[Security]: Rename ExpandedSecretKey::sign_with_pubkey to dangerous_sign_with_pubkey #4154

Merged
merged 3 commits into from
Dec 11, 2024


satoshiotomakan
Collaborator

Description

The function sign_with_pubkey used in tw_keypair/src/ed25519 is vulnerable to the Chalkias attack. This vulnerability allows an attacker to use the signing function with arbitrary public keys, leading to the extraction of the private key.
This PR makes ExpandedSecretKey::sign_with_pubkey unsafe to require maintainers to pay extra attention when using it.

Ref: GHSA-7g72-jxww-q9vq

How to test

Types of changes

Checklist

  • Create pull request as draft initially, unless it's complete.
  • Add tests to cover changes as needed.
  • Update documentation as needed.
  • If there is a related Issue, mention it in the description.

If you're adding a new blockchain

  • I have read the guidelines for adding a new blockchain.
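
A toy model of the hazard described above, with a guarded wrapper that refuses a public key not derived from the secret; this is an added illustration, not Wallet Core code. The group parameters, the `DefaultHasher` stand-in for SHA-512, the `ExpandedSecret` layout and `sign_checked` are assumptions made for the example; only the name `dangerous_sign_with_pubkey` is taken from the PR title.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Toy group, constructed for illustration and NOT secure: G has prime order Q mod P.
const P: u64 = 2039;
const Q: u64 = 1019;
const G: u64 = 4;

fn pow_mod(mut b: u64, mut e: u64) -> u64 {
    let mut acc = 1;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    acc
}

// Stand-in for SHA-512 mod the group order; DefaultHasher is not a cryptographic hash.
fn h(parts: &[u64], msg: &[u8]) -> u64 {
    let mut s = DefaultHasher::new();
    parts.hash(&mut s);
    msg.hash(&mut s);
    s.finish() % Q
}

pub struct ExpandedSecret { pub scalar: u64, pub prefix: u64 }
#[derive(Debug, PartialEq)]
pub struct Signature { pub r: u64, pub s: u64 }
pub fn public_key(sk: &ExpandedSecret) -> u64 { pow_mod(G, sk.scalar) }

// Ed25519-shaped signing that trusts whatever public key the caller passes in.
pub fn dangerous_sign_with_pubkey(sk: &ExpandedSecret, pubkey: u64, msg: &[u8]) -> Signature {
    let nonce = h(&[sk.prefix], msg); // fixed by the secret prefix and the message only
    let r = pow_mod(G, nonce);
    let challenge = h(&[r, pubkey], msg); // changes with the supplied public key
    Signature { r, s: (nonce + challenge * sk.scalar) % Q }
}

// Guarded wrapper: sign only if the key matches the one derived from the secret.
pub fn sign_checked(sk: &ExpandedSecret, pubkey: u64, msg: &[u8]) -> Result<Signature, &'static str> {
    if pubkey != public_key(sk) { return Err("public key does not match secret key"); }
    Ok(dangerous_sign_with_pubkey(sk, pubkey, msg))
}

fn main() {
    let sk = ExpandedSecret { scalar: 777, prefix: 424_242 }; // constructed key material
    println!("{:?}", sign_checked(&sk, public_key(&sk), b"msg"));
    println!("{:?}", sign_checked(&sk, pow_mod(G, 5), b"msg")); // mismatched key is rejected
}
```

Because the nonce ignores the public key while the challenge depends on it, the unguarded function reuses one nonce across different challenges whenever the supplied key varies, which is why the key must be derived or checked rather than trusted.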


github-actions bot commented Dec 6, 2024

Binary size comparison

➡️ aarch64-apple-ios: 12.30 MB

➡️ aarch64-apple-ios-sim:

- 12.31 MB
+ 12.31 MB 	 +1 KB

➡️ aarch64-linux-android: 15.83 MB

➡️ armv7-linux-androideabi:

- 13.50 MB
+ 13.50 MB 	 +1 KB

➡️ wasm32-unknown-emscripten:

- 11.22 MB
+ 11.23 MB 	 +1 KB

@satoshiotomakan satoshiotomakan changed the title [Security]: Make ExpandedSecretKey::sign_with_pubkey unsafe [Security]: Rename ExpandedSecretKey::sign_with_pubkey to dangerous_sign_with_pubkey Dec 6, 2024
@satoshiotomakan satoshiotomakan merged commit a3372c9 into master Dec 11, 2024
14 checks passed
@satoshiotomakan satoshiotomakan deleted the s/ed25519-key-exposure-attack branch December 11, 2024 11:24