Date:      Sat, 6 Feb 2021 06:10:06 GMT
From:      Peter Grehan <grehan@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 6136a10e355a - stable/13 - Always clamp curve25519 keys prior to use.
Message-ID:  <202102060610.1166A6hq085678@gitrepo.freebsd.org>

The branch stable/13 has been updated by grehan:

URL: https://cgit.FreeBSD.org/src/commit/?id=6136a10e355a7a837edecbccbed04c34b4bc32c9

commit 6136a10e355a7a837edecbccbed04c34b4bc32c9
Author:     Peter Grehan <grehan@FreeBSD.org>
AuthorDate: 2021-02-03 09:05:09 +0000
Commit:     Peter Grehan <grehan@FreeBSD.org>
CommitDate: 2021-02-06 04:01:18 +0000

    Always clamp curve25519 keys prior to use.
    
    This fixes an issue where a private key contained bits that should
    have been cleared by the clamping process, but were passed through
    to the scalar multiplication routine and resulted in an invalid
    public key.
    
    Issue diagnosed (and an initial fix proposed) by shamaz.mazum in
    PR 252894.
    
    This fix suggested by Jason Donenfeld.
    
    PR:             252894
    Reported by:    shamaz.mazum
    
    (cherry picked from commit 5aaea4b99e5cc724e97e24a68876e8768d3d8012)
---
 sys/dev/if_wg/module/curve25519.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/dev/if_wg/module/curve25519.c b/sys/dev/if_wg/module/curve25519.c
index e21d00bd2818..16f0b0337eb6 100644
--- a/sys/dev/if_wg/module/curve25519.c
+++ b/sys/dev/if_wg/module/curve25519.c
@@ -767,6 +767,7 @@ void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
 	u8 e[32];
 
 	memcpy(e, scalar, 32);
+	curve25519_clamp_secret(e);
 
 	/* The following implementation was transcribed to Coq and proven to
 	 * correspond to unary scalar multiplication in affine coordinates given
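Review bot: the new `curve25519_clamp_secret(e);` line should carry a short comment explaining why the clamp lives here, since to a later reader it looks redundant with the clamping done when a key is generated and is at risk of being removed as such; something like `/* Callers may pass an unclamped secret (PR 252894); clamp is idempotent. */` would do. Clamping the local copy `e` immediately after `memcpy(e, scalar, 32)` is the right place, because the caller's `scalar` buffer is left untouched and every code path through `curve25519_generic` now sees a scalar with the low three bits and bit 255 cleared and bit 254 set, which is what RFC 7748's decodeScalar25519 requires of X25519 itself rather than of its callers. Since the hunk only touches `curve25519_generic`, please confirm that any non-generic (architecture-specific) entry point in this module, if one exists, either clamps the scalar itself or is reached through this function, and that `e` is still cleared before the function returns now that it is guaranteed to hold a usable secret.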



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202102060610.1166A6hq085678>
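The commit message describes a private key whose unclamped bits reached the scalar multiplication and produced a wrong public key. The following is an added example, not code from the if_wg module or from this commit: a pure-Python X25519 per RFC 7748 (Montgomery ladder, function names `clamp`, `x25519` and `public_key` are this example's own choices) that computes the RFC 7748 section 6.1 key pairs and shared secret with the scalar clamped, then shows that feeding the same secret without clamping yields a different public key, and that clamping is idempotent, so clamping inside the multiplication routine is harmless for callers that already clamp. The test vectors are the published RFC ones; the rest is assumed for illustration.

```python
"""X25519 (RFC 7748) in pure Python, to show why Curve25519 secret scalars
are clamped before scalar multiplication. Added example, not the if_wg code."""

P = 2**255 - 19                 # field prime
A24 = 121665                    # (A - 2) / 4 for y^2 = x^3 + 486662 x^2 + x
BASE_U = (9).to_bytes(32, "little")   # u-coordinate of the base point


def clamp(scalar: bytes) -> bytes:
    """RFC 7748 decodeScalar25519: clear the 3 low bits (cofactor 8),
    clear bit 255, set bit 254 (fixed ladder length)."""
    e = bytearray(scalar)
    e[0] &= 248
    e[31] &= 127
    e[31] |= 64
    return bytes(e)


def _decode_u(u: bytes) -> int:
    # Receivers mask the top bit of the u-coordinate (RFC 7748 section 5).
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def _cswap(swap: int, a: int, b: int):
    # Branch-free conditional swap: all-ones mask when swap == 1, else 0.
    mask = -swap & ((1 << 256) - 1)
    d = mask & (a ^ b)
    return a ^ d, b ^ d


def _ladder(k: int, u: int) -> int:
    # Montgomery ladder exactly as in RFC 7748 section 5, bits 254..0.
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def x25519(scalar: bytes, u: bytes, clamp_scalar: bool = True) -> bytes:
    """X25519(scalar, u). clamp_scalar=False reproduces the bug: the raw
    scalar bits go straight into the ladder."""
    k = int.from_bytes(clamp(scalar) if clamp_scalar else scalar, "little")
    return _ladder(k, _decode_u(u)).to_bytes(32, "little")


def public_key(secret: bytes, clamp_scalar: bool = True) -> bytes:
    return x25519(secret, BASE_U, clamp_scalar)


# RFC 7748 section 6.1 test vectors (published values, not constructed here).
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_SK = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PK = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")


def clamping_matters(secret: bytes = ALICE_SK) -> bool:
    """True when skipping the clamp changes the derived public key for this
    secret (Alice's key has low bits 0b111 and bit 254 clear, so it does)."""
    return public_key(secret, clamp_scalar=False) != public_key(secret)


if __name__ == "__main__":
    print("alice pk ok:", public_key(ALICE_SK) == ALICE_PK)
    print("shared ok:", x25519(ALICE_SK, BOB_PK) == x25519(BOB_SK, ALICE_PK) == SHARED)
    print("unclamped pk differs:", clamping_matters())
    print("clamp idempotent:", clamp(clamp(ALICE_SK)) == clamp(ALICE_SK))
```

Running this shows the two properties the fix relies on: the unclamped scalar reaches a different point, which is the invalid public key the report describes, and clamping an already-clamped secret changes nothing, so doing it unconditionally inside the multiplication routine costs callers nothing.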