Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use X25519 instead of ScalarMult for safety #43

Merged
merged 2 commits into from
Apr 22, 2021
Merged

Use X25519 instead of ScalarMult for safety #43

merged 2 commits into from
Apr 22, 2021

Conversation

titanous
Copy link
Contributor

In practice we should never encounter errors, and this does not appear to be a security issue, but the ScalarMult function is deprecated (see golang/go#32670).

@AxbB36 @nbrownus @rawdigits

@AxbB36
Copy link

AxbB36 commented Apr 21, 2021

The docs recommend also replacing curve25519.ScalarBaseMult(&pubkey, &privkey) in GenerateKeypair with pubkey = curve25519.X25519(privkey, curve25519.Basepoint) (untested syntax).

nbrownus
nbrownus approved these changes Apr 21, 2021
View reviewed changes
Copy link
Contributor

@nbrownus nbrownus left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Surface level looks good from my read but I can't authoritatively speak to the differences between curve25519.X25519 and curve25519.ScalarMult, I assume very smart crypto folks worked this out for us.

The new version appears to be safer, with more error checks. I believe rollback happens appropriately in both ReadMessage and WriteMessage so I am largely unconcerned about these new underlying error conditions. The added panic is a little troubling but so is the condition that causes it.

I don't see a reason to object right now.

edit: I loaded this branch into nebula and tested on my home network with most hosts running the old curve25519.ScalarMult version, I did not observe any issues.

@titanous
Copy link
Contributor Author

PTAL, I updated GenerateKeypair to use X25519 as well.

@titanous titanous merged commit fc2bb37 into master Apr 22, 2021
@titanous titanous deleted the x25519-safe branch April 22, 2021 17:00
Mygod pushed a commit to Mygod/dnstt that referenced this pull request Jul 13, 2021
Upgrade flynn/noise to v1.0.0.
326771c 
This upgrade takes care of issues UCB-02-003, UCB-02-004, and UCB-02-006
from the 2021 security audit of Turbo Tunnel by Cure53.

GHSA-g9mp-8g3h-3c5c

UCB-02-004
flynn/noise#43

UCB-02-003, UCB-02-006:
flynn/noise#44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nbrownus nbrownus nbrownus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@titanous @AxbB36 @nbrownus