Noise Protocol Question

z dzm at unexpl0.red
Sat Feb 11 15:39:12 UTC 2023


Hi,

I was reading over the source code for wireguard-go, and I noticed something in the device/noise-protocol.go file that I didn't understand.

There are six invocations of the sharedSecret() function, which performs the X25519 operation on a local private key and a remote public key as part of an ECDH key agreement. 

The first two invocations check for an all zero ECDH result.  a.la
ss := pk.sharedSecret(pubkey)
if isZero(ss) {
    return nil, errZeroECDHResult
}

If the result is zero, the operation is aborted.  The subsequent 4 invocations, however, don't check for zero on the output of sharedSecret(), and continue processing regardless.

In two of the 4 cases, I think I get why it isn't necessary, because the sharedSecret is used as input into an aead.Open, which would simply fail if the ECDH got zero'd out somehow.

However the remaining two calls are associated with an aead.Seal, which would succeed, no matter what the shared secret is.


TL;DR  Why is wireguard go not calling isZero() on the output of the ECDH key agreement every time?

Thanks,

dzm


More information about the WireGuard mailing list