curve25519-dalek

`Scalar` gets copied when moved, revealing the secret value.

Open RajeshRk18 opened this issue 1 year ago • 9 comments

Scalar holds an array of elements that implement the Copy trait. Thus, the array gets copied when moved, which reveals the value.

I have reproduced the issue here: https://gist.github.com/RajeshRk18/eb10e3506c83c196d69116e86e0910e5

I have made the Scalar field public to reproduce this issue.

Impact:

Whenever a user does operations with its private key, there is a high chance that the private key gets revealed.

Recommendation:

Wrap the byte array with Box, as cloning the Box is cheap and now the byte array won't be moved. Let the library user decide which Scalar type (Boxed/Unboxed) he will use according to the context.

RajeshRk18, Oct 03 '23 03:10
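The storage difference the issue describes, as an added Rust example (not code from the issue, the linked gist, or curve25519-dalek): it records where the key bytes live before and after a move, for an inline array and for a boxed one. `InlineSecret`, `BoxedSecret` and their methods are hypothetical names, and the 0x42 bytes are a constructed stand-in for a key.

```rust
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Inline storage, as in the issue: a move may memcpy the 32 bytes elsewhere.
pub struct InlineSecret(pub [u8; 32]);

/// Hypothetical wrapper (not a curve25519-dalek type): a move copies only the
/// pointer. No Clone/Copy on purpose: cloning a Box duplicates its contents.
pub struct BoxedSecret(Box<[u8; 32]>);

impl BoxedSecret {
    /// Fill the key in place so it never exists as a by-value array.
    pub fn new_with(fill: impl FnOnce(&mut [u8; 32])) -> Self {
        let mut b = Box::new([0u8; 32]);
        fill(&mut *b);
        BoxedSecret(b)
    }
    pub fn bytes(&self) -> &[u8; 32] { &self.0 }
    pub fn wipe(&mut self) {
        for byte in self.0.iter_mut() {
            unsafe { ptr::write_volatile(byte, 0) }; // store is not elided
        }
        compiler_fence(Ordering::SeqCst);
    }
}

impl Drop for BoxedSecret {
    fn drop(&mut self) { self.wipe(); }
}

/// Address of the key bytes before and after moving the owner to the heap.
pub fn inline_addrs() -> (usize, usize) {
    let s = InlineSecret([0x42; 32]); // constructed sample key
    let before = s.0.as_ptr() as usize;
    let moved = Box::new(s); // move: the bytes are copied to a new location
    (before, moved.0.as_ptr() as usize)
}

pub fn boxed_addrs() -> (usize, usize) {
    let s = BoxedSecret::new_with(|k| k.fill(0x42)); // constructed sample key
    let before = s.bytes().as_ptr() as usize;
    let moved = Box::new(s); // move: only the pointer is copied
    (before, moved.bytes().as_ptr() as usize)
}

fn main() {
    println!("inline: {:x?}", inline_addrs());
    println!("boxed:  {:x?}", boxed_addrs());
}
```

The inline pair shows two different addresses, so a wipe of the final location leaves the first copy untouched; the boxed pair shows one address, which `Drop` wipes.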