Libsodium Elliptic Curve Point Validation Vulnerability in Crypto Core Ed25519
Vulnerability
A vulnerability exists in Libsodium's low-level function 'crypto_core_ed25519_is_valid_point' prior to the ad3004e commit. The function could accept certain invalid elliptic curve points, specifically points that lie on the curve but not in the main (prime-order) subgroup. The issue affects custom cryptographic constructions that rely on this function to validate points received from untrusted sources.
Impact
The vulnerability can lead to the acceptance of invalid elliptic curve points in the Ed25519 signature scheme, potentially undermining the correctness of cryptographic operations that depend on this validation.
Reproduction
The vulnerability can be reproduced by using a version of Libsodium prior to the ad3004e commit and calling 'crypto_core_ed25519_is_valid_point' with a point that is invalid but not rejected by the validation logic. Such a point is obtained by adding a low-order point to a valid main-subgroup point: the sum is on the curve and does not itself have small order, yet it is outside the main subgroup, and the function incorrectly accepted it as valid.
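The following pure-Python model (added here; not Libsodium's code) shows why the subgroup check matters: the base point B plus an order-4 torsion point T is on the curve and passes a small-order check, yet fails the multiply-by-L membership test. The 'weak_validate' function is an assumed stand-in for validation that omits subgroup membership, not the pre-ad3004e implementation.

```python
# Ed25519 over GF(p): -x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 parameters)
p = 2**255 - 19
d = -121665 * pow(121666, p - 2, p) % p
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the main subgroup
I = pow(2, (p - 1) // 4, p)                             # sqrt(-1) mod p
IDENTITY = (0, 1)

def point_add(P, Q):  # affine addition, complete twisted-Edwards formulas (a = -1)
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow(1 + t, p - 2, p) % p
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p
    return (x3, y3)

def scalar_mult(k, P):  # plain double-and-add: fine for public points, not secret scalars
    R, Q = IDENTITY, P
    while k:
        if k & 1:
            R = point_add(R, Q)
        Q, k = point_add(Q, Q), k >> 1
    return R

def is_on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % p == 0
def has_small_order(P):       # P lies in the 8-torsion subgroup
    return scalar_mult(8, P) == IDENTITY
def is_in_main_subgroup(P):   # [L]P = O iff P lies in the prime-order subgroup
    return scalar_mult(L, P) == IDENTITY
def weak_validate(P):         # assumed stand-in for a check that skips subgroup membership
    return is_on_curve(P) and not has_small_order(P)
def strict_validate(P):       # what a caller checking untrusted points actually needs
    return weak_validate(P) and is_in_main_subgroup(P)

def base_point():             # B: y = 4/5, x the even square root (RFC 8032 decoding)
    y = 4 * pow(5, p - 2, p) % p
    x2 = (y * y - 1) * pow(d * y * y + 1, p - 2, p) % p
    x = pow(x2, (p + 3) // 8, p)
    x = x * I % p if (x * x - x2) % p else x
    return (p - x if x & 1 else x, y)

def demo():  # constructed inputs: B (valid), T = (sqrt(-1), 0) of order 4, and B + T
    B, T = base_point(), (I, 0)
    mixed = point_add(B, T)
    return {
        "B_strict": strict_validate(B),          # True
        "T_weak": weak_validate(T),              # False: small order is caught
        "mixed_weak": weak_validate(mixed),      # True: on curve and [8](B+T) = [8]B != O
        "mixed_strict": strict_validate(mixed),  # False: [L](B+T) = T != O
    }
```

Because L is odd, multiplying B + T by L cancels B but leaves T behind, which is exactly what the membership test detects.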
Remediation
Update to a version of Libsodium that includes the ad3004e fix (any current release). Downloads are available from the Libsodium GitHub releases page.