Medium severity6.5NVD Advisory· Published Nov 17, 2017· Updated May 13, 2026
CVE-2017-1000168
CVE-2017-1000168
Description
sodiumoxide 0.0.13 and older scalarmult() vulnerable to degenerate public keys
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sodiumoxidecrates.io | < 0.0.14 | 0.0.14 |
Affected products
1- cpe:2.3:a:sodiumoxide_project:sodiumoxide:*:*:*:*:*:*:*:*Range: <=0.0.13
Patches
124c7a5550807Check the return value of `scalarmult()`. Closes #154
1 file changed · +55 −46
src/crypto/scalarmult/curve25519.rs+55 −46 modified@@ -23,14 +23,20 @@ new_type! { /// `scalarmult()` multiplies a group element `p` /// by an integer `n`. It returns the resulting group element -/// `q`. +/// `Ok(q)`. +/// If the the `GroupElement` is all zero, `scalarmult()` returns `Err(())` since +/// the resulting `GroupElement` would be all zero, no matter the `Scalar`. pub fn scalarmult(&Scalar(ref n): &Scalar, - &GroupElement(ref p): &GroupElement) -> GroupElement { + &GroupElement(ref p): &GroupElement) + -> Result<GroupElement, ()> { let mut q = [0; GROUPELEMENTBYTES]; unsafe { - ffi::crypto_scalarmult_curve25519(&mut q, n, p); + if ffi::crypto_scalarmult_curve25519(&mut q, n, p) != 0 { + Err(()) + } else { + Ok(GroupElement(q)) + } } - GroupElement(q) } /// `scalarmult_base()` computes the scalar product of a standard @@ -47,74 +53,77 @@ pub fn scalarmult_base(&Scalar(ref n): &Scalar) -> GroupElement { #[cfg(test)] mod test { use super::*; + use randombytes::randombytes_into; #[test] fn test_vector_1() { // corresponding to tests/scalarmult.c and tests/scalarmult3.cpp from NaCl - let alicesk = Scalar([0x77,0x07,0x6d,0x0a,0x73,0x18,0xa5,0x7d - ,0x3c,0x16,0xc1,0x72,0x51,0xb2,0x66,0x45 - ,0xdf,0x4c,0x2f,0x87,0xeb,0xc0,0x99,0x2a - ,0xb1,0x77,0xfb,0xa5,0x1d,0xb9,0x2c,0x2a]); - let alicepk_expected = [0x85,0x20,0xf0,0x09,0x89,0x30,0xa7,0x54 - ,0x74,0x8b,0x7d,0xdc,0xb4,0x3e,0xf7,0x5a - ,0x0d,0xbf,0x3a,0x0d,0x26,0x38,0x1a,0xf4 - ,0xeb,0xa4,0xa9,0x8e,0xaa,0x9b,0x4e,0x6a]; + let alicesk = Scalar([0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 0x3c, 0x16, 0xc1, + 0x72, 0x51, 0xb2, 0x66, 0x45, 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, + 0x99, 0x2a, 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a]); + let alicepk_expected = [0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 0x74, 0x8b, 0x7d, + 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, + 0x1a, 0xf4, 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a]; let GroupElement(alicepk) = scalarmult_base(&alicesk); assert!(alicepk == alicepk_expected); } #[test] fn test_vector_2() { // corresponding to tests/scalarmult2.c and tests/scalarmult4.cpp from NaCl - let bobsk = Scalar([0x5d,0xab,0x08,0x7e,0x62,0x4a,0x8a,0x4b - ,0x79,0xe1,0x7f,0x8b,0x83,0x80,0x0e,0xe6 - ,0x6f,0x3b,0xb1,0x29,0x26,0x18,0xb6,0xfd - ,0x1c,0x2f,0x8b,0x27,0xff,0x88,0xe0,0xeb]); - let bobpk_expected = [0xde,0x9e,0xdb,0x7d,0x7b,0x7d,0xc1,0xb4 - ,0xd3,0x5b,0x61,0xc2,0xec,0xe4,0x35,0x37 - ,0x3f,0x83,0x43,0xc8,0x5b,0x78,0x67,0x4d - ,0xad,0xfc,0x7e,0x14,0x6f,0x88,0x2b,0x4f]; + let bobsk = Scalar([0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 0x79, 0xe1, 0x7f, + 0x8b, 0x83, 0x80, 0x0e, 0xe6, 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, + 0xb6, 0xfd, 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb]); + let bobpk_expected = [0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, 0xd3, 0x5b, 0x61, + 0xc2, 0xec, 0xe4, 0x35, 0x37, 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, + 0x67, 0x4d, 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f]; let GroupElement(bobpk) = scalarmult_base(&bobsk); assert!(bobpk == bobpk_expected); } #[test] fn test_vector_3() { // corresponding to tests/scalarmult5.c and tests/scalarmult7.cpp from NaCl - let alicesk = Scalar([0x77,0x07,0x6d,0x0a,0x73,0x18,0xa5,0x7d - ,0x3c,0x16,0xc1,0x72,0x51,0xb2,0x66,0x45 - ,0xdf,0x4c,0x2f,0x87,0xeb,0xc0,0x99,0x2a - ,0xb1,0x77,0xfb,0xa5,0x1d,0xb9,0x2c,0x2a]); - let bobpk = GroupElement([0xde,0x9e,0xdb,0x7d,0x7b,0x7d,0xc1,0xb4 - ,0xd3,0x5b,0x61,0xc2,0xec,0xe4,0x35,0x37 - ,0x3f,0x83,0x43,0xc8,0x5b,0x78,0x67,0x4d - ,0xad,0xfc,0x7e,0x14,0x6f,0x88,0x2b,0x4f]); - let k_expected = [0x4a,0x5d,0x9d,0x5b,0xa4,0xce,0x2d,0xe1 - ,0x72,0x8e,0x3b,0xf4,0x80,0x35,0x0f,0x25 - ,0xe0,0x7e,0x21,0xc9,0x47,0xd1,0x9e,0x33 - ,0x76,0xf0,0x9b,0x3c,0x1e,0x16,0x17,0x42]; - let GroupElement(k) = scalarmult(&alicesk, &bobpk); + let alicesk = Scalar([0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d, 0x3c, 0x16, 0xc1, + 0x72, 0x51, 0xb2, 0x66, 0x45, 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, + 0x99, 0x2a, 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a]); + let bobpk = GroupElement([0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4, 0xd3, 0x5b, + 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37, 0x3f, 0x83, 0x43, 0xc8, + 0x5b, 0x78, 0x67, 0x4d, 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, + 0x2b, 0x4f]); + let k_expected = [0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 0x72, 0x8e, 0x3b, 0xf4, + 0x80, 0x35, 0x0f, 0x25, 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, + 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42]; + let GroupElement(k) = scalarmult(&alicesk, &bobpk).unwrap(); assert!(k == k_expected); } #[test] fn test_vector_4() { // corresponding to tests/scalarmult6.c from NaCl - let bobsk = Scalar([0x5d,0xab,0x08,0x7e,0x62,0x4a,0x8a,0x4b - ,0x79,0xe1,0x7f,0x8b,0x83,0x80,0x0e,0xe6 - ,0x6f,0x3b,0xb1,0x29,0x26,0x18,0xb6,0xfd - ,0x1c,0x2f,0x8b,0x27,0xff,0x88,0xe0,0xeb]); - let alicepk = GroupElement([0x85,0x20,0xf0,0x09,0x89,0x30,0xa7,0x54 - ,0x74,0x8b,0x7d,0xdc,0xb4,0x3e,0xf7,0x5a - ,0x0d,0xbf,0x3a,0x0d,0x26,0x38,0x1a,0xf4 - ,0xeb,0xa4,0xa9,0x8e,0xaa,0x9b,0x4e,0x6a]); - let k_expected = [0x4a,0x5d,0x9d,0x5b,0xa4,0xce,0x2d,0xe1 - ,0x72,0x8e,0x3b,0xf4,0x80,0x35,0x0f,0x25 - ,0xe0,0x7e,0x21,0xc9,0x47,0xd1,0x9e,0x33 - ,0x76,0xf0,0x9b,0x3c,0x1e,0x16,0x17,0x42]; - let GroupElement(k) = scalarmult(&bobsk, &alicepk); + let bobsk = Scalar([0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b, 0x79, 0xe1, 0x7f, + 0x8b, 0x83, 0x80, 0x0e, 0xe6, 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, + 0xb6, 0xfd, 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb]); + let alicepk = GroupElement([0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54, 0x74, 0x8b, + 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a, 0x0d, 0xbf, 0x3a, 0x0d, + 0x26, 0x38, 0x1a, 0xf4, 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, + 0x4e, 0x6a]); + let k_expected = [0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1, 0x72, 0x8e, 0x3b, 0xf4, + 0x80, 0x35, 0x0f, 0x25, 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33, + 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42]; + let GroupElement(k) = scalarmult(&bobsk, &alicepk).unwrap(); assert!(k == k_expected); } + + #[test] + #[should_panic] + fn test_all_zero() { + let mut sk = [0; SCALARBYTES]; + randombytes_into(&mut sk); + let sk = Scalar(sk); + let pk = GroupElement([0; GROUPELEMENTBYTES]); + let _ = scalarmult(&sk, &pk).unwrap(); + } } #[cfg(feature = "benchmarks")]
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-2wc6-2rcj-8v76ghsaADVISORY
- github.com/dnaq/sodiumoxide/issues/154nvdIssue TrackingThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-1000168ghsaADVISORY
- github.com/sodiumoxide/sodiumoxide/commit/24c7a5550807ac8a09648b5878f19d14c3a69135ghsaWEB
- rustsec.org/advisories/RUSTSEC-2017-0001.htmlghsaWEB
News mentions
0No linked articles in our index yet.