2018-05-26 09:46 CEST

View Issue Details
ID: 0005328
Project: GNUnet
Category: util library
View Status: public
Last Update: 2018-05-22 13:26
Reporter: Christian Grothoff
Assigned To:
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: SVN HEAD
Target Version: 0.10.2
Fixed in Version:
Summary: 0005328: GNUNET_CRYPTO_eddsa_ecdh() fails "randomly"
Description: The routine is supposed to do a DH between an EdDSA key and an ECDHE key. It usually works fine, but sometimes the derived secrets differ. The chance is more like 1:100, and so far we see it _always_ happen for 1% of the EdDSA keys (and then seemingly with any ECDHE key).

The very low failure rate suggests it is not a simple bit-flip error, as the chance for this seems to be a bit too low. Jeff suspects it may be a bug on an obscure code path in libgcrypt.
Steps To Reproduce: Change the #define CRYPTO_BUG to 0 in crypto_bug.c to disable the mitigation in Git. Then run test_crypto_ecdh_eddsa. It may not fail every time, but given the new number of iterations it should fail most of the time.

Additional Information: The crypto_bug code adds a mitigation to GNUnet which tests if an EdDSA key is affected by the bug and then simply creates a fresh one (if possible). For peers where a previously generated hostkey is affected, the mitigation will prevent it from even starting up properly, and users will have to manually delete them using:

$ rm `gnunet-config -f -s peer -o private_key`

(mind the BACK-ticks).
Tags: No tags attached.
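
The property this report says is violated, and a self-test in the spirit of the mitigation described under Additional Information, as an added example (it is not GNUnet's crypto_bug.c and does not reproduce the suspected libgcrypt fault): both sides of an EdDSA/ECDHE exchange on Ed25519 must derive the same secret, and a key that fails the check is discarded and a fresh one generated. The pure-Python curve arithmetic, the SHA-512 of the x-coordinate as key derivation, the random ECDHE scalars and all function names are assumptions of this example.

```python
import hashlib, os

P = 2**255 - 19                          # field prime
D = -121665 * pow(121666, P - 2, P) % P  # Ed25519 curve constant d
GY = 4 * pow(5, P - 2, P) % P            # base point y = 4/5
_xx = (GY * GY - 1) * pow(D * GY * GY + 1, P - 2, P) % P
GX = pow(_xx, (P + 3) // 8, P)           # square-root candidate (P % 8 == 5)
if (GX * GX - _xx) % P:
    GX = GX * pow(2, (P - 1) // 4, P) % P
G = (P - GX if GX & 1 else GX, GY)       # the base point has even x

def add(p, q):
    """Complete twisted-Edwards addition (a = -1), affine coordinates."""
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = (0, 1)                         # neutral element
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def eddsa_scalar(seed):
    """Secret scalar an EdDSA seed expands to (RFC 8032 clamping)."""
    a = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254)

def kdf(point):                          # assumed KDF: SHA-512 of x-coordinate
    return hashlib.sha512(point[0].to_bytes(32, "little")).digest()

def eddsa_ecdh(eddsa_seed, ecdhe_pub):   # side holding the EdDSA private key
    return kdf(mul(eddsa_scalar(eddsa_seed), ecdhe_pub))

def ecdh_eddsa(ecdhe_scalar, eddsa_pub): # side holding the ECDHE private key
    return kdf(mul(ecdhe_scalar, eddsa_pub))

def key_is_consistent(seed, trials=3, eddsa_side=eddsa_ecdh):
    """True if both sides agree for `trials` fresh (constructed) ECDHE keys."""
    pub = mul(eddsa_scalar(seed), G)
    scalars = [1 + int.from_bytes(os.urandom(31), "little") for _ in range(trials)]
    return all(eddsa_side(seed, mul(d, G)) == ecdh_eddsa(d, pub) for d in scalars)

def fresh_eddsa_seed(check=key_is_consistent):
    """Generate seeds until one passes the self-test."""
    seed = os.urandom(32)
    while not check(seed):
        seed = os.urandom(32)
    return seed
```

Passing a different `eddsa_side` lets the same check be pointed at the implementation under suspicion instead of the reference arithmetic above.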

Christian Grothoff (manager)

This was seen using libgcrypt 1.7.6 (gnunet.org) and 1.8.2 (Julius).


ng0 (developer)

Same for libgcrypt 1.8.2 here.

Issue History
Date Modified Username Field Change
2018-05-17 13:14 Christian Grothoff New Issue
2018-05-17 13:40 Christian Grothoff Note Added: 0012929
2018-05-22 13:26 ng0 Note Added: 0012946