xfnw/plan9fox
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

libsec: move zero check to curve25519_dh_finish()

Browse source 
As checking for all zero has to be done in a timing-safe
way to avoid a side channel, it is best todo this here
instead of letting the caller deal with it.

This adds a return type of int to curve25519_dh_finish()
where returning 0 means we got a all zero shared key.

RFC7748 states:

The check for the all-zero value results from the fact
that the X25519 function produces that value if it
operates on an input corresponding to a point with small
order, where the order divides the cofactor of the curve.
This commit is contained in:
cinap_lenrek 2021-06-20 14:41:26 +00:00
parent 6dd2c638b6
commit 57d95c7325
5 changed files with 10 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
sys/include/libsec.h
View file

@ -575,7 +575,7 @@ void curve25519(uchar mypublic[32], uchar secret[32], uchar basepoint[32]);
/* Curve25519 diffie hellman */
void curve25519_dh_new(uchar x[32], uchar y[32]);
void curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32]);
int curve25519_dh_finish(uchar x[32], uchar y[32], uchar z[32]);
/* password-based key derivation function 2 (rfc2898) */
void pbkdf2_x(uchar *p, ulong plen, uchar *s, ulong slen, ulong rounds, uchar *d, ulong dlen,