secret connection check all zeroes #3347
Merged
5 commits
1c14653 reject the shared secret if it is all zeros in case the blacklist was not (liamsi)
f802a10 Add test that verifies lower order pub-keys are rejected at the DH step (liamsi)
ce0fba7 Update changelog (liamsi)
66acbb8 Merge branch 'develop' into ismail/secret_conn_check_all_zeros (liamsi)
08192fb fix typo in test-comment (liamsi)
@@ -29,7 +29,10 @@ const aeadSizeOverhead = 16 // overhead of poly 1305 authentication tag | |||||
const aeadKeySize = chacha20poly1305.KeySize | ||||||
const aeadNonceSize = chacha20poly1305.NonceSize | ||||||
|
||||||
var ErrSmallOrderRemotePubKey = errors.New("detected low order point from remote peer") | ||||||
var ( | ||||||
ErrSmallOrderRemotePubKey = errors.New("detected low order point from remote peer") | ||||||
ErrSharedSecretIsZero = errors.New("shared secret is all zeroes") | ||||||
) | ||||||
|
||||||
// SecretConnection implements net.Conn. | ||||||
// It is an implementation of the STS protocol. | ||||||
|
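Review bot: the two exported error values in the new var block (ErrSmallOrderRemotePubKey, ErrSharedSecretIsZero) carry no doc comments, so they appear undocumented in godoc; suggest a one-line comment on each, e.g. `// ErrSharedSecretIsZero is returned when the X25519 shared secret is all zeroes, i.e. the remote ephemeral key was a low-order point.` Saying there that the zero check is the second line of defence behind the small-order blacklist also tells future readers why both errors exist.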
@@ -90,7 +93,10 @@ func MakeSecretConnection(conn io.ReadWriteCloser, locPrivKey crypto.PrivKey) (* | |||||
locIsLeast := bytes.Equal(locEphPub[:], loEphPub[:]) | ||||||
|
||||||
// Compute common diffie hellman secret using X25519. | ||||||
dhSecret := computeDHSecret(remEphPub, locEphPriv) | ||||||
dhSecret, err := computeDHSecret(remEphPub, locEphPriv) | ||||||
if err != nil { | ||||||
return nil, err | ||||||
} | ||||||
|
||||||
// generate the secret used for receiving, sending, challenge via hkdf-sha2 on dhSecret | ||||||
recvSecret, sendSecret, challenge := deriveSecretAndChallenge(dhSecret, locIsLeast) | ||||||
|
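Review bot: on the new early return `return nil, err` after computeDHSecret fails, nothing closes conn; the visible lines do not show whether callers of MakeSecretConnection close the underlying connection when it returns an error, so either confirm that they do or close it here before returning, otherwise a peer that presents a low-order ephemeral key leaves a half-open connection behind on this side.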
@@ -230,9 +236,12 @@ func (sc *SecretConnection) SetWriteDeadline(t time.Time) error { | |||||
|
||||||
func genEphKeys() (ephPub, ephPriv *[32]byte) { | ||||||
var err error | ||||||
// TODO: Probably not a problem but ask Tony: different from the rust implementation (uses x25519-dalek), | ||||||
// we do not "clamp" the private key scalar: | ||||||
// see: https://github.com/dalek-cryptography/x25519-dalek/blob/34676d336049df2bba763cc076a75e47ae1f170f/src/x25519.rs#L56-L74 | ||||||
ephPub, ephPriv, err = box.GenerateKey(crand.Reader) | ||||||
if err != nil { | ||||||
panic("Could not generate ephemeral keypairs") | ||||||
panic("Could not generate ephemeral key-pair") | ||||||
} | ||||||
return | ||||||
} | ||||||
|
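Review bot: the new TODO in genEphKeys asks an open question ("ask Tony") rather than recording a decision, and the answer is already in this thread: golang.org/x/crypto/curve25519 clamps the scalar immediately before the scalar multiplication, so an unclamped key from box.GenerateKey is not a problem. Suggest replacing the TODO with that statement and the link, e.g. `// Note: box.GenerateKey returns an unclamped scalar; curve25519 clamps it at ScalarMult time, so no clamping is needed here.` so the question is not merged as still open. The panic-message typo fix is fine.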
@@ -349,9 +358,20 @@ func deriveSecretAndChallenge(dhSecret *[32]byte, locIsLeast bool) (recvSecret, | |||||
return | ||||||
} | ||||||
|
||||||
func computeDHSecret(remPubKey, locPrivKey *[32]byte) (shrKey *[32]byte) { | ||||||
// computeDHSecret computes a shared secret Diffie-Hellman secret | ||||||
// from a the own local private key and the others public key. | ||||||
Suggested change
Ouch 🙈 Will submit a mini-followup PR
||||||
// | ||||||
// It returns an error if the computed shared secret is all zeroes. | ||||||
func computeDHSecret(remPubKey, locPrivKey *[32]byte) (shrKey *[32]byte, err error) { | ||||||
shrKey = new([32]byte) | ||||||
curve25519.ScalarMult(shrKey, locPrivKey, remPubKey) | ||||||
|
||||||
// reject if the returned shared secret is all zeroes | ||||||
// related to: https://github.com/tendermint/tendermint/issues/3010 | ||||||
zero := new([32]byte) | ||||||
if subtle.ConstantTimeCompare(shrKey[:], zero[:]) == 1 { | ||||||
return nil, ErrSharedSecretIsZero | ||||||
} | ||||||
return | ||||||
} | ||||||
|
||||||
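Review bot: the doc comment reads "computes a shared secret Diffie-Hellman secret from a the own local private key and the others public key"; suggest "computes the shared Diffie-Hellman secret from the local private key and the remote peer's public key." The body also mixes an explicit `return nil, ErrSharedSecretIsZero` with a bare `return` on the success path; with named results, an explicit `return shrKey, nil` reads clearer. The check itself is the right one: aborting on an all-zero output is exactly the condition RFC 7748 section 6.1 specifies for X25519, and subtle.ConstantTimeCompare returning 1 on equality is used correctly.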
@tarcieri: box.GenerateKey does not "clamp" the private key. Does this pose a problem? Or should we just ignore this as we will switch to noise soon anyways?

Curve25519 canonical scalars are always unclamped. Clamping is performed immediately prior to scalar multiplication (which avoids your exact worry about canonical scalars being "pre-clamped" or not):
https://github.com/golang/crypto/blob/master/curve25519/curve25519.go#L789
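The two points made on this page, that the scalar is clamped inside the scalar multiplication rather than at key generation, and that a low-order remote key makes the X25519 output all zeroes so the caller must reject it, shown together as an added Go example (not code from the PR or from tendermint). It implements the RFC 7748 Montgomery ladder with math/big, clamping the scalar just before multiplying as golang.org/x/crypto/curve25519 does, wraps it in a computeDHSecret written like the PR's, and cross-checks the ladder against the standard library's crypto/ecdh (Go 1.20 or later). The names x25519Raw and crossCheckWithStdlib and the sample private key are this example's own assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// ErrSharedSecretIsZero is the error the PR introduces for an all-zero X25519 output.
var ErrSharedSecretIsZero = errors.New("shared secret is all zeroes")

var (
	// p = 2^255 - 19, the Curve25519 field prime.
	p = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 255), big.NewInt(19))
	// a24 = (486662 - 2) / 4, the curve constant used by the Montgomery ladder.
	a24 = big.NewInt(121665)
	// basePoint is the X25519 generator u = 9, little-endian.
	basePoint = [32]byte{9}
)

func add(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Add(a, b), p) }
func sub(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Sub(a, b), p) }
func mul(a, b *big.Int) *big.Int { return new(big.Int).Mod(new(big.Int).Mul(a, b), p) }

// fromLE interprets 32 little-endian bytes as an integer.
func fromLE(b [32]byte) *big.Int {
	var be [32]byte
	for i := range b {
		be[31-i] = b[i]
	}
	return new(big.Int).SetBytes(be[:])
}

// toLE encodes a reduced field element as 32 little-endian bytes.
func toLE(x *big.Int) (out [32]byte) {
	be := x.Bytes()
	for i, b := range be {
		out[len(be)-1-i] = b
	}
	return out
}

// x25519Raw is the RFC 7748 ladder (example code, not the x/crypto implementation).
// It clamps the scalar itself, so callers may hand over unclamped canonical scalars,
// and, like curve25519.ScalarMult, it does NOT reject low-order inputs: for those it
// returns all zeroes, which is why computeDHSecret has to check the output.
func x25519Raw(scalar, u [32]byte) [32]byte {
	scalar[0] &= 248 // clamp: clear the cofactor bits ...
	scalar[31] &= 127
	scalar[31] |= 64 // ... and pin bit 254
	k := fromLE(scalar)
	u[31] &= 127 // RFC 7748: ignore the unused top bit of u
	x1 := fromLE(u)
	x2, z2 := big.NewInt(1), big.NewInt(0) // identity
	x3, z3 := new(big.Int).Set(x1), big.NewInt(1)
	swap := uint(0)
	for t := 254; t >= 0; t-- {
		kt := k.Bit(t)
		swap ^= kt
		if swap == 1 {
			x2, x3 = x3, x2
			z2, z3 = z3, z2
		}
		swap = kt
		A, B := add(x2, z2), sub(x2, z2)
		AA, BB := mul(A, A), mul(B, B)
		E := sub(AA, BB)
		C, D := add(x3, z3), sub(x3, z3)
		DA, CB := mul(D, A), mul(C, B)
		s, d := add(DA, CB), sub(DA, CB)
		x3, z3 = mul(s, s), mul(x1, mul(d, d))
		x2 = mul(AA, BB)
		z2 = mul(E, add(AA, mul(a24, E)))
	}
	if swap == 1 {
		x2, x3 = x3, x2
		z2, z3 = z3, z2
	}
	// x2 / z2 by Fermat inversion; z2 == 0 (the identity) yields 0, i.e. all zeroes.
	inv := new(big.Int).Exp(z2, new(big.Int).Sub(p, big.NewInt(2)), p)
	return toLE(mul(x2, inv))
}

// computeDHSecret mirrors the PR's function: derive the shared secret and reject
// an all-zero result with a constant-time comparison.
func computeDHSecret(remPubKey, locPrivKey *[32]byte) (*[32]byte, error) {
	shr := x25519Raw(*locPrivKey, *remPubKey)
	zero := new([32]byte)
	if subtle.ConstantTimeCompare(shr[:], zero[:]) == 1 {
		return nil, ErrSharedSecretIsZero
	}
	return &shr, nil
}

// crossCheckWithStdlib verifies the ladder against crypto/ecdh on a fresh key pair.
func crossCheckWithStdlib() error {
	a, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	b, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	var aPriv, bPub [32]byte
	copy(aPriv[:], a.Bytes())
	copy(bPub[:], b.PublicKey().Bytes())
	want, err := a.ECDH(b.PublicKey())
	if err != nil {
		return err
	}
	got, err := computeDHSecret(&bPub, &aPriv)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("ladder disagrees with crypto/ecdh")
	}
	return nil
}

func main() {
	fmt.Println("self-check:", crossCheckWithStdlib())
	priv := [32]byte{0x42, 1, 2, 3} // constructed sample scalar, not a real key
	for _, low := range [][32]byte{{0}, {1}} { // u = 0 and u = 1 are low-order points
		_, err := computeDHSecret(&low, &priv)
		fmt.Printf("low-order u=%d -> %v\n", low[0], err)
	}
	_, err := computeDHSecret(&basePoint, &priv)
	fmt.Println("base point ->", err)
}
```

Running it prints a nil self-check, ErrSharedSecretIsZero for u = 0 and u = 1, and nil for the base point. The ladder deliberately has no blacklist: the zero check alone is what turns the silent all-zero output into an error the handshake can act on.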