RubyCrypto / rbnacl

Ruby FFI binding to the Networking and Cryptography (NaCl) library (a.k.a. libsodium)
MIT License

Curve25519.mult() supports degenerate public-keys (insecure) #152

Closed veorq closed 7 years ago

veorq commented 7 years ago

Currently Curve25519.mult() accepts all-zero public keys, for which the result (DH shared secret) will always be zero regardless of the private key used.

Against this, libsodium's crypto_scalarmult_curve25519() returns a non-zero value if it encounters such degenerate keys. You should therefore check its return value when calling self.class.scalarmult_curve25519(result, integer, @point).

Code concerned at https://github.com/cryptosphere/rbnacl/blob/d443d94fc7addc35d7ad519830b9380523551d88/lib/rbnacl/group_elements/curve25519.rb#L59

This is a similar issue as just reported to sodiumoxide https://github.com/dnaq/sodiumoxide/issues/154
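The degenerate case and the check the report asks for, as an added example (pure Ruby, not rbnacl's or libsodium's code): the X25519 ladder is a transcription of RFC 7748 so the block runs without libsodium, and the names `scalarmult_unchecked`, `scalarmult_checked` and `DegeneratePublicKey` are assumed here. The secret key in the demo is the RFC 7748 section 6.1 "Alice" key; the all-zero public key is the constructed input from the report.

```ruby
# Added example, not rbnacl's or libsodium's code: a pure-Ruby X25519
# (RFC 7748 Montgomery ladder) plus the two wrappers discussed in the issue.
# The ladder branches on secret bits, so it is illustration only, not a
# constant-time implementation.
P25519 = 2**255 - 19  # field prime
A24 = 121_665         # (A - 2) / 4 for curve25519's A = 486662

def le_bytes_to_int(bytes)
  bytes.each_with_index.sum { |b, i| b << (8 * i) }
end

# Scalar decoding with RFC 7748 clamping.
def decode_scalar(sk)
  raise ArgumentError, "secret key must be 32 bytes" unless sk.bytesize == 32
  k = sk.bytes
  k[0] &= 248
  k[31] &= 127
  k[31] |= 64
  le_bytes_to_int(k)
end

# u-coordinate decoding: mask the top bit, reduce mod p.
def decode_u(pk)
  raise ArgumentError, "public key must be 32 bytes" unless pk.bytesize == 32
  u = pk.bytes
  u[31] &= 127
  le_bytes_to_int(u) % P25519
end

def encode_u(u)
  Array.new(32) { |i| (u >> (8 * i)) & 0xff }.pack("C*")
end

# RFC 7748 section 5 ladder; returns the u-coordinate of k * P as an Integer.
def x25519(k, u)
  x1 = u
  x2, z2 = 1, 0
  x3, z3 = u, 1
  swap = 0
  254.downto(0) do |t|
    kt = (k >> t) & 1
    swap ^= kt
    if swap == 1
      x2, x3 = x3, x2
      z2, z3 = z3, z2
    end
    swap = kt
    a  = (x2 + z2) % P25519
    aa = a * a % P25519
    b  = (x2 - z2) % P25519
    bb = b * b % P25519
    e  = (aa - bb) % P25519
    c  = (x3 + z3) % P25519
    d  = (x3 - z3) % P25519
    da = d * a % P25519
    cb = c * b % P25519
    x3 = (da + cb)**2 % P25519
    z3 = x1 * (da - cb)**2 % P25519
    x2 = aa * bb % P25519
    z2 = e * (aa + A24 * e) % P25519
  end
  if swap == 1
    x2, x3 = x3, x2
    z2, z3 = z3, z2
  end
  x2 * z2.pow(P25519 - 2, P25519) % P25519  # 0 when z2 == 0 (the identity)
end

# What the issue describes: the raw multiplication with no check. For an
# all-zero public key the result is all zeros for every secret key.
def scalarmult_unchecked(sk, pk)
  encode_u(x25519(decode_scalar(sk), decode_u(pk)))
end

def scalarmult_base(sk)
  scalarmult_unchecked(sk, encode_u(9))
end

class DegeneratePublicKey < StandardError; end

# The fix: honour the contract of crypto_scalarmult_curve25519, which
# returns -1 when the computed point is all zeros, instead of ignoring it.
def scalarmult_checked(sk, pk)
  shared = scalarmult_unchecked(sk, pk)
  raise DegeneratePublicKey, "scalarmult produced the all-zero point" if shared.bytes.all?(&:zero?)
  shared
end

if __FILE__ == $PROGRAM_NAME
  sk = ["77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"].pack("H*")  # RFC 7748 Alice
  zero_pk = "\x00".b * 32  # constructed degenerate public key
  puts "shared with all-zero pk: #{scalarmult_unchecked(sk, zero_pk).unpack1('H*')}"
  begin
    scalarmult_checked(sk, zero_pk)
  rescue DegeneratePublicKey => e
    puts "checked wrapper: #{e.message}"
  end
end
```

In a real binding the ladder is libsodium's and only the wrapper matters: the FFI call returns an Integer, and dropping it is exactly what lets the zero result through. The checked wrapper here raises where libsodium returns -1, so a caller cannot mistake the all-zero point for a usable shared secret.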

tarcieri commented 7 years ago

I'll try to get #153 closed out this weekend. Thanks for pointing this out @veorq; it was sadly overlooked (my bad).

tarcieri commented 7 years ago

Fixed in #157

tarcieri commented 7 years ago

Fix released as 4.0.2