From 7e305519171ad382ff13c231764982a1341fcb76 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Fri, 9 Jan 2015 22:11:36 +0100 Subject: ec25519-fhmqvc: don't check group order of peers' public keys Skipping this check will significantly speed up startup with many peers. As we now do embedded group order verification, an attacker can't gain anything from small-subgroup attacks, so skipping the check isn't a security issue. --- src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c | 16 +--------------- src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h | 1 - src/protocols/ec25519_fhmqvc/handshake.c | 2 +- 3 files changed, 2 insertions(+), 17 deletions(-) diff --git a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c index 97cdb3d..2303938 100644 --- a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c +++ b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.c @@ -83,7 +83,7 @@ static fastd_protocol_key_t * protocol_read_key(const char *key) { if (read_key(ret->key.u8, key)) { if (ecc_25519_load_packed(&ret->unpacked, &ret->key.int256)) { - if (fastd_protocol_ec25519_fhmqvc_check_key(&ret->unpacked)) + if (!ecc_25519_is_identity(&ret->unpacked)) return ret; } } @@ -92,20 +92,6 @@ static fastd_protocol_key_t * protocol_read_key(const char *key) { return NULL; } -/** Checks if an ecc25519 work structure represents a valid curve point */ -bool fastd_protocol_ec25519_fhmqvc_check_key(const ecc_25519_work_t *key) { - ecc_25519_work_t work; - - if (ecc_25519_is_identity(key)) - return false; - - ecc_25519_scalarmult(&work, &ecc_25519_gf_order, key); - if (!ecc_25519_is_identity(&work)) - return false; - - return true; -} - /** Checks if a peer is configured using our own key */ static bool protocol_check_peer(const fastd_peer_t *peer) { diff --git a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h index e2034bd..b43774d 100644 --- a/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h +++ b/src/protocols/ec25519_fhmqvc/ec25519_fhmqvc.h @@ -121,7 +121,6 @@ fastd_peer_t * fastd_protocol_ec25519_fhmqvc_find_peer(const fastd_protocol_key_ void fastd_protocol_ec25519_fhmqvc_generate_key(void); void fastd_protocol_ec25519_fhmqvc_show_key(void); -bool fastd_protocol_ec25519_fhmqvc_check_key(const ecc_25519_work_t *key); void fastd_protocol_ec25519_fhmqvc_set_shell_env(fastd_shell_env_t *env, const fastd_peer_t *peer); bool fastd_protocol_ec25519_fhmqvc_describe_peer(const fastd_peer_t *peer, char *buf, size_t len); diff --git a/src/protocols/ec25519_fhmqvc/handshake.c b/src/protocols/ec25519_fhmqvc/handshake.c index b1c6242..2daa709 100644 --- a/src/protocols/ec25519_fhmqvc/handshake.c +++ b/src/protocols/ec25519_fhmqvc/handshake.c @@ -554,7 +554,7 @@ static fastd_peer_t * add_dynamic(fastd_socket_t *sock, const fastd_peer_address memcpy(&peer_key.key, key, PUBLICKEYBYTES); if (!ecc_25519_load_packed(&peer_key.unpacked, &peer_key.key.int256) - || !fastd_protocol_ec25519_fhmqvc_check_key(&peer_key.unpacked)) { + || ecc_25519_is_identity(&peer_key.unpacked)) { pr_debug("ignoring handshake from %I (invalid key)", addr); return NULL; } -- cgit v1.2.3