[crypto] Check for all-zeros result from X25519 key exchange

RFC7748 states that it is entirely optional for X25519 Diffie-Hellman
implementations to check whether or not the result is the all-zero
value (indicating that an attacker sent a malicious public key with a
small order).  RFC8422 states that implementations in TLS must abort
the handshake if the all-zero value is obtained.

Return an error if the all-zero value is obtained, so that the TLS
code will not require knowledge specific to the X25519 curve.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/x25519.c b/src/crypto/x25519.c
index 750a2a71c43935e1632d459edd9c9e74bf0d9387..d3a19bc8e02a94f29e1540f176cbd270fcdee8a0 100644 (file)
--- a/src/crypto/x25519.c
+++ b/src/crypto/x25519.c
@@ -59,6 +59,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <stdint.h>
 #include <string.h>
 #include <assert.h>
+#include <errno.h>
 #include <ipxe/init.h>
 #include <ipxe/x25519.h>
 
@@ -781,10 +782,11 @@ static void x25519_reverse ( struct x25519_value *value ) {
  * @v base             Base point
  * @v scalar           Scalar multiple
  * @v result           Point to hold result (may overlap base point)
+ * @ret rc             Return status code
  */
-void x25519_key ( const struct x25519_value *base,
-                 const struct x25519_value *scalar,
-                 struct x25519_value *result ) {
+int x25519_key ( const struct x25519_value *base,
+                const struct x25519_value *scalar,
+                struct x25519_value *result ) {
        struct x25519_value *tmp = result;
        union x25519_quad257 point;
 
@@ -805,4 +807,7 @@ void x25519_key ( const struct x25519_value *base,
        /* Reverse result */
        bigint_done ( &point.value, result->raw, sizeof ( result->raw ) );
        x25519_reverse ( result );
+
+       /* Fail if result was all zeros (as required by RFC8422) */
+       return ( bigint_is_zero ( &point.value ) ? -EPERM : 0 );
 }

diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index 320835a3439d3eb611ce3b88583c9cf3b2400c39..060a42a33d018ff072600a184c9f06e296dc59ba 100644 (file)
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -407,6 +407,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define ERRFILE_efi_rng                      ( ERRFILE_OTHER | 0x005c0000 )
 #define ERRFILE_efi_shim             ( ERRFILE_OTHER | 0x005d0000 )
 #define ERRFILE_efi_settings         ( ERRFILE_OTHER | 0x005e0000 )
+#define ERRFILE_x25519               ( ERRFILE_OTHER | 0x005f0000 )
 
 /** @} */
 

diff --git a/src/include/ipxe/x25519.h b/src/include/ipxe/x25519.h
index 7a86c11347e34096f72e04454b3a21e8a8d5ff0e..6524abb7ddf4a0053160a67bbcf88a93b930002b 100644 (file)
--- a/src/include/ipxe/x25519.h
+++ b/src/include/ipxe/x25519.h
@@ -84,8 +84,8 @@ extern void x25519_multiply ( const union x25519_oct258 *multiplicand,
 extern void x25519_invert ( const union x25519_oct258 *invertend,
                            union x25519_quad257 *result );
 extern void x25519_reduce ( union x25519_quad257 *value );
-extern void x25519_key ( const struct x25519_value *base,
-                        const struct x25519_value *scalar,
-                        struct x25519_value *result );
+extern int x25519_key ( const struct x25519_value *base,
+                       const struct x25519_value *scalar,
+                       struct x25519_value *result );
 
 #endif /* _IPXE_X25519_H */

diff --git a/src/tests/x25519_test.c b/src/tests/x25519_test.c
index 3d781f9137ba45b0e0947347454c76a463c19ed0..3dfbd3393e5417dc3635fa88cd97a474f62946e4 100644 (file)
--- a/src/tests/x25519_test.c
+++ b/src/tests/x25519_test.c
@@ -136,6 +136,8 @@ struct x25519_key_test {
        struct x25519_value expected;
        /** Number of iterations */
        unsigned int count;
+       /** Key exchange is expected to fail (i.e. produce all-zeroes) */
+       int fail;
 };
 
 /**
@@ -143,14 +145,16 @@ struct x25519_key_test {
  *
  * @v name             Test name
  * @v COUNT            Number of iterations
+ * @v FAIL             Expected failure status
  * @v BASE             Base point
  * @v SCALAR           Scalar multiple
  * @v EXPECTED         Expected result
  * @ret test           X25519 key exchange test
  */
-#define X25519_KEY_TEST( name, COUNT, BASE, SCALAR, EXPECTED )         \
+#define X25519_KEY_TEST( name, COUNT, FAIL, BASE, SCALAR, EXPECTED )   \
        static struct x25519_key_test name = {                          \
                .count = COUNT,                                         \
+               .fail = FAIL,                                           \
                .base = { .raw = BASE },                                \
                .scalar = { .raw = SCALAR },                            \
                .expected = { .raw = EXPECTED },                        \
@@ -259,6 +263,7 @@ static void x25519_key_okx ( struct x25519_key_test *test,
        struct x25519_value scalar;
        struct x25519_value actual;
        unsigned int i;
+       int rc;
 
        /* Construct input values */
        memcpy ( &base, &test->base, sizeof ( test->base ) );
@@ -272,7 +277,12 @@ static void x25519_key_okx ( struct x25519_key_test *test,
 
        /* Calculate key */
        for ( i = 0 ; i < test->count ; i++ ) {
-               x25519_key ( &base, &scalar, &actual );
+               rc = x25519_key ( &base, &scalar, &actual );
+               if ( test->fail ) {
+                       okx ( rc != 0, file, line );
+               } else {
+                       okx ( rc == 0, file, line );
+               }
                memcpy ( &base, &scalar, sizeof ( base ) );
                memcpy ( &scalar, &actual, sizeof ( scalar ) );
        }
@@ -461,7 +471,7 @@ X25519_INVERT_TEST ( invert_5,
  * Scalar: 0xa546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4
  * Result: 0xc3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552
  */
-X25519_KEY_TEST ( rfc7748_1, 1,
+X25519_KEY_TEST ( rfc7748_1, 1, 0,
        BASE ( 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb, 0x35, 0x94,
               0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c, 0x72, 0x66, 0x24, 0xec,
               0x26, 0xb3, 0x35, 0x3b, 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab,
@@ -479,7 +489,7 @@ X25519_KEY_TEST ( rfc7748_1, 1,
  * Scalar: 0x4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d
  * Result: 0x95cbde9476e8907d7aade45cb4b873f88b595a68799fa152e6f8f7647aac7957
  */
-X25519_KEY_TEST ( rfc7748_2, 1,
+X25519_KEY_TEST ( rfc7748_2, 1, 0,
        BASE ( 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3, 0xf4, 0xb7,
               0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c, 0x31, 0xdb, 0xe7, 0x10,
               0x6f, 0xc0, 0x3c, 0x3e, 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15,
@@ -497,7 +507,7 @@ X25519_KEY_TEST ( rfc7748_2, 1,
  * Scalar: 0x0900000000000000000000000000000000000000000000000000000000000000
  * Result: 0x422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079
  */
-X25519_KEY_TEST ( rfc7748_3, 1,
+X25519_KEY_TEST ( rfc7748_3, 1, 0,
        BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -521,7 +531,7 @@ X25519_KEY_TEST ( rfc7748_3, 1,
  * to avoid a pointlessly slow test cycle in the common case of
  * running tests under Valgrind.
  */
-X25519_KEY_TEST ( rfc7748_4_100, 100,
+X25519_KEY_TEST ( rfc7748_4_100, 100, 0,
        BASE ( 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
               0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -535,6 +545,24 @@ X25519_KEY_TEST ( rfc7748_4_100, 100,
                   0x1d, 0x26, 0x09, 0xc9, 0x2e, 0x5a, 0x8f, 0x1d, 0xeb, 0xe2,
                   0x15, 0x0a ) );
 
+/* Base:   2^255 - 19 + 1 (deliberately malicious public key)
+ * Scalar: 0x000102030405060708090a0b0c0d0e0f000102030405060708090a0b0c0d0e0f
+ * Result: Failure (all zeros)
+ */
+X25519_KEY_TEST ( malicious, 1, 1,
+       BASE ( 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+              0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+              0xff, 0x7f ),
+       SCALAR ( 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+                0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, 0x02, 0x03,
+                0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d,
+                0x0e, 0x0f ),
+       EXPECTED ( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                  0x00, 0x00 ) );
+
 /**
  * Perform X25519 self-tests
  *
@@ -562,6 +590,7 @@ static void x25519_test_exec ( void ) {
        x25519_key_ok ( &rfc7748_2 );
        x25519_key_ok ( &rfc7748_3 );
        x25519_key_ok ( &rfc7748_4_100 );
+       x25519_key_ok ( &malicious );
 }
 
 /** X25519 self-test */