[tor-bugs] #22006 [Core Tor/Tor]: prop224: Validate ed25519 pubkeys to remove torsion component

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 27 13:29:20 UTC 2017


#22006: prop224: Validate ed25519 pubkeys to remove torsion component
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  asn
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.2.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs, prop224, ed25519, review-    |  Actual Points:
  group-18                                       |
Parent ID:  #21888                               |         Points:
 Reviewer:  nickm, isis                          |        Sponsor:
                                                 |  SponsorR-can
-------------------------------------------------+-------------------------
Changes (by asn):

 * status:  needs_revision => needs_review


Comment:

 OK pushed a new branch here with the ambitious name `bug22006_final`!

 This branch:

 - Removes the old commit that validated all sorts of ed25519 pubkeys, and
 now only does it before keypinning on the dirauth side. This implements
 the behavior of comment:10.

   Note that we also need to do this check on our prop224 client-side code
 which was the original purpose of this ticket, but the prop224 code is not
 ready yet. I can make a ticket about this so we don't forget.

 - Based on isis' review, I'm now checking the retval of
 `ge25519_unpack_negative_vartime()` and also I removed the useless
 memwipes. I had to check the func signature to do the retval checking, so
 it's a non-trivial fixup commit but not hard to review.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22006#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

