From 0c462cff112589fc52d13da6c919f881cb6d3f8c Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Thu, 1 Sep 2016 13:35:23 +0100 Subject: Fix Ed25519 keypair generation Ed25519 private keys, it turns out, have 64 bytes, not 32. We were previously generating only 32 bytes (which is all that is required to generate the public key), and then using the public key as the upper 32 bytes when generating the per-message session key. This meant that everything appeared to work, but the security of the private key was severely compromised. By way of fixes: * Use the correct algorithm for generating the Ed25519 private key, and store all 512 bits of it. * Update the account pickle format and refuse to load the old format (since we should consider it compromised). * Bump the library version, and add a function to retrieve the library version, so that applications can verify that they are linked against a fixed version of the library. * Remove the curve25519_{sign, verify} functions which were unused and of dubious quality. --- tests/test_crypto.cpp | 29 ----------------------------- tests/test_olm.cpp | 27 +++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 29 deletions(-) (limited to 'tests') diff --git a/tests/test_crypto.cpp b/tests/test_crypto.cpp index 1041538..175f66f 100644 --- a/tests/test_crypto.cpp +++ b/tests/test_crypto.cpp @@ -83,35 +83,6 @@ assert_equals(expected_agreement, actual_agreement, 32); } /* Curve25529 Test Case 1 */ -{ /* Curve25519 Signature Test Case 1 */ -TestCase test_case("Curve25519 Signature Test Case 1"); - -std::uint8_t private_key[33] = "This key is a string of 32 bytes"; -std::uint8_t message[] = "message"; -std::size_t message_length = sizeof(message) - 1; - -olm::Curve25519KeyPair key_pair; -olm::curve25519_generate_key(private_key, key_pair); - -std::uint8_t signature[64]; - -olm::curve25519_sign( - key_pair, message, message_length, signature -); - -bool result = olm::curve25519_verify( - key_pair, message, message_length, signature -); -assert_equals(true, result); - -message[0] = 'n'; -result = olm::curve25519_verify( - key_pair, message, message_length, signature -); -assert_equals(false, result); - -} /* Curve25519 Signature Test Case 1 */ - { TestCase test_case("Ed25519 Signature Test Case 1"); std::uint8_t private_key[33] = "This key is a string of 32 bytes"; diff --git a/tests/test_olm.cpp b/tests/test_olm.cpp index de7e236..af2c9f7 100644 --- a/tests/test_olm.cpp +++ b/tests/test_olm.cpp @@ -65,6 +65,33 @@ assert_equals(pickle1, pickle2, pickle_length); } + +{ + TestCase test_case("Old account unpickle test"); + + // this uses the old pickle format, which did not use enough space + // for the Ed25519 key. We should reject it. + std::uint8_t pickle[] = + "x3h9er86ygvq56pM1yesdAxZou4ResPQC9Rszk/fhEL9JY/umtZ2N/foL/SUgVXS" + "v0IxHHZTafYjDdzJU9xr8dQeBoOTGfV9E/lCqDGBnIlu7SZndqjEKXtzGyQr4sP4" + "K/A/8TOu9iK2hDFszy6xETiousHnHgh2ZGbRUh4pQx+YMm8ZdNZeRnwFGLnrWyf9" + "O5TmXua1FcU"; + + std::uint8_t account_buffer[::olm_account_size()]; + ::OlmAccount *account = ::olm_account(account_buffer); + assert_equals( + std::size_t(-1), + ::olm_unpickle_account( + account, "", 0, pickle, sizeof(pickle)-1 + ) + ); + assert_equals( + std::string("BAD_LEGACY_ACCOUNT_PICKLE"), + std::string(::olm_account_last_error(account)) + ); +} + + { /** Pickle session test */ TestCase test_case("Pickle session test"); -- cgit v1.2.3