Noise Protocol Question

Noise Protocol Question

[z]

Hi,

I was reading over the source code for wireguard-go, and I noticed something in the device/noise-protocol.go file that I didn't understand.

There are six invocations of the sharedSecret() function, which performs the X25519 operation on a local private key and a remote public key as part of an ECDH key agreement. 

The first two invocations check for an all zero ECDH result.  a.la
ss := pk.sharedSecret(pubkey)
if isZero(ss) {
    return nil, errZeroECDHResult
}

If the result is zero, the operation is aborted.  The subsequent 4 invocations, however, don't check for zero on the output of sharedSecret(), and continue processing regardless.

In two of the 4 cases, I think I get why it isn't necessary, because the sharedSecret is used as input into an aead.Open, which would simply fail if the ECDH got zero'd out somehow.

However the remaining two calls are associated with an aead.Seal, which would succeed, no matter what the shared secret is.


TL;DR  Why is wireguard go not calling isZero() on the output of the ECDH key agreement every time?

Thanks,

dzm

Re: Noise Protocol Question

[Jason A. Donenfeld]

On Sat, Feb 11, 2023 at 03:39:12PM +0000, z wrote:
> TL;DR  Why is wireguard go not calling isZero() on the output of the ECDH key agreement every time?

Good question. AFAICT, this was something I had noticed back when this
code was in development, but then zero checking only got added to the
initiation side, not the response side, in 8c34c4c ("First set of code
review patches"). I don't know whether this was a mistake or if there
was a rationale at the time.

Fortunately, there aren't really any real consequences. But I did fix it
up, so thanks very much for reporting this:
https://git.zx2c4.com/wireguard-go/commit/?id=c7b76d3d9ecdc2ffde80decadda88c0c7cdfeedf

Jason