
Commit 362758d

SignatureEd25519: fix vulnerability in net.i2p.crypto:eddsa:0.3.0
net.i2p.crypto:eddsa:0.3.0 has a bug and omits a crucial check in signature verification. This was reported as CVE-2020-36843 [1] (signature malleability). The problem affects signature verification, but luckily the missing check can also be performed outside of the library. With this commit we do so and verify that the second 32 bytes of the signature are actually in the range [0..L), [2] with L the order as given in RFC 7748. [3] This means that the use of net.i2p.crypto:eddsa:0.3.0, if used for ed25519 signatures via Apache MINA SSHD, is safe and **not** subject to CVE-2020-36843. Of course, vulnerability scanners will still report the vulnerability.

Note that Apache MINA SSHD has only a completely optional dependency on net.i2p.crypto:eddsa:0.3.0. If that artifact is not present in the application using Apache MINA SSHD, Apache MINA SSHD will still work. In that case, ed25519 is supported via Bouncy Castle.

[1] https://www.cve.org/CVERecord?id=CVE-2020-36843
[2] https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7
[3] https://www.rfc-editor.org/rfc/rfc7748.html#section-4.1
1 parent 084e69b commit 362758d

2 files changed

Lines changed: 42 additions & 0 deletions


CHANGES.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,9 @@
3434

3535
## New Features
3636

37+
* [GH-814](https://github.com/apache/mina-sshd/pull/814) Include a fix for CVE-2020-36843 in optional dependency net.i2p.crypto:eddsa:0.3.0: perform the missing range check in Apache MINA SSHD before delegating to the signature verification in net.i2p.crypto:eddsa:0.3.0. This means that using net.i2p.crypto:eddsa:0.3.0 in Apache MINA SSHD is
38+
safe despite that CVE in the dependency.
39+
3740
## Potential Compatibility Issues
3841

3942
## Major Code Re-factoring
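Review bot: The new entry sits under "## New Features", but it describes a security hardening that works around CVE-2020-36843 in an optional dependency, not a feature; if CHANGES.md has a bug-fix or security section, move it there so people scanning the changelog for CVE-related changes find it. The text should also say what the "missing range check" is, e.g. "checks that the second 32 bytes of the signature (S) encode a value strictly below the group order L, as required by RFC 8032 section 5.1.7", so a reader can confirm it matches the CVE's description (signature malleability) without opening the source.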

sshd-common/src/main/java/org/apache/sshd/common/util/security/eddsa/SignatureEd25519.java

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@
1818
*/
1919
package org.apache.sshd.common.util.security.eddsa;
2020

21+
import java.security.SignatureException;
22+
2123
import net.i2p.crypto.eddsa.EdDSAEngine;
2224
import org.apache.sshd.common.util.security.eddsa.generic.GenericSignatureEd25519;
2325

@@ -27,7 +29,44 @@
2729
* @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
2830
*/
2931
public class SignatureEd25519 extends GenericSignatureEd25519 {
32+
33+
// See https://www.rfc-editor.org/rfc/rfc7748.html#section-4.1
34+
// 2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed; little-endian
35+
private static final int[] ED25519_ORDER = { //
36+
0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, //
37+
0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, //
38+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //
39+
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 //
40+
};
41+
3042
public SignatureEd25519() {
3143
super(EdDSAEngine.SIGNATURE_ALGORITHM);
3244
}
45+
46+
@Override
47+
protected boolean doVerify(byte[] data) throws SignatureException {
48+
// Fix CVE 2020-36843 in net.i2p.crypto.eddsa 0.3.0: check that s is in the range [0 .. L), where
49+
// L is the order.
50+
//
51+
// Note: Wikipedia says 0 < S < L. https://en.wikipedia.org/w/index.php?title=EdDSA&oldid=1304068429
52+
// RFC 8032 says 0 <= S < L. https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7
53+
//
54+
// We stick to RFC 8032 here.
55+
if (data.length != 64 || !isValidFactor(data)) {
56+
return false;
57+
}
58+
return super.doVerify(data);
59+
}
60+
61+
private static boolean isValidFactor(byte[] sig) {
62+
// Must be strictly smaller than the field order (little-endian).
63+
for (int i = 31; i >= 0; i--) {
64+
int y = (sig[i + 32] & 0xFF) - ED25519_ORDER[i];
65+
if (y != 0) {
66+
return y < 0;
67+
}
68+
}
69+
return false;
70+
}
71+
3372
}
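Review bot: The comment at line 62+ ("Must be strictly smaller than the field order") is inaccurate: ED25519_ORDER is the group order L (2^252 + 0x14def9dea2f79cd65812631a5cf5d3ed, the order of the base point per RFC 7748 section 4.1), not the field order p = 2^255 - 19, and a reader checking this against the CVE could confuse the two bounds; change it to "Must be strictly smaller than the group order L (little-endian)". The comparison itself is right: it walks from the most significant byte (index 31) down, decides on the first differing byte, and falls through to `return false` when S equals L, which gives exactly 0 <= S < L as the doVerify comment promises. Two smaller points: `isValidFactor` and the local `y` say little about intent, `isScalarInRange` and `diff` would read better; and since both the 64-byte length check and the range check silently return false rather than throwing, please add tests for S = L - 1 (accepted), S = L and S = L + 1 (rejected), and a 63-byte signature, so the boundary behaviour is pinned down and a future library upgrade cannot quietly change it.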
