author | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-11-11 12:24:51 +0900 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-11-11 12:24:51 +0900 |
commit | 46f8cbc99734c77564a3b925a993fcba43da38be (patch) | |
tree | bcfdd56b8c5e13463229fa8e39c7fca45a1e9498 /src/crypto/curve25519.c | |
parent | tools: remove ioctl cruft (diff) | |
curve25519: reject deriving from NULL private keys
These aren't actually valid 25519 points pre-normalization, and rejecting
them is required so that an all-zero private key can be used to unset the
private key.
Diffstat (limited to 'src/crypto/curve25519.c')
-rw-r--r-- | src/crypto/curve25519.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/crypto/curve25519.c b/src/crypto/curve25519.c
index afc2a99..232c6d4 100644
--- a/src/crypto/curve25519.c
+++ b/src/crypto/curve25519.c
@@ -619,6 +619,10 @@ bool curve25519(u8 mypublic[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_P
 bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[CURVE25519_POINT_SIZE])
 {
 	static const u8 basepoint[CURVE25519_POINT_SIZE] __aligned(32) = { 9 };
+
+	if (unlikely(!crypto_memneq(secret, null_point, CURVE25519_POINT_SIZE)))
+		return false;
+
 #ifdef CONFIG_X86_64
 	if (curve25519_use_avx && irq_fpu_usable()) {
 		kernel_fpu_begin();
@@ -1676,6 +1680,9 @@ bool curve25519_generate_public(u8 pub[CURVE25519_POINT_SIZE], const u8 secret[C
 {
 	static const u8 basepoint[CURVE25519_POINT_SIZE] __aligned(32) = { 9 };
 
+	if (unlikely(!crypto_memneq(secret, null_point, CURVE25519_POINT_SIZE)))
+		return false;
+
 	return curve25519(pub, secret, basepoint);
 }
 #endif
|
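Review bot: The new guard at the top of curve25519_generate_public returns false without writing anything to `pub`, and nothing in the hunk documents that an all-zero secret is now refused, so a caller that does not check the return value would go on using whatever `pub` held before the call. A comment above the check would pin the contract: `/* An all-zero private key is the "unset" sentinel: refuse to derive from it and leave pub untouched, so callers must check the return value. */`. The wording should also stay away from calling the zero key an invalid point: if this implementation clamps the scalar the way X25519 normally does (clamping is not visible in the hunk), a zero scalar becomes a valid non-zero scalar after clamping, so this is a sentinel/policy check rather than a mathematical one. Using crypto_memneq keeps the comparison constant-time, which is the right choice for a secret-dependent branch; `null_point` is not defined in the hunk and is presumably a file-level all-zero constant. The function body continues past the end of the hunk.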
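Review bot: The non-x86 definition of curve25519_generate_public in this hunk repeats the same two-line guard verbatim from the x86_64 definition, so the two `#ifdef` variants now carry duplicated security-relevant logic that can silently drift apart (one could be changed to clear `pub` or compare a different length without the other following). A small `static inline bool curve25519_null_secret(const u8 secret[CURVE25519_POINT_SIZE])` wrapping the `!crypto_memneq(secret, null_point, CURve25519_POINT_SIZE)` test, defined once above both variants, would let each body read `if (unlikely(curve25519_null_secret(secret)))` and keep the check in one place. This variant leaves `pub` untouched on the early return, just as the x86_64 one does, so whatever contract is documented for one should be documented for the other. The enclosing `#ifdef` that selects this definition opens before the hunk.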