Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Auto merge of #4359 - str4d:2872-upgrade-libsodium, r=str4d
Upgrade libsodium to 1.0.18 Includes patches that maintain consensus compatibility with libsodium 1.0.15 for Ed25519 pubkey and signature validation. Replaces #4239. Closes #2872.
- Loading branch information
Showing
5 changed files
with
171 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
diff -ur libsodium-1.0.18-orig/src/libsodium/crypto_sign/ed25519/ref10/open.c libsodium-1.0.18/src/libsodium/crypto_sign/ed25519/ref10/open.c | ||
--- libsodium-1.0.18-orig/src/libsodium/crypto_sign/ed25519/ref10/open.c 2019-05-18 16:32:11.000000000 -0400 | ||
+++ libsodium-1.0.18/src/libsodium/crypto_sign/ed25519/ref10/open.c 2020-01-21 18:55:22.474233831 -0500 | ||
@@ -32,8 +32,11 @@ | ||
ge25519_has_small_order(sig) != 0) { | ||
return -1; | ||
} | ||
- if (ge25519_is_canonical(pk) == 0 || | ||
- ge25519_has_small_order(pk) != 0) { | ||
+ unsigned char d = 0; | ||
+ for (int i = 0; i < 32; ++i) { | ||
+ d |= pk[i]; | ||
+ } | ||
+ if (d == 0) { | ||
return -1; | ||
} | ||
#endif |
78 changes: 78 additions & 0 deletions
78
depends/patches/libsodium/1.0.15-signature-validation.diff
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
diff -ur libsodium-1.0.18-orig/src/libsodium/crypto_sign/ed25519/ref10/open.c libsodium-1.0.18/src/libsodium/crypto_sign/ed25519/ref10/open.c | ||
--- libsodium-1.0.18-orig/src/libsodium/crypto_sign/ed25519/ref10/open.c 2019-05-18 21:32:11.000000000 +0100 | ||
+++ libsodium-1.0.18/src/libsodium/crypto_sign/ed25519/ref10/open.c 2020-02-18 00:00:08.544107613 +0000 | ||
@@ -10,6 +10,65 @@ | ||
#include "private/ed25519_ref10.h" | ||
#include "utils.h" | ||
|
||
+#ifndef ED25519_COMPAT | ||
+int | ||
+_crypto_sign_ed25519_small_order(const unsigned char p[32]) | ||
+{ | ||
+ CRYPTO_ALIGN(16) | ||
+ static const unsigned char blacklist[][32] = { | ||
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, | ||
+ { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | ||
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, | ||
+ { 0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4, | ||
+ 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6, | ||
+ 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05 }, | ||
+ { 0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, | ||
+ 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, | ||
+ 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a }, | ||
+ { 0x13, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4, | ||
+ 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6, | ||
+ 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x85 }, | ||
+ { 0xb4, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, | ||
+ 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, | ||
+ 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0xfa }, | ||
+ { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, | ||
+ { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, | ||
+ { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, | ||
+ { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, | ||
+ { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, | ||
+ { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, | ||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } | ||
+ }; | ||
+ size_t i, j; | ||
+ unsigned char c; | ||
+ | ||
+ for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { | ||
+ c = 0; | ||
+ for (j = 0; j < 32; j++) { | ||
+ c |= p[j] ^ blacklist[i][j]; | ||
+ } | ||
+ if (c == 0) { | ||
+ return 1; | ||
+ } | ||
+ } | ||
+ return 0; | ||
+} | ||
+#endif | ||
+ | ||
int | ||
_crypto_sign_ed25519_verify_detached(const unsigned char *sig, | ||
const unsigned char *m, | ||
@@ -29,7 +88,7 @@ | ||
} | ||
#else | ||
if (sc25519_is_canonical(sig + 32) == 0 || | ||
- ge25519_has_small_order(sig) != 0) { | ||
+ _crypto_sign_ed25519_small_order(sig) != 0) { | ||
return -1; | ||
} | ||
if (ge25519_is_canonical(pk) == 0 || |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
#include <gtest/gtest.h> | ||
#include <sodium.h> | ||
|
||
#include "uint256.h" | ||
#include "utilstrencodings.h" | ||
|
||
void TestLibsodiumEd25519SignatureVerification( | ||
const std::string &scope, | ||
const std::string &msg, | ||
std::vector<unsigned char> pubkey, | ||
std::vector<unsigned char> sig) | ||
{ | ||
SCOPED_TRACE(scope); | ||
|
||
EXPECT_EQ( | ||
crypto_sign_verify_detached( | ||
sig.data(), | ||
(const unsigned char*)msg.data(), msg.size(), | ||
pubkey.data()), | ||
0); | ||
} | ||
|
||
TEST(ConsensusTests, LibsodiumPubkeyValidation) { | ||
// libsodium <= 1.0.15 accepts valid signatures for a non-zero pubkey with | ||
// small order; this is currently part of our consensus rules. | ||
// libsodium >= 1.0.16 rejects all pubkeys with small order. | ||
// | ||
// These test vectors were generated by finding pairs of points (A, P) both | ||
// in the eight-torsion subgroup such that R = B + P and R = [1] B - [k] A | ||
// (where SHA512(bytes(R) || bytes(A) || message) represents k in | ||
// little-endian order, as in Ed25519). | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Test vector 1", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("0100000000000000000000000000000000000000000000000000000000000000"), | ||
ParseHex("58666666666666666666666666666666666666666666666666666666666666660100000000000000000000000000000000000000000000000000000000000000")); | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Test vector 2", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("0000000000000000000000000000000000000000000000000000000000000080"), | ||
ParseHex("58666666666666666666666666666666666666666666666666666666666666660100000000000000000000000000000000000000000000000000000000000000")); | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Test vector 3", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85"), | ||
ParseHex("da99e28ba529cdde35a25fba9059e78ecaee239f99755b9b1aa4f65df00803e20100000000000000000000000000000000000000000000000000000000000000")); | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Test vector 4", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a"), | ||
ParseHex("95999999999999999999999999999999999999999999999999999999999999990100000000000000000000000000000000000000000000000000000000000000")); | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Test vector 5", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc85"), | ||
ParseHex("13661d745ad63221ca5da0456fa618713511dc60668aa464e55b09a20ff7fc1d0100000000000000000000000000000000000000000000000000000000000000")); | ||
|
||
// libsodium <= 1.0.15 contains a blocklist of small-order points that R is | ||
// checked against. However, it does not contain all canonical small-order | ||
// points; in particular, it is missing the negative of one of the points. | ||
// | ||
// This test case is the only pair of points (A, R) both in the eight-torsion | ||
// subgroup, that satisfies R = [0] B - [k] A and also evades the blocklist. | ||
TestLibsodiumEd25519SignatureVerification( | ||
"Small order R that is not rejected by libsodium <= 1.0.15", | ||
"zcash ed25519 libsodium compatibility", | ||
ParseHex("c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a"), | ||
ParseHex("26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc850000000000000000000000000000000000000000000000000000000000000000")); | ||
} |