Update deprecated curve25519 functions and defend against low-order point attacks

2020-12-21 16:37:33 +00:00 · 2020-12-21 16:37:33 +00:00 · de0daac123
parent 0d3f8dd27f
commit de0daac123
5 changed files with 29 additions and 11 deletions
--- a/internal/client/auth.go
+++ b/internal/client/auth.go
@ -4,6 +4,7 @@ import (
 	"encoding/binary"
 	"github.com/cbeuw/Cloak/internal/common"
 	"github.com/cbeuw/Cloak/internal/ecdh"
+	log "github.com/sirupsen/logrus"
 )

 const (
@ -26,7 +27,10 @@ func makeAuthenticationPayload(authInfo AuthInfo) (ret authenticationPayload, sh
 		| 16 bytes | 12 bytes       | 1 byte              | 8 bytes     | 4 bytes      | 1 byte | 6 bytes    |
 		+----------+----------------+---------------------+-------------+--------------+--------+------------+
 	*/
-	ephPv, ephPub, _ := ecdh.GenerateKey(authInfo.WorldState.Rand)
+	ephPv, ephPub, err := ecdh.GenerateKey(authInfo.WorldState.Rand)
+	if err != nil {
+		log.Panicf("failed to generate ephemeral key pair: %v", err)
+	}
 	copy(ret.randPubKey[:], ecdh.Marshal(ephPub))

 	plaintext := make([]byte, 48)
@ -40,7 +44,11 @@ func makeAuthenticationPayload(authInfo AuthInfo) (ret authenticationPayload, sh
 		plaintext[41] |= UNORDERED_FLAG
 	}

-	copy(sharedSecret[:], ecdh.GenerateSharedSecret(ephPv, authInfo.ServerPubKey))
+	secret, err := ecdh.GenerateSharedSecret(ephPv, authInfo.ServerPubKey)
+	if err != nil {
+		log.Panicf("error in generating shared secret: %v", err)
+	}
+	copy(sharedSecret[:], secret)
 	ciphertextWithTag, _ := common.AESGCMEncrypt(ret.randPubKey[:12], sharedSecret[:], plaintext)
 	copy(ret.ciphertextWithTag[:], ciphertextWithTag[:])
 	return
--- a/internal/ecdh/curve25519.go
+++ b/internal/ecdh/curve25519.go
@ -68,13 +68,11 @@ func Unmarshal(data []byte) (crypto.PublicKey, bool) {
 	return &pub, true
 }

-func GenerateSharedSecret(privKey crypto.PrivateKey, pubKey crypto.PublicKey) []byte {
-	var priv, pub, secret *[32]byte
+func GenerateSharedSecret(privKey crypto.PrivateKey, pubKey crypto.PublicKey) ([]byte, error) {
+	var priv, pub *[32]byte

 	priv = privKey.(*[32]byte)
 	pub = pubKey.(*[32]byte)
-	secret = new([32]byte)

-	curve25519.ScalarMult(secret, priv, pub)
-	return secret[:]
+	return curve25519.X25519(priv[:], pub[:])
 }
--- a/internal/ecdh/curve25519_test.go
+++ b/internal/ecdh/curve25519_test.go
@ -90,11 +90,11 @@ func testECDH(t testing.TB) {
 		t.Fatalf("Unmarshal does not work")
 	}

-	secret1 = GenerateSharedSecret(privKey1, pubKey2)
+	secret1, err = GenerateSharedSecret(privKey1, pubKey2)
 	if err != nil {
 		t.Error(err)
 	}
-	secret2 = GenerateSharedSecret(privKey2, pubKey1)
+	secret2, err = GenerateSharedSecret(privKey2, pubKey1)
 	if err != nil {
 		t.Error(err)
 	}
--- a/internal/server/TLS.go
+++ b/internal/server/TLS.go
@ -79,7 +79,13 @@ func (TLS) unmarshalClientHello(ch *ClientHello, staticPv crypto.PrivateKey) (fr
 		return
 	}

-	copy(fragments.sharedSecret[:], ecdh.GenerateSharedSecret(staticPv, ephPub))
+	var sharedSecret []byte
+	sharedSecret, err = ecdh.GenerateSharedSecret(staticPv, ephPub)
+	if err != nil {
+		return
+	}
+
+	copy(fragments.sharedSecret[:], sharedSecret)
 	var keyShare []byte
 	keyShare, err = parseKeyShare(ch.extensions[[2]byte{0x00, 0x33}])
 	if err != nil {
--- a/internal/server/websocket.go
+++ b/internal/server/websocket.go
@ -84,7 +84,13 @@ func (WebSocket) unmarshalHidden(hidden []byte, staticPv crypto.PrivateKey) (fra
 		return
 	}

-	copy(fragments.sharedSecret[:], ecdh.GenerateSharedSecret(staticPv, ephPub))
+	var sharedSecret []byte
+	sharedSecret, err = ecdh.GenerateSharedSecret(staticPv, ephPub)
+	if err != nil {
+		return
+	}
+
+	copy(fragments.sharedSecret[:], sharedSecret)

 	if len(hidden[32:]) != 64 {
 		err = fmt.Errorf("%v: %v", ErrCiphertextLength, len(hidden[32:]))