From owner-dev-commits-src-branches@freebsd.org Sat Feb 6 06:10:06 2021 Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Date: Sat, 6 Feb 2021 06:10:06 GMT Message-Id: <202102060610.1166A6hq085678@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: Peter Grehan Subject: git: 6136a10e355a - stable/13 - Always clamp curve25519 keys prior to use. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: grehan X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 6136a10e355a7a837edecbccbed04c34b4bc32c9 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Feb 2021 06:10:06 -0000 The branch stable/13 has been updated by grehan: URL: https://cgit.FreeBSD.org/src/commit/?id=6136a10e355a7a837edecbccbed04c34b4bc32c9 commit 6136a10e355a7a837edecbccbed04c34b4bc32c9 Author: Peter Grehan AuthorDate: 2021-02-03 09:05:09 +0000 Commit: Peter Grehan CommitDate: 2021-02-06 04:01:18 +0000 Always clamp curve25519 keys prior to use. This fixes an issue where a private key contained bits that should have been cleared by the clamping process, but were passed through to the scalar multiplication routine and resulted in an invalid public key. Issue diagnosed (and an initial fix proposed) by shamaz.mazum in PR 252894. This fix suggested by Jason Donenfeld. PR: 252894 Reported by: shamaz.mazum (cherry picked from commit 5aaea4b99e5cc724e97e24a68876e8768d3d8012) --- sys/dev/if_wg/module/curve25519.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/dev/if_wg/module/curve25519.c b/sys/dev/if_wg/module/curve25519.c index e21d00bd2818..16f0b0337eb6 100644 --- a/sys/dev/if_wg/module/curve25519.c +++ b/sys/dev/if_wg/module/curve25519.c 
@@ -767,6 +767,7 @@ void curve25519_generic(u8 out[CURVE25519_KEY_SIZE], u8 e[32]; memcpy(e, scalar, 32); + curve25519_clamp_secret(e); /* The following implementation was transcribed to Coq and proven to * correspond to unary scalar multiplication in affine coordinates given
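Review bot: the clamp is applied to the local copy `e` right after `memcpy(e, scalar, 32);`, which is the right place in this hunk since it leaves the caller's key buffer untouched and clamping is idempotent, so already-clamped keys are unaffected; the two things worth confirming are (1) that this is the only scalar-multiplication entry point for this driver, since the function is named `curve25519_generic` and any non-generic backend would need the same clamp (or the clamp should move into a common wrapper), and (2) that the Coq-verified routine referenced in the comment directly below is being invoked under the scalar preconditions the proof assumes. A regression test that feeds a private key with the bits cleared by `curve25519_clamp_secret` still set, as in PR 252894, and compares the derived public key against a known-good implementation would pin this behaviour for the stable branch.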