DaGenix / rust-crypto

A (mostly) pure-Rust implementation of various cryptographic algorithms.
Apache License 2.0

ed25519: Using short seed in keypair breaks signature and verify invariants #428

Open realcr opened 6 years ago

realcr commented 6 years ago

Hi and thank you for writing this extraordinary crate!

Summary

When using a short seed as input to the function keypair of ed25519, signature and verification invariants are violated.

Example code

// Both tests use rust-crypto 0.2.36's ed25519 API:
//   keypair(seed: &[u8]) -> ([u8; 64], [u8; 32])
//   signature(message: &[u8], secret_key: &[u8]) -> [u8; 64]
//   verify(message: &[u8], public_key: &[u8], signature: &[u8]) -> bool
use crypto::ed25519::{keypair, signature, verify};

// This test will fail: the 5-byte seed is accepted by keypair, but the
// signature produced with the returned private key does not verify under
// the returned public key.
#[test]
fn test_rust_crypto_keypair_short_seed() {
    let seed: &[u8] = &[1, 2, 3, 4, 5];
    let (private_key, public_key) = keypair(seed);

    let message = b"This is my message!";
    let sig = signature(message, &private_key);
    assert!(verify(message, &public_key, &sig));
}

// This test will pass: the seed is exactly 32 bytes.
#[test]
fn test_rust_crypto_keypair_long_seed() {
    let seed: &[u8] = &[
        0x26, 0x27, 0xf6, 0x85, 0x97, 0x15, 0xad, 0x1d, 0xd2, 0x94, 0xdd, 0xc4, 0x76, 0x19, 0x39, 0x31,
        0xf1, 0xad, 0xb5, 0x58, 0xf0, 0x93, 0x97, 0x32, 0x19, 0x2b, 0xd1, 0xc0, 0xfd, 0x16, 0x8e, 0x4e,
    ];
    let (private_key, public_key) = keypair(seed);

    let message = b"This is my message!";
    let sig = signature(message, &private_key);
    assert!(verify(message, &public_key, &sig));
}

Current behaviour: When using a short seed, the signing and verification invariants fail. This could lead to unexpected results if the user of the library doesn't know the expected seed length.

Expected behaviour: I expect that when using a short seed as input to keypair I will get correct sign and verify results, or get some error condition that says I cannot continue.

System information

rustc 1.23.0-nightly (bd0e45a32 2017-11-06)
rust-crypto = "0.2.36"
niluxv commented 6 years ago

You are right. The seed has to be 32 bytes long. Added the assert to Rust-crypto-maintained. Thanks.
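The reporter asks for either correct results or an error, and the maintainer's fix is an assert on the seed length. The following is an added example, written for this page and not code from rust-crypto or from either commenter, that enforces the 32-byte length at the API boundary with a `Result` instead of a panic: a `Seed` newtype can only be built through a length check, and a hypothetical `keypair_checked` wrapper refuses to call the keypair function with anything else. The keypair function is passed in as a parameter (an assumption made so the file compiles without the crate); with rust-crypto as a dependency the call would be `keypair_checked(seed, crypto::ed25519::keypair)`. The two seeds from the issue are reused as constructed inputs.

```rust
// Added example, not rust-crypto's code: reject any seed that is not exactly
// 32 bytes before it reaches keypair(), instead of letting the library derive
// a keypair whose signatures do not verify.
use std::convert::TryFrom;
use std::fmt;

/// Ed25519 seed (private key) length in bytes, per RFC 8032.
pub const SEED_LEN: usize = 32;

#[derive(Debug, PartialEq, Eq)]
pub enum SeedError {
    WrongLength { expected: usize, actual: usize },
}

impl fmt::Display for SeedError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            SeedError::WrongLength { expected, actual } => {
                write!(f, "ed25519 seed must be {} bytes, got {}", expected, actual)
            }
        }
    }
}

impl std::error::Error for SeedError {}

/// A seed that is, by construction, exactly SEED_LEN bytes long.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Seed([u8; SEED_LEN]);

impl Seed {
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

impl TryFrom<&[u8]> for Seed {
    type Error = SeedError;

    /// The only way to build a Seed from untrusted bytes: the length is
    /// checked here once, so every later use can rely on it.
    fn try_from(bytes: &[u8]) -> Result<Self, SeedError> {
        if bytes.len() != SEED_LEN {
            return Err(SeedError::WrongLength {
                expected: SEED_LEN,
                actual: bytes.len(),
            });
        }
        let mut out = [0u8; SEED_LEN];
        out.copy_from_slice(bytes); // cannot panic: the length was just checked
        Ok(Seed(out))
    }
}

/// Fail-closed wrapper (hypothetical, not part of rust-crypto) for a keypair
/// function with rust-crypto's shape, `fn(&[u8]) -> ([u8; 64], [u8; 32])`.
/// The function is a parameter so this file compiles without the crate; with
/// rust-crypto present the call is `keypair_checked(seed, crypto::ed25519::keypair)`.
pub fn keypair_checked<K>(seed: &[u8], keypair: K) -> Result<([u8; 64], [u8; 32]), SeedError>
where
    K: FnOnce(&[u8]) -> ([u8; 64], [u8; 32]),
{
    let seed = Seed::try_from(seed)?;
    Ok(keypair(seed.as_bytes()))
}

fn main() {
    // Constructed inputs: the two seeds from the issue above.
    let short: &[u8] = &[1, 2, 3, 4, 5];
    let long: &[u8] = &[
        0x26, 0x27, 0xf6, 0x85, 0x97, 0x15, 0xad, 0x1d, 0xd2, 0x94, 0xdd, 0xc4, 0x76, 0x19, 0x39, 0x31,
        0xf1, 0xad, 0xb5, 0x58, 0xf0, 0x93, 0x97, 0x32, 0x19, 0x2b, 0xd1, 0xc0, 0xfd, 0x16, 0x8e, 0x4e,
    ];
    for candidate in [short, long].iter() {
        match Seed::try_from(*candidate) {
            Ok(seed) => println!("accepted {}-byte seed", seed.as_bytes().len()),
            Err(e) => println!("rejected: {}", e),
        }
    }
}
```

An assert inside the library stops the silent failure but turns a bad seed into a panic; checking at the caller's boundary and returning `SeedError` lets application code decide what to do, and the `Seed` type means the length invariant is checked once rather than at every call site.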