Move clamping fix back into the curve22519 crypto routine.

This reverts b5f7915 and is broader. Based on a suggestion from Jason Donenfeld. The calls to the clamping routine now match the OpenBSD curve22519 code.
honeybaj0 · Jan 27, 2021 · b6caeef · b6caeef
1 parent 4a7a2c1
commit b6caeef
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/sys/dev/if_wg/module/curve25519.c b/sys/dev/if_wg/module/curve25519.c
@@ -767,6 +767,7 @@ void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
 	u8 e[32];
 
 	memcpy(e, scalar, 32);
+	curve25519_clamp_secret(e);
 
 	/* The following implementation was transcribed to Coq and proven to
 	 * correspond to unary scalar multiplication in affine coordinates given

diff --git a/sys/dev/if_wg/module/wg_noise.c b/sys/dev/if_wg/module/wg_noise.c
@@ -108,7 +108,7 @@ noise_local_set_private(struct noise_local *l, uint8_t private[NOISE_KEY_SIZE])
 
 	memcpy(l->l_private, private, NOISE_KEY_SIZE);
 	curve25519_clamp_secret(l->l_private);
-	l->l_has_identity = curve25519_generate_public(l->l_public, l->l_private);
+	l->l_has_identity = curve25519_generate_public(l->l_public, private);
 
 	return l->l_has_identity ? 0 : ENXIO;
 }