https://github.com/gnutls/nettle/blob/fe7ae87d1b837e82f7c7968b068bca7d853a4cec/ed25519-sha512-sign.c#L43)
 
-* ASM/C: iroha-ed25519 (Hyperledger Project) <br />
+* ASM/C: iroha-ed25519 (Hyperledger Project) <br />
 [https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/ref10/ed25519.c#L27](https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/ref10/ed25519.c#L27)
 and
 [https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/amd64-64-24k-pic/ed25519.c#L30](https://github.com/hyperledger/iroha-ed25519/blob/main/lib/ed25519/amd64-64-24k-pic/ed25519.c#L30)
 
-* C: ed25519-donna (Andrew Moon) <br />
+* C: ed25519-donna (Andrew Moon) <br />
 [https://github.com/floodyberry/ed25519-donna/blob/master/ed25519.c#L59](https://github.com/floodyberry/ed25519-donna/blob/master/ed25519.c#L59)
 
-* C: ed25519 (Orson Peters) <br />
+* C: ed25519 (Orson Peters) <br />
 [https://github.com/orlp/ed25519/blob/master/src/sign.c#L7](https://github.com/orlp/ed25519/blob/master/src/sign.c#L7)
 
-* C: libbrine (Kevin Smith) <br />
+* C: libbrine (Kevin Smith) <br />
 [https://github.com/kevsmith/libbrine/blob/master/src/ed25519/sign.c#L7](https://github.com/kevsmith/libbrine/blob/master/src/ed25519/sign.c#L7)
 
-* C++: Ed25519 (ArduinoLibs) <br />
+* C++: Ed25519 (ArduinoLibs) <br />
 [https://rweather.github.io/arduinolibs/classEd25519.html#a36ecf67b4c5d2d39a31888f56af1f8a5](https://rweather.github.io/arduinolibs/classEd25519.html#a36ecf67b4c5d2d39a31888f56af1f8a5)
 
-* C#: ed25519 (Hans Wolff) <br />
+* C#: ed25519 (Hans Wolff) <br />
 [https://github.com/hanswolff/ed25519/blob/master/Ed25519/Ed25519.cs#L146](https://github.com/hanswolff/ed25519/blob/master/Ed25519/Ed25519.cs#L146)
 
-* C#: Ed25519 (CryptoManiac) <br />
+* C#: Ed25519 (CryptoManiac) <br />
 [https://github.com/CryptoManiac/Ed25519/blob/972829ac688847895d5105f19ca1e5777131b421/Chaos.NaCl/Internal/Ed25519Ref10/keypair.cs#L7](https://github.com/CryptoManiac/Ed25519/blob/972829ac688847895d5105f19ca1e5777131b421/Chaos.NaCl/Internal/Ed25519Ref10/keypair.cs#L7)
 
-* Dart: ed25519_dart (Oleksii Semeshchuk) <br />
+* Dart: ed25519_dart (Oleksii Semeshchuk) <br />
 [https://github.com/semolex/ed25519_dart/blob/master/lib/src/ed25519_dart_base.dart#L200](https://github.com/semolex/ed25519_dart/blob/master/lib/src/ed25519_dart_base.dart#L200)
 
-* Dart: riclava_ed25519 (riclava) <br />
+* Dart: riclava_ed25519 (riclava) <br />
 [https://github.com/riclava/ed25519/blob/master/lib/ed25519.dart#L125](https://github.com/riclava/ed25519/blob/master/lib/ed25519.dart#L125)
 
-* Clojure: ed25519 (Kevin Downey) <br />
+* Clojure: ed25519 (Kevin Downey) <br />
 [https://github.com/hiredman/ed25519/blob/master/src/ed25519/core.clj#L168](https://github.com/hiredman/ed25519/blob/master/src/ed25519/core.clj#L168)
 
-* Haskell: hs-scraps (Vincent Hanquez) <br />
+* Haskell: hs-scraps (Vincent Hanquez) <br />
 [https://github.com/vincenthz/hs-scraps/blob/master/Crypto/Signature/Ed25519.hs#L115](https://github.com/vincenthz/hs-scraps/blob/master/Crypto/Signature/Ed25519.hs#L115)
 
-* Java: ed25519-java (k3d3) <br />
+* Java: ed25519-java (k3d3) <br />
 [https://github.com/k3d3/ed25519-java/blob/master/ed25519.java#L144](https://github.com/k3d3/ed25519-java/blob/master/ed25519.java#L144)
 
-* Java: ed25519 (Bjorn Arnelid) <br />
+* Java: ed25519 (Bjorn Arnelid) <br />
 [https://github.com/BjornArnelid/ed25519/blob/master/src/ed25519/application/Ed25519.java#L32](https://github.com/BjornArnelid/ed25519/blob/master/src/ed25519/application/Ed25519.java#L32)
 
-* Java: Punisher.NaCl (Arpan Jati) <br />
+* Java: Punisher.NaCl (Arpan Jati) <br />
 [https://github.com/arpanj/Punisher.NaCl/blob/c9619ca3028b90d0556c0473e4eba1d429a3744c/Punisher.NaCl/src/Punisher/NaCl/Ed25519Operations.java#L72](https://github.com/arpanj/Punisher.NaCl/blob/c9619ca3028b90d0556c0473e4eba1d429a3744c/Punisher.NaCl/src/Punisher/NaCl/Ed25519Operations.java#L72)
 
-* Java: ED25519 (Mick Michalski) <br />
+* Java: ED25519 (Mick Michalski) <br />
 [https://github.com/michami/ED25519/blob/master/ED25519.java#L60](https://github.com/michami/ED25519/blob/master/ED25519.java#L60)
 
 * Java: vRallev/ECC-25519 (Ralf Wondratschek) <br />
 [https://github.com/vRallev/ECC-25519/blob/master/ECC-25519-Java/src/main/java/net/vrallev/java/ecc/Ecc25519Helper.java#L102](https://github.com/vRallev/ECC-25519/blob/master/ECC-25519-Java/src/main/java/net/vrallev/java/ecc/Ecc25519Helper.java#L102)
 
-* Perl: Crypt::Ed25519 (Marc Lehmann) <br />
+* Perl: Crypt::Ed25519 (Marc Lehmann) <br />
 [https://metacpan.org/release/MLEHMANN/Crypt-Ed25519-0.9/view/Ed25519.pm#$signature-=-Crypt::Ed25519::sign-$message,-$public_key,-$private_key](https://metacpan.org/release/MLEHMANN/Crypt-Ed25519-0.9/view/Ed25519.pm#$signature-=-Crypt::Ed25519::sign-$message,-$public_key,-$private_key)
 
-* Python: ed25519.py (Ed25519 authors) <br />
+* Python: ed25519.py (Ed25519 authors) <br />
 [https://ed25519.cr.yp.to/python/ed25519.py](https://ed25519.cr.yp.to/python/ed25519.py)
 
-* Python: ed25519 (Python Cryptographic Authority) <br />
+* Python: ed25519 (Python Cryptographic Authority) <br />
 [https://github.com/pyca/ed25519/blob/main/ed25519.py#L243](https://github.com/pyca/ed25519/blob/main/ed25519.py#L243)
 (*authors mention it’s unsafe against side channels anyway*)
 
-* Python: python-pure25519 (Brian Warner) <br />
+* Python: python-pure25519 (Brian Warner) <br />
 [https://github.com/warner/python-pure25519/blob/master/pure25519/eddsa.py#L21](https://github.com/warner/python-pure25519/blob/master/pure25519/eddsa.py#L21)
 
-* Python: nmed25519 (naturalmessage) <br />
+* Python: nmed25519 (naturalmessage) <br />
 [https://github.com/naturalmessage/nmed25519/blob/master/nmed25519.py#L150](https://github.com/naturalmessage/nmed25519/blob/master/nmed25519.py#L150)
 
-* Python: ed25519.py (Shiho Midorikawa) <br />
+* Python: ed25519.py (Shiho Midorikawa) <br />
 [https://gist.github.com/elliptic-shiho/f41fd75cc30646a61d7ad63043fdd56e#file-ed25519-py-L77](https://gist.github.com/elliptic-shiho/f41fd75cc30646a61d7ad63043fdd56e#file-ed25519-py-L77)
 
-* Rust: ed25519-dalek (Isis Agora Lovecruft) <br />
-[https://github.com/dalek-cryptography/ed25519-dalek/blob/main/src/secret.rs#L399](https://github.com/dalek-cryptography/ed25519-dalek/blob/main/src/secret.rs#L399)
-
-* Python: bindings for ed25519-dalek: py-ed25519-bindings <br />
+* Python: bindings for ed25519-dalek: py-ed25519-bindings <br />
 [https://github.com/polkascan/py-ed25519-bindings/blob/master/src/lib.rs#L111](https://github.com/polkascan/py-ed25519-bindings/blob/master/src/lib.rs#L111)
 
-* Swift: ed25519swift (pebble8888) <br />
+* Swift: ed25519swift (pebble8888) <br />
 [https://github.com/pebble8888/ed25519swift/blob/master/Ed25519ref/ed25519s.swift#L120](https://github.com/pebble8888/ed25519swift/blob/master/Ed25519ref/ed25519s.swift#L120)
 
 * JS: supercop.js (1p6 Flynx) <br />
@@ -211,6 +209,9 @@ Fixed in this PR: [https://github.com/Yawning/horse25519/pull/3](https://github.
 * Erlang: erlang-libdecaf <br />
 Fixed in this commit: [https://github.com/potatosalad/erlang-libdecaf/commit/16ba07ea122660e95f6cfa9107e28ed58bada713](https://github.com/potatosalad/erlang-libdecaf/commit/16ba07ea122660e95f6cfa9107e28ed58bada713). Logic addressed in this issue: [ed25519-unsafe-libs/issues/7](https://github.com/MystenLabs/ed25519-unsafe-libs/issues/7) *(Fix merged on August 28, 2022)*
 
+* Rust: ed25519-dalek (Isis Agora Lovecruft) <br />
+Fixed in this PR: [https://github.com/dalek-cryptography/ed25519-dalek/pull/205](https://github.com/dalek-cryptography/ed25519-dalek/pull/205) *(Fix merged on October 22, 2022)*
+
 * C: Monocypher (Loup Vaillant) <br />
 Fixed in this commit: [https://github.com/LoupVaillant/Monocypher/commit/da7b5407d20329f21a53ea993f516fb55e2f5e26](https://github.com/LoupVaillant/Monocypher/commit/da7b5407d20329f21a53ea993f516fb55e2f5e26) *(Fix merged on February 27, 2023)*