Noise Protocol Question

z dzm at
Sat Feb 11 15:39:12 UTC 2023


I was reading over the source code for wireguard-go, and I noticed something in the device/noise-protocol.go file that I didn't understand.

There are six invocations of the sharedSecret() function, which performs the X25519 operation on a local private key and a remote public key as part of an ECDH key agreement. 

The first two invocations check for an all zero ECDH result.
ss := pk.sharedSecret(pubkey)
if isZero(ss) {
    return nil, errZeroECDHResult

If the result is zero, the operation is aborted.  The subsequent 4 invocations, however, don't check for zero on the output of sharedSecret(), and continue processing regardless.

In two of the 4 cases, I think I get why it isn't necessary, because the sharedSecret is used as input into an aead.Open, which would simply fail if the ECDH got zero'd out somehow.

However the remaining two calls are associated with an aead.Seal, which would succeed, no matter what the shared secret is.

TL;DR  Why is wireguard go not calling isZero() on the output of the ECDH key agreement every time?



More information about the WireGuard mailing list