Fix OPRF group for serde and Fix Group validity check (#36)

* fix wrong group deserializer to use correct OPRF group * add group bounds check to avoid unsupported groups land in config * separate infinity point checks * add go fmt to formatting * add fuzzing corpus Signed-off-by: bytemare <[email protected]>
bytemare · Apr 26, 2022 · 7522ea3 · 7522ea3
1 parent a1ae7e2
commit 7522ea3
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 16 deletions.
diff --git a/Makefile b/Makefile
@@ -18,6 +18,7 @@ update:
 fmt:
 	@echo "Formatting ..."
 	@go mod tidy
+	@go fmt ./...
 	@golines -m 120 -t 4 -w .
 	@gofumpt -w -extra .
 	@gci write --Section Standard --Section Default --Section "Prefix($(shell go list -m))" .

diff --git a/deserializer.go b/deserializer.go
@@ -106,11 +106,23 @@ func (d *Deserializer) RegistrationRecord(record []byte) (*message.RegistrationR
 	}, nil
 }
 
+func (d *Deserializer) deserializeCredentialRequest(input []byte) (*message.CredentialRequest, error) {
+	blindedMessage, err := d.conf.OPRF.Group().NewElement().Decode(input[:d.conf.OPRFPointLength])
+	if err != nil {
+		return nil, errInvalidBlindedData
+	}
+
+	return &message.CredentialRequest{
+		C:              d.conf.OPRF,
+		BlindedMessage: blindedMessage,
+	}, nil
+}
+
 func (d *Deserializer) deserializeCredentialResponse(
 	input []byte,
 	maxResponseLength int,
 ) (*message.CredentialResponse, error) {
-	data, err := d.conf.Group.NewElement().Decode(input[:d.conf.OPRFPointLength])
+	data, err := d.conf.OPRF.Group().NewElement().Decode(input[:d.conf.OPRFPointLength])
 	if err != nil {
 		return nil, errInvalidEvaluatedData
 	}
@@ -133,9 +145,9 @@ func (d *Deserializer) KE1(ke1 []byte) (*message.KE1, error) {
 		return nil, errInvalidMessageLength
 	}
 
-	blindedMessage, err := d.conf.Group.NewElement().Decode(ke1[:d.conf.OPRFPointLength])
+	request, err := d.deserializeCredentialRequest(ke1)
 	if err != nil {
-		return nil, errInvalidBlindedData
+		return nil, err
 	}
 
 	nonceU := ke1[d.conf.OPRFPointLength : d.conf.OPRFPointLength+d.conf.NonceLen]
@@ -146,13 +158,10 @@ func (d *Deserializer) KE1(ke1 []byte) (*message.KE1, error) {
 	}
 
 	return &message.KE1{
-		G: d.conf.Group,
-		CredentialRequest: &message.CredentialRequest{
-			C:              d.conf.OPRF,
-			BlindedMessage: blindedMessage,
-		},
-		NonceU: nonceU,
-		EpkU:   epku,
+		G:                 d.conf.Group,
+		CredentialRequest: request,
+		NonceU:            nonceU,
+		EpkU:              epku,
 	}, nil
 }
 

diff --git a/opaque.go b/opaque.go
@@ -49,10 +49,19 @@ const (
 
 	// Curve25519Sha512 identifies a group over Curve25519 with SHA2-512 hash-to-group hashing.
 	// Curve25519Sha512 = Group(group.Curve25519Sha512).
-
-	confLength = 6
 )
 
+// Available returns whether the Group byte is recognized in this implementation. This allows to fail early when
+// working with multiple versions not using the same configuration and Group.
+func (g Group) Available() bool {
+	return g == RistrettoSha512 ||
+		g == P256Sha256 ||
+		g == P384Sha512 ||
+		g == P521Sha512
+}
+
+const confLength = 6
+
 var (
 	errInvalidOPRFid = errors.New("invalid OPRF group id")
 	errInvalidKDFid  = errors.New("invalid KDF id")
@@ -123,7 +132,7 @@ func (c *Configuration) KeyGen() (secretKey, publicKey []byte) {
 
 // verify returns an error on the first non-compliant parameter, nil otherwise.
 func (c *Configuration) verify() error {
-	if !oprf.Ciphersuite(c.OPRF).Available() {
+	if !c.OPRF.Available() || !oprf.Ciphersuite(c.OPRF).Available() {
 		return errInvalidOPRFid
 	}
 
@@ -143,7 +152,7 @@ func (c *Configuration) verify() error {
 		return errInvalidKSFid
 	}
 
-	if !group.Group(c.AKE).Available() {
+	if !c.AKE.Available() || !group.Group(c.AKE).Available() {
 		return errInvalidAKEid
 	}
 

diff --git a/tests/fuzz_test.go b/tests/fuzz_test.go
@@ -366,7 +366,11 @@ func FuzzDeserializeKE1(f *testing.F) {
 
 func isValidAKEPoint(conf *internal.Configuration, input []byte, err error) error {
 	e, _err := conf.Group.NewElement().Decode(input)
-	if _err == nil && !e.IsIdentity() {
+	if _err == nil {
+		if e.IsIdentity() {
+			return errors.New("point is identity/infinity")
+		}
+
 		return fmt.Errorf("got %q but point is valid", err)
 	}
 
@@ -375,7 +379,11 @@ func isValidAKEPoint(conf *internal.Configuration, input []byte, err error) erro
 
 func isValidOPRFPoint(conf *internal.Configuration, input []byte, err error) error {
 	e, _err := conf.OPRF.Group().NewElement().Decode(input)
-	if _err == nil && !e.IsIdentity() {
+	if _err == nil {
+		if e.IsIdentity() {
+			return errors.New("point is identity/infinity")
+		}
+
 		return fmt.Errorf("got %q but point is valid", err)
 	}
 

diff --git a/tests/testdata/fuzz/FuzzDeserializeKE1/fuzzbuzz-a1ae7e291f3d65e6ffdc8acb9f39f3538e3e0ab4 b/tests/testdata/fuzz/FuzzDeserializeKE1/fuzzbuzz-a1ae7e291f3d65e6ffdc8acb9f39f3538e3e0ab4
@@ -0,0 +1,9 @@
+go test fuzz v1
+[]byte("000000000x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+[]byte("0")
+uint(7)
+uint(7)
+uint(6)
+byte('\x01')
+byte('\x00')
+byte('\x06')
diff --git a/tests/testdata/fuzz/FuzzDeserializeKE2/fuzzbuzz-a1ae7e291f3d65e6ffdc8acb9f39f3538e3e0ab4 b/tests/testdata/fuzz/FuzzDeserializeKE2/fuzzbuzz-a1ae7e291f3d65e6ffdc8acb9f39f3538e3e0ab4
@@ -0,0 +1,9 @@
+go test fuzz v1
+[]byte("20000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+[]byte("0")
+uint(7)
+uint(7)
+uint(7)
+byte('\x01')
+byte('\x00')
+byte('\x06')