Comment by CiPHPerCoder

1 day ago

I found several libraries that simply didn't implement the check, but none that implemented it incorrectly in the same way as the vulnerability discussed above.

If you didn't receive an email from me, either your implementation isn't listed on https://ianix.com/pub/ed25519-deployment.html, I somehow missed it, or you're safe.

Did you also check all of the libraries that implement the check differently to libsodium? That's one problem with the near-universal cargo-culting of ref10, it never did any of the checking so everyone has to reinvent it themselves in different ways. It might be useful to have a single known-good check for both x25519 and ed25519 that people could integrate into their own ref10-derived code.

For people not familiar with the size of the mess we're in here, see https://hdevalence.ca/blog/2020-10-04-its-25519am/. There was another study published before then which found that no two implementations used the same checks, and none of them were compliant with RFC 8032, the alleged standard for Ed25519.

  • > Did you also check all of the libraries that implement the check differently to libsodium?

    Yes, but it was a breadth-first search sourced from the ianix webpage, so I certainly missed some details somewhere. I'll continue to search over the coming weeks in my spare time (if I can get any).
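As an added example of the "single known-good check for both x25519 and ed25519" the comment above asks for, here is a pure-Python reference (my code, not from the thread, libsodium, ref10 or any library on the ianix list). It assumes one particular policy: reject non-canonical Ed25519 point encodings and small-order points, require the signature scalar S to be below L as RFC 8032 demands, and reject an all-zero X25519 output as RFC 7748 section 6.1 recommends. Constants and formulas follow RFC 7748 and RFC 8032; the function names are mine.

```python
# Added example, not code from the thread or from libsodium: a compact set of
# "known-good" input checks of the kind asked for above, in pure Python with no
# dependencies. Constants and formulas follow RFC 7748 and RFC 8032.

p = 2**255 - 19                                        # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the prime-order subgroup
d = (-121665 * pow(121666, p - 2, p)) % p              # Ed25519 curve constant d = -121665/121666
SQRT_M1 = pow(2, (p - 1) // 4, p)                      # a square root of -1 mod p
IDENTITY = (0, 1)                                      # neutral element of the Edwards curve


def _inv(x):
    return pow(x, p - 2, p)                            # inverse by Fermat; inv(0) = 0 by convention


def decode_ed25519_point(enc):
    """RFC 8032 5.1.3 decoding. Returns (x, y) or None if the encoding must be rejected."""
    if len(enc) != 32:
        return None
    y = int.from_bytes(enc, "little")
    sign = y >> 255                                    # top bit carries the parity of x
    y &= (1 << 255) - 1
    if y >= p:
        return None                                    # non-canonical: y in [p, 2^255) duplicates y - p
    x2 = (y * y - 1) * _inv(d * y * y + 1) % p         # x^2 = (y^2 - 1) / (d y^2 + 1)
    x = pow(x2, (p + 3) // 8, p)                       # candidate root, valid because p = 5 (mod 8)
    if (x * x - x2) % p != 0:
        x = x * SQRT_M1 % p
    if (x * x - x2) % p != 0:
        return None                                    # no square root: y is not on the curve
    if x == 0 and sign == 1:
        return None                                    # RFC 8032: x = 0 with the sign bit set is invalid
    if (x & 1) != sign:
        x = p - x
    return (x, y)


def _add(P, Q):
    """Affine addition on the twisted Edwards curve (a = -1); complete for this curve."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + x2 * y1) * _inv((1 + t) % p) % p
    y3 = (y1 * y2 + x1 * x2) * _inv((1 - t) % p) % p
    return (x3, y3)


def is_small_order(P):
    """True when P is in the torsion subgroup, i.e. 8*P is the identity."""
    Q = P
    for _ in range(3):                                 # three doublings = multiply by 8
        Q = _add(Q, Q)
    return Q == IDENTITY


def ed25519_point_is_acceptable(enc):
    """Combined check: canonical encoding, on the curve, and not of small order."""
    P = decode_ed25519_point(enc)
    return P is not None and not is_small_order(P)


def ed25519_s_is_canonical(sig):
    """RFC 8032 5.1.7: the scalar S in a signature must be reduced, i.e. S < L."""
    return len(sig) == 64 and int.from_bytes(sig[32:], "little") < L


def x25519(k_bytes, u_bytes):
    """RFC 7748 X25519 via the Montgomery ladder; returns the raw 32-byte u-coordinate."""
    k = int.from_bytes(k_bytes, "little")
    k &= (1 << 254) - 1 - 7                            # clamp: clear bits 0-2 and 254-255 ...
    k |= 1 << 254                                      # ... then set bit 254
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        A, B = (x2 + z2) % p, (x2 - z2) % p
        AA, BB = A * A % p, B * B % p
        E = (AA - BB) % p
        C, D = (x3 + z3) % p, (x3 - z3) % p
        DA, CB = D * A % p, C * B % p
        x3 = (DA + CB) * (DA + CB) % p
        z3 = x1 * (DA - CB) * (DA - CB) % p
        x2 = AA * BB % p
        z2 = E * (AA + 121665 * E) % p
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * _inv(z2) % p).to_bytes(32, "little")


def x25519_checked(k_bytes, u_bytes):
    """X25519 plus the RFC 7748 6.1 check: an all-zero output means the peer's point
    had small order and the result must not be used as a shared secret."""
    out = x25519(k_bytes, u_bytes)
    return None if out == bytes(32) else out
```

It is written for clarity rather than speed or constant time, so it suits a test harness or a reference to diff a ref10-derived implementation against, not a hot path. Which of these checks a verifier enforces, and whether verification is cofactored, is precisely where the surveyed implementations diverge, so anyone adopting such a layer should write down the policy it encodes alongside the code.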