device: uniformly check ECDH output for zeros

For some reason, this was omitted for response messages. Reported-by: z <dzm@unexpl0.red> Fixes: 8c34c4c ("First set of code review patches") Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
author: Jason A. Donenfeld <Jason@zx2c4.com> 2023-02-16 15:51:30 +0100
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2023-02-16 16:33:14 +0100
commit: c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf (patch)
tree: 801fe59cc2d9c203de1dd69bf5cf15bf5d097186 /device/noise-helpers.go
parent: 1e2c3e5a3c1463cb8c7ec92d74aa739587b6642f (diff)
download: wireguard-go-c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf.tar.gz
wireguard-go-c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/device/noise-helpers.go b/device/noise-helpers.go
index 729f8b0..c2f356b 100644
--- a/device/noise-helpers.go
+++ b/device/noise-helpers.go
@@ -9,6 +9,7 @@ import (
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/subtle"
+	"errors"
 	"hash"
 
 	"golang.org/x/crypto/blake2s"
@@ -94,9 +95,14 @@ func (sk *NoisePrivateKey) publicKey() (pk NoisePublicKey) {
 	return
 }
 
-func (sk *NoisePrivateKey) sharedSecret(pk NoisePublicKey) (ss [NoisePublicKeySize]byte) {
+var errInvalidPublicKey = errors.New("invalid public key")
+
+func (sk *NoisePrivateKey) sharedSecret(pk NoisePublicKey) (ss [NoisePublicKeySize]byte, err error) {
 	apk := (*[NoisePublicKeySize]byte)(&pk)
 	ask := (*[NoisePrivateKeySize]byte)(sk)
 	curve25519.ScalarMult(&ss, ask, apk)
-	return ss
+	if isZero(ss[:]) {
+		return ss, errInvalidPublicKey
+	}
+	return ss, nil
 }
author	Jason A. Donenfeld <Jason@zx2c4.com>	2023-02-16 15:51:30 +0100
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2023-02-16 16:33:14 +0100
commit	c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf (patch)
tree	801fe59cc2d9c203de1dd69bf5cf15bf5d097186 /device/noise-helpers.go
parent	1e2c3e5a3c1463cb8c7ec92d74aa739587b6642f (diff)
download	wireguard-go-c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf.tar.gz wireguard-go-c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf.zip