crypto-defects.md

File metadata and controls

46 lines (40 loc) · 6.54 KB

Here is an incomplete list of defects in cryptographic implementations. We should make sure our verification rules out the possibility of similar mistakes appearing in our code.

| Reference | Specification | Implementation | Defect |
| --- | --- | --- | --- |
| openssl#3607 | P256 field element squaring | 64-bit Montgomery form, AMD64 | limb overflow |
| go#13515 | Modular exponentiation | uintptr-sized Montgomery form, Go | carry handling |
| NaCl ed25519 (p. 2) | F25519 mul, square | 64-bit pseudo-Mersenne, AMD64 | carry handling |
| openssl#0c687d7e | Poly1305 | 32-bit pseudo-Mersenne, x86 and ARM | bad truncation |
| openssl#ef5c9b11 | Modular exponentiation | 64-bit Montgomery form, AMD64 | carry handling |
| nettle#09e3ce4d | secp-256r1 modular reduction | | carry handling |
| socat#7 | DH in Z*p | irrelevant | non-prime p |
| invalid-curve | NIST ECDH | irrelevant | not onCurve |
| donna#8edc799f | F25519 internal to wire | 32-bit pseudo-Mersenne, C | non-canonical |
| end-to-end#340 | Curve25519 library | twisted Edwards coordinates | (0, 1) = ∞ |
| CVE-2006-4339 | RSA-PKCS-1 sig. verification | irrelevant | padding check |
| CVE-2014-3570 | Bignum squaring | asm | limb overflow |
| ic#237002094 | Barrett reduction for p256 | 1 conditional subtraction instead of 2 | unknown if ok |
| openssl#1593 | P384 modular reduction | | carry handling, exploitable |
| go#fa09811d | poly1305 reduction | AMD64 asm, missing subtraction of 3 | found quickly |
| jose-adobe | ECDH-ES | 5 libraries | not onCurve |
| tweetnacl-m[15] | GF(2^255-19) freeze | bit-twiddly C | bounds? typo? |
| tweetnacl-U32 | irrelevant | bit-twiddly C | sizeof(long)!=32 |
| CVE-2017-3732 | x^2 mod m | Montgomery form, AMD64 assembly | carry, exploitable |
| openssl#c2633b8f | a + b mod p256 | Montgomery form, AMD64 assembly | non-canonical |
| openssl#59dfcabf | Weier. affine <-> Jacobian | Montgomery form, AMD64 and C | ∞ confusion |
| openssl#a970db05 | Poly1305 | Lazy reduction in x86 asm | lost bit 59 |
| openssl#6825d74b | Poly1305 | AVX2 addition and reduction | bounds? |
| openssl#74acf42c | Poly1305 | multiple implementations | incorrect carrying |
| ed25519.py | Ed25519 | accepts signatures other impls reject | missing h mod l |
| CryptoNote | Anti-double-spending tag | additive curve25519 curve point | need order(P) = l |
| bitcoin#eed71d85 | ECDSA-secp256k1 x*B | mixed addition Jacobian+Affine | missing case |
| openjdk#01781d7e | EC scalarmult | mixed addition Jacobian+Affine | missing case |
| openssl/openssl#6687 | Ed25519 | 64-bit pseudo-Mersenne, x86 | incorrect handling of partially reduced values |
| go#43786 / CVE-2021-3114 | P224 | | confusion of > with >=?; underflow |

Not a bug, but still relevant:

| Reference | Specification | Implementation | Defect |
| --- | --- | --- | --- |
| ref/sc25519.c:84 | x mod (order of Curve25519) | Barrett reduction (code is likely correct) | "XXX" comment |

Not covered in the above list: memory mismanagement (buffer overrun, use-after-free, uninitialized read, null dereference), timing attacks (branch, cache, instruction). While these issues are very important, there are good programming disciplines for avoiding them without verifying intricate details of the computation.
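Several rows above (donna#8edc799f, tweetnacl-m[15], openssl#c2633b8f) are the same defect class: limb arithmetic that carries correctly but leaves values in [p, 2^255) encoded non-canonically. The following is an added example, not code from this list or from any of the projects it cites: a toy 5×51-bit representation of GF(2^255-19) with a carry pass, a canonicalizing freeze, and a differential check against Python integers on the edge-case inputs where such bugs hide; the limb layout and function names are the example's own assumptions.

```python
# Added example (not from the page): differential test of a GF(2^255-19)
# "freeze" against Python big integers on edge-case inputs.
P = 2**255 - 19
MASK = 2**51 - 1          # five 51-bit limbs, radix 2^51 (assumed layout)

def to_int(h):
    return sum(l << (51 * i) for i, l in enumerate(h))

def loose_limbs(x):
    # Unreduced input: low limbs masked, top limb keeps all remaining bits.
    return [(x >> (51 * i)) & MASK for i in range(4)] + [x >> 204]

def carry(h):
    # Propagate carries; a carry out of bit 255 wraps back as +19.
    # Two passes leave every limb < 2^51, i.e. value < 2^255 (but maybe >= p).
    t = list(h)
    for _ in range(2):
        for i in range(4):
            t[i + 1] += t[i] >> 51
            t[i] &= MASK
        t[0] += 19 * (t[4] >> 51)
        t[4] &= MASK
    return t

def freeze(h):
    # Input limbs < 2^51. Adding 19 overflows bit 255 exactly when value >= p,
    # and (value + 19) - 2^255 == value - p, so one conditional subtraction
    # suffices. The select is written with masks to mirror constant-time code.
    t = list(h)
    t[0] += 19
    for i in range(4):
        t[i + 1] += t[i] >> 51
        t[i] &= MASK
    q = t[4] >> 51        # 1 iff value >= p
    t[4] &= MASK
    m = -q                # all ones if q == 1, else 0
    return [(t[i] & m) | (h[i] & ~m) for i in range(5)]

def canonical(h):
    return freeze(carry(h))

def carry_only(h):
    # The defect class: carries, but never subtracts p before serialization.
    return carry(h)

# Constructed edge cases: around 0, p, 2p and the 255/256-bit boundaries.
EDGE = [0, 1, 18, 19, P - 1, P, P + 1, 2 * P - 1, 2**255 - 1, 2**255, 2**256 - 1]

def failures(reduce_fn):
    # Inputs for which reduce_fn's output disagrees with x mod p.
    return [x for x in EDGE if to_int(reduce_fn(loose_limbs(x))) != x % P]
```

`failures(canonical)` is empty, while `failures(carry_only)` lists the non-canonical cases p, p+1 and 2^255-1; the same harness with random inputs is a cheap first line of defence before formal verification.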