wip: add EC point validation

openwsn-berkeley · Sep 18, 2023 · ed5d895 · ed5d895
1 parent 7b00268
commit ed5d895
Show file tree

Hide file tree

Showing 6 changed files with 83 additions and 32 deletions.
diff --git a/consts/src/lib.rs b/consts/src/lib.rs
@@ -30,10 +30,11 @@ mod common {
         MacVerificationFailed = 2,
         UnsupportedMethod = 3,
         UnsupportedCipherSuite = 4,
-        ParsingError = 5,
-        WrongState = 6,
-        EADError = 7,
-        UnknownError = 8,
+        InvalidPublicKey = 5,
+        ParsingError = 6,
+        WrongState = 7,
+        EADError = 8,
+        UnknownError = 9,
     }
 
     #[repr(C)]

diff --git a/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs b/crypto/edhoc-crypto-cryptocell310-sys/src/lib.rs
@@ -327,6 +327,10 @@ mod hacspec {
         let result_2 = hmac_sha256(&mut MESSAGE_2, KEY).to_public_array();
         assert_eq!(result_2, RESULT_2_TV);
     }
+
+    pub fn p256_validate_compact_public_key(public_key: &BytesP256ElemLen) -> bool {
+        true
+    }
 }
 
 #[cfg(feature = "rust")]
@@ -608,4 +612,8 @@ mod rust {
 
         (private_key, public_key)
     }
+
+    pub fn p256_validate_compact_public_key(public_key: &BytesP256ElemLen) -> bool {
+        true
+    }
 }
diff --git a/crypto/edhoc-crypto-hacspec/src/lib.rs b/crypto/edhoc-crypto-hacspec/src/lib.rs
@@ -120,6 +120,15 @@ pub fn p256_generate_key_pair() -> (BytesP256ElemLen, BytesP256ElemLen) {
     (private_key, public_key)
 }
 
+pub fn p256_validate_compact_public_key(public_key: &BytesP256ElemLen) -> bool {
+    let point = (
+        P256FieldElement::from_byte_seq_be(public_key),
+        p256_calculate_w(P256FieldElement::from_byte_seq_be(public_key)),
+    );
+
+    p256_validate_public_key(point)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

diff --git a/crypto/edhoc-crypto-psa/src/lib.rs b/crypto/edhoc-crypto-psa/src/lib.rs
@@ -301,6 +301,10 @@ mod hacspec {
 
         (private_key, public_key)
     }
+
+    pub fn p256_validate_compact_public_key(public_key: &BytesP256ElemLen) -> bool {
+        true
+    }
 }
 
 #[cfg(feature = "rust")]
@@ -561,6 +565,10 @@ mod rust {
 
         (private_key, public_key)
     }
+
+    pub fn p256_validate_compact_public_key(public_key: &BytesP256ElemLen) -> bool {
+        true
+    }
 }
 
 #[cfg(test)]

diff --git a/hacspec/src/lib.rs b/hacspec/src/lib.rs
@@ -130,36 +130,40 @@ pub fn r_process_message_1(
                 if suites_i[suites_i_len - 1].declassify()
                     == EDHOC_SUPPORTED_SUITES[0u8].declassify()
                 {
-                    // Step 3: If EAD is present make it available to the application
-                    let ead_success = if let Some(ead_1) = ead_1 {
-                        r_process_ead_1(ead_1.to_public_item()).is_ok()
-                    } else {
-                        true
-                    };
-                    if ead_success {
-                        // hash message_1 and save the hash to the state to avoid saving the whole message
-                        h_message_1 = sha256_digest(
-                            &BytesMaxBuffer::from_slice(&message_1.content, 0, message_1.len),
-                            message_1.len,
-                        );
+                    if p256_validate_compact_public_key(&g_x) {
+                        // Step 3: If EAD is present make it available to the application
+                        let ead_success = if let Some(ead_1) = ead_1 {
+                            r_process_ead_1(ead_1.to_public_item()).is_ok()
+                        } else {
+                            true
+                        };
+                        if ead_success {
+                            // hash message_1 and save the hash to the state to avoid saving the whole message
+                            h_message_1 = sha256_digest(
+                                &BytesMaxBuffer::from_slice(&message_1.content, 0, message_1.len),
+                                message_1.len,
+                            );
 
-                        error = EDHOCError::Success;
-                        current_state = EDHOCState::ProcessedMessage1;
-
-                        state = construct_state(
-                            current_state,
-                            _y,
-                            c_i,
-                            g_x,
-                            _prk_3e2m,
-                            _prk_4e3m,
-                            _prk_out,
-                            _prk_exporter,
-                            h_message_1,
-                            _th_3,
-                        );
+                            error = EDHOCError::Success;
+                            current_state = EDHOCState::ProcessedMessage1;
+
+                            state = construct_state(
+                                current_state,
+                                _y,
+                                c_i,
+                                g_x,
+                                _prk_3e2m,
+                                _prk_4e3m,
+                                _prk_out,
+                                _prk_exporter,
+                                h_message_1,
+                                _th_3,
+                            );
+                        } else {
+                            error = EDHOCError::EADError;
+                        }
                     } else {
-                        error = EDHOCError::EADError;
+                        error = EDHOCError::InvalidPublicKey;
                     }
                 } else {
                     error = EDHOCError::UnsupportedCipherSuite;

diff --git a/lib/src/lib.rs b/lib/src/lib.rs
@@ -743,6 +743,10 @@ mod test {
     const MESSAGE_1_TV: &str =
         "0382060258208af6f430ebe18d34184017a9a11bf511c8dff8f834730b96c1b7c8dbca2fc3b637";
 
+    // invalid test vectors, crypto-related
+    const MESSAGE_1_INVALID_G_X_NOT_ON_P256_CURVE_TV: &str =
+        "03025820a04e73601df544a70ba7ea1e57030f7d4b4eb7f673924e58d54ca77a5e7d4d4a0e";
+
     #[test]
     fn test_new_initiator() {
         let state: EdhocState = Default::default();
@@ -783,6 +787,23 @@ mod test {
         assert!(error.is_ok());
     }
 
+    #[test]
+    fn test_process_message_1_invalid_traces_crypto() {
+        let message_1_tv = EdhocMessageBuffer::from_hex(MESSAGE_1_INVALID_G_X_NOT_ON_P256_CURVE_TV);
+        let mut responder = EdhocResponder::new(
+            Default::default(),
+            R,
+            G_I,
+            ID_CRED_I,
+            CRED_I,
+            ID_CRED_R,
+            CRED_R,
+        );
+        let error = responder.process_message_1(&message_1_tv);
+        assert!(error.is_err());
+        assert_eq!(error.unwrap_err(), EDHOCError::InvalidPublicKey);
+    }
+
     #[test]
     fn test_generate_connection_identifier() {
         let conn_id = generate_connection_identifier();