Commit fe5a9db1 authored by George Kadianakis's avatar George Kadianakis Committed by Alexander Hansen Færøy

Disable ed25519-donna's batch verification.

Fixes bug 40078.

As reported by hdevalence our batch verification logic can cause an assert
crash.

The assert happens because when the batch verification of ed25519-donna fails,
the code in `ed25519_checksig_batch()` falls back to doing a single
verification for each signature.

The crash occurs because batch verification failed, but then all signatures
individually verified just fine.

That's because batch verification and single verification use a different
equation which means that there are sigs that can pass single verification
but fail batch verification.

Fixing this would require modding ed25519-donna which is not in scope for
this ticket, and will be soon deprecated in favor of arti and
ed25519-dalek, so my branch instead removes batch verification.
parent 399518da

changes/bug40078

0 → 100644
+3 −0
  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna. Fixes
      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
 No newline at end of file
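Review bot: the wording "Disable the unused batch verification feature" sits uneasily beside the commit message, which says the crash is reached when ed25519_checksig_batch() falls back from a failed batch verification to single verification; if that path is reachable, "unused" understates the fix, so either drop the word or say in what sense the feature is unused (for example, that no caller depends on the batch result). The renderer also flags "No newline at end of file" for changes/bug40078; adding the trailing newline keeps the changes file consistent with the others.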
+1 −1
@@ -102,7 +102,7 @@ static const ed25519_impl_t impl_donna = {


  ed25519_donna_open,
  ed25519_donna_open,
  ed25519_donna_sign,
  ed25519_donna_sign,
  ed25519_sign_open_batch_donna,
  NULL, /* Don't use donna's batching code because of #40078 */


  ed25519_donna_blind_secret_key,
  ed25519_donna_blind_secret_key,
  ed25519_donna_blind_public_key,
  ed25519_donna_blind_public_key,
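Review bot: replacing ed25519_sign_open_batch_donna with NULL in impl_donna is only safe if every caller of that function pointer (per the commit message, ed25519_checksig_batch()) tests for NULL before dispatching through it; that check is not visible in this hunk, so please confirm it exists or add it in the same change, otherwise the former assert becomes a call through a NULL pointer. The comment `NULL, /* Don't use donna's batching code because of #40078 */` would also be more useful with the actual reason in one clause (batch and single verification use different equations, so a signature can pass one and fail the other), since that is what a future reader needs to know before re-enabling it.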