Added checks for zero shared-secret

To mirror the behavior from the kernel module, as per private correspondence with Jason.
6 years ago · ded348d586
4 changed files with 42 additions and 13 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "wireguard-rs"
-version = "0.1.2"
+version = "0.1.3"
 authors = ["Mathias Hall-Andersen <mathias@hall-andersen.dk>"]
 edition = "2018"

--- a/src/wireguard/handshake/noise.rs
+++ b/src/wireguard/handshake/noise.rs
@ -1,8 +1,7 @@
 use std::time::Instant;

 // DH
-use x25519_dalek::PublicKey;
-use x25519_dalek::StaticSecret;
+use x25519_dalek::{PublicKey, StaticSecret, SharedSecret};

 // HASH & MAC
 use blake2::Blake2s;
@ -215,6 +214,21 @@ mod tests {
    }
 }

+// Computes an X25519 shared secret.
+// 
+// This function wraps dalek to add a zero-check.
+// This is not recommended by the Noise specification,
+// but implemented in the kernel with which we strive for absolute equivalent behavior.
+#[inline(always)]
+fn shared_secret(sk: &StaticSecret, pk: &PublicKey) -> Result<SharedSecret, HandshakeError> {
+    let ss = sk.diffie_hellman(pk);
+    if ss.as_bytes().ct_eq(&[0u8; 32]).into() {
+        Err(HandshakeError::InvalidSharedSecret)
+    } else {
+        Ok(ss)
+    }
+}
+
 pub(super) fn create_initiation<R: RngCore + CryptoRng, O>(
    rng: &mut R,
    keyst: &KeyState,
@ -224,6 +238,12 @@ pub(super) fn create_initiation<R: RngCore + CryptoRng, O>(
    msg: &mut NoiseInitiation,
 ) -> Result<(), HandshakeError> {
    log::debug!("create initiation");
+
+    // check for zero shared-secret (see "shared_secret" note).
+    if peer.ss.ct_eq(&[0u8; 32]).into() {
+        return Err(HandshakeError::InvalidSharedSecret);
+    }
+
    clear_stack_on_return(CLEAR_PAGES, || {
        // initialize state

@ -253,7 +273,7 @@ pub(super) fn create_initiation<R: RngCore + CryptoRng, O>(

        // (C, k) := Kdf2(C, DH(E_priv, S_pub))

-        let (ck, key) = KDF2!(&ck, eph_sk.diffie_hellman(&pk).as_bytes());
+        let (ck, key) = KDF2!(&ck, shared_secret(&eph_sk, &pk)?.as_bytes());

        // msg.static := Aead(k, 0, S_pub, H)

@ -270,6 +290,7 @@ pub(super) fn create_initiation<R: RngCore + CryptoRng, O>(

        // (C, k) := Kdf2(C, DH(S_priv, S_pub))

+
        let (ck, key) = KDF2!(&ck, &peer.ss);

        // msg.timestamp := Aead(k, 0, Timestamp(), H)
@ -304,6 +325,7 @@ pub(super) fn consume_initiation<'a, O>(
    msg: &NoiseInitiation,
 ) -> Result<(&'a Peer<O>, PublicKey, TemporaryState), HandshakeError> {
    log::debug!("consume initiation");
+
    clear_stack_on_return(CLEAR_PAGES, || {
        // initialize new state

@ -322,7 +344,7 @@ pub(super) fn consume_initiation<'a, O>(
        // (C, k) := Kdf2(C, DH(E_priv, S_pub))

        let eph_r_pk = PublicKey::from(msg.f_ephemeral);
-        let (ck, key) = KDF2!(&ck, keyst.sk.diffie_hellman(&eph_r_pk).as_bytes());
+        let (ck, key) = KDF2!(&ck, shared_secret(&keyst.sk, &eph_r_pk)?.as_bytes());

        // msg.static := Aead(k, 0, S_pub, H)

@ -337,6 +359,12 @@ pub(super) fn consume_initiation<'a, O>(

        let peer = device.lookup_pk(&PublicKey::from(pk))?;

+        // check for zero shared-secret (see "shared_secret" note).
+        
+        if peer.ss.ct_eq(&[0u8; 32]).into() {
+            return Err(HandshakeError::InvalidSharedSecret);
+        }
+
        // reset initiation state

        *peer.state.lock() = State::Reset;
@ -415,11 +443,11 @@ pub(super) fn create_response<R: RngCore + CryptoRng, O>(

        // C := Kdf1(C, DH(E_priv, E_pub))

-        let ck = KDF1!(&ck, eph_sk.diffie_hellman(&eph_r_pk).as_bytes());
+        let ck = KDF1!(&ck, shared_secret(&eph_sk, &eph_r_pk)?.as_bytes());

        // C := Kdf1(C, DH(E_priv, S_pub))

-        let ck = KDF1!(&ck, eph_sk.diffie_hellman(&pk).as_bytes());
+        let ck = KDF1!(&ck, shared_secret(&eph_sk, &pk)?.as_bytes());

        // (C, tau, k) := Kdf3(C, Q)

@ -497,11 +525,11 @@ pub(super) fn consume_response<'a, O>(
        // C := Kdf1(C, DH(E_priv, E_pub))

        let eph_r_pk = PublicKey::from(msg.f_ephemeral);
-        let ck = KDF1!(&ck, eph_sk.diffie_hellman(&eph_r_pk).as_bytes());
+        let ck = KDF1!(&ck, shared_secret(&eph_sk, &eph_r_pk)?.as_bytes());

        // C := Kdf1(C, DH(E_priv, S_pub))

-        let ck = KDF1!(&ck, keyst.sk.diffie_hellman(&eph_r_pk).as_bytes());
+        let ck = KDF1!(&ck, shared_secret(&keyst.sk, &eph_r_pk)?.as_bytes());

        // (C, tau, k) := Kdf3(C, Q)

--- a/src/wireguard/handshake/peer.rs
+++ b/src/wireguard/handshake/peer.rs
@ -18,10 +18,9 @@ use super::types::*;

 const TIME_BETWEEN_INITIATIONS: Duration = Duration::from_millis(20);

-/* Represents the recomputation and state of a peer.
- *
- * This type is only for internal use and not exposed.
- */
+// Represents the state of a peer.
+//
+// This type is only for internal use and not exposed.
 pub(super) struct Peer<O> {
    // opaque type which identifies a peer
    pub opaque: O,
--- a/src/wireguard/handshake/types.rs
+++ b/src/wireguard/handshake/types.rs
@ -40,6 +40,7 @@ pub enum HandshakeError {
    UnknownPublicKey,
    UnknownReceiverId,
    InvalidMessageFormat,
+    InvalidSharedSecret,
    OldTimestamp,
    InvalidState,
    InvalidMac1,
@ -50,6 +51,7 @@ pub enum HandshakeError {
 impl fmt::Display for HandshakeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
+            HandshakeError::InvalidSharedSecret => write!(f, "Zero shared secret"),
            HandshakeError::DecryptionFailure => write!(f, "Failed to AEAD:OPEN"),
            HandshakeError::UnknownPublicKey => write!(f, "Unknown public key"),
            HandshakeError::UnknownReceiverId => {