authorPeter Grehan <grehan@FreeBSD.org>2021-02-03 09:05:09 +0000
committerPeter Grehan <grehan@FreeBSD.org>2021-02-03 09:05:09 +0000
commit5aaea4b99e5cc724e97e24a68876e8768d3d8012 (patch)
tree96fc6ce1d83ff381b3847b4c709f18dcdc68d288
parent9b131f1e51a00c8bbbda32672fb5db88010400f6 (diff)
Always clamp curve25519 keys prior to use.
This fixes an issue where a private key contained bits that should have been cleared by the clamping process, but were passed through to the scalar multiplication routine and resulted in an invalid public key. Issue diagnosed (and an initial fix proposed) by shamaz.mazum in PR 252894. This fix suggested by Jason Donenfeld. PR: 252894 Reported by: shamaz.mazum Reviewed by: dch MFC after: 3 days
-rw-r--r--sys/dev/if_wg/module/curve25519.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/dev/if_wg/module/curve25519.c b/sys/dev/if_wg/module/curve25519.c
index e21d00bd2818..16f0b0337eb6 100644
--- a/sys/dev/if_wg/module/curve25519.c
+++ b/sys/dev/if_wg/module/curve25519.c
@@ -767,6 +767,7 @@ void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
u8 e[32];
memcpy(e, scalar, 32);
+ curve25519_clamp_secret(e);
/* The following implementation was transcribed to Coq and proven to
* correspond to unary scalar multiplication in affine coordinates given