Noise Explorer is Symbolic Software’s online engine for reasoning about Noise Protocol Framework Handshake Patterns. It allows users to design Noise Handshake Patterns, generate formal verification models, explore pre-computed formal verification results, and generate secure software implementations in Go, Rust and WebAssembly.

We’ve updated Noise Explorer to address two bugs in its Rust and WebAssembly code generation templates. These bugs affected all Noise protocol implementations generated by Noise Explorer versions 1.0.4 and earlier. Users who have generated Rust or WebAssembly implementations using Noise Explorer should regenerate their code using version 1.0.5 or later.

A security advisory has been published: GHSA-6pc6-w328-gw8x.

Bug 1: Public Key Validation Bypass (Rust Only)

The first bug was located in the Rust code generation template (src/rs/1types.rs). The PublicKey::from_str() function bypassed small-order Curve25519 point validation, allowing an attacker to supply a low-order public key. A Diffie-Hellman operation with a small-order point produces a predictable all-zero shared secret, which could lead to a loss of message confidentiality.

This bug affected generated Rust implementations only. Go and WebAssembly implementations were not affected.
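The defensive pattern for this class of bug is to route every constructor, including string parsing, through a single validating path. The sketch below is an added example, not Noise Explorer's generated code: apart from `PublicKey::from_str`, the names (`KeyError`, `from_bytes`, `is_low_order`, `decode_hex32`) are hypothetical, and keys are assumed to arrive as 64 hex characters.

```rust
// Added example (not Noise Explorer output); helper names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum KeyError { BadHex, LowOrder }

pub struct PublicKey([u8; 32]);

// The two order-8 Curve25519 u-coordinates, little-endian hex.
pub const ORDER8_A: &str = "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800";
pub const ORDER8_B: &str = "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157";

fn decode_hex32(s: &str) -> Result<[u8; 32], KeyError> {
    let b = s.as_bytes();
    if b.len() != 64 { return Err(KeyError::BadHex); }
    let mut out = [0u8; 32];
    for i in 0..32 {
        let hi = (b[2 * i] as char).to_digit(16).ok_or(KeyError::BadHex)?;
        let lo = (b[2 * i + 1] as char).to_digit(16).ok_or(KeyError::BadHex)?;
        out[i] = (hi * 16 + lo) as u8;
    }
    Ok(out)
}

// True if `k` encodes a low-order point: 0, 1, the two order-8 values,
// p-1, or the non-canonical encodings p and p+1 (p = 2^255 - 19).
pub fn is_low_order(k: &[u8; 32]) -> bool {
    let mut t = [[0u8; 32]; 7]; // t[0] already encodes 0
    t[1][0] = 1;
    t[2] = decode_hex32(ORDER8_A).expect("valid constant");
    t[3] = decode_hex32(ORDER8_B).expect("valid constant");
    for (i, low) in [0xecu8, 0xed, 0xee].iter().enumerate() { // p-1, p, p+1
        t[4 + i] = [0xff; 32];
        t[4 + i][0] = *low;
        t[4 + i][31] = 0x7f;
    }
    let mut m = *k;
    m[31] &= 0x7f; // X25519 ignores bit 255 of the u-coordinate
    t.contains(&m)
}

impl PublicKey {
    // The one validating constructor; every other constructor must end here.
    pub fn from_bytes(k: [u8; 32]) -> Result<Self, KeyError> {
        if is_low_order(&k) { Err(KeyError::LowOrder) } else { Ok(PublicKey(k)) }
    }
    pub fn from_str(s: &str) -> Result<Self, KeyError> {
        Self::from_bytes(decode_hex32(s)?) // parse, then validate: no bypass path
    }
    pub fn as_bytes(&self) -> &[u8; 32] { &self.0 }
}

fn main() { println!("{:?}", PublicKey::from_str(ORDER8_A).err()); }
```

A regression test for generated code can feed each low-order encoding to every public constructor and require an error from all of them.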

Bug 2: Incorrect Cipherstate Rekeying (Rust and WASM)

The second bug was located in the Rust and WebAssembly code generation templates (src/rs/6processes.rs and src/wasm/6processes.rs). The rekey_remote_cipherstate function incorrectly operated on the local cipherstate instead of the remote one. This caused desynchronization between peers: after a rekey operation, subsequent sent messages would use a doubly-rekeyed key, causing decryption failures on the receiving side.

This bug affected both generated Rust and WebAssembly implementations. Go implementations were not affected.

Unaffected Components

  • All Go implementations generated by Noise Explorer.
  • All ProVerif formal verification models generated by Noise Explorer.
  • WebAssembly implementations (for the public key validation bug only).

Impact

The public key validation bypass could allow an attacker to force a predictable shared secret, undermining the confidentiality of messages encrypted under the resulting session keys. The cipherstate rekeying bug would cause communication failures between peers after a rekey operation. Neither bug affected the correctness of Noise Explorer’s formal verification models.

Resolution

Both bugs have been fixed in Noise Explorer v1.0.5. The Rust code generation templates have also been upgraded to the Rust 2024 edition with updated dependencies.

Users who have previously generated Rust or WebAssembly Noise protocol implementations using Noise Explorer should regenerate their implementations using version 1.0.5 or later.

Acknowledgements

We thank Elichai Turkel for identifying both issues through code review of a generated Noise-KK Rust implementation.
