commit fe5a9db1e6d32f6d706140a6ddda6b40db80434a
parent 399518da022ea94bd0644082e29012a51aec5697
Author: George Kadianakis <desnacked@riseup.net>
Date: Fri, 30 Jul 2021 16:35:48 +0300
Disable ed25519-donna's batch verification.
Fixes bug 40078.
As reported by hdevalence our batch verification logic can cause an assert
crash.
The assert happens because when the batch verification of ed25519-donna fails,
the code in `ed25519_checksig_batch()` falls back to doing a single
verification for each signature.
The crash occurs because batch verification failed, but then all signatures
individually verified just fine.
That's because batch verification and single verification use a different
equation which means that there are sigs that can pass single verification
but fail batch verification.
Fixing this would require modding ed25519-donna which is not in scope for
this ticket, and will be soon deprecated in favor of arti and
ed25519-dalek, so my branch instead removes batch verification.
Diffstat:
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/changes/bug40078 b/changes/bug40078
@@ -0,0 +1,3 @@
+ o Minor bugfix (crypto):
+ - Disable the unused batch verification feature of ed25519-donna. Fixes
+ bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
+\ No newline at end of file
diff --git a/src/lib/crypt_ops/crypto_ed25519.c b/src/lib/crypt_ops/crypto_ed25519.c
@@ -102,7 +102,7 @@ static const ed25519_impl_t impl_donna = {
ed25519_donna_open,
ed25519_donna_sign,
- ed25519_sign_open_batch_donna,
+ NULL, /* Don't use donna's batching code because of #40078 */
ed25519_donna_blind_secret_key,
ed25519_donna_blind_public_key,
