espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(esp_srp): reject SRP client public key when A mod N is zero

Browse Source
This commit is contained in:
Ashish Sharma
2026-04-08 18:15:00 +08:00
parent 37e7f60dcf
commit 14731c19f0
6 changed files with 136 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/protocomm/src/crypto/srp6a/esp_srp.c
+22
View File
@@ -651,6 +651,28 @@ esp_err_t esp_srp_get_session_key(esp_srp_handle_t *hd, char *bytes_A, int len_A
if (! hd->A) {
goto error;
}
/* RFC 5054 Section 2.5.4: abort if A % N == 0
* This prevents an attacker from sending A=0 (or A=k*N) which would
* force the shared secret S to zero, yielding a deterministic session
* key regardless of the password. */
esp_mpi_t *a_mod_n = esp_mpi_new();
if (!a_mod_n) {
goto error;
}
if (esp_mpi_a_mod_b(a_mod_n, hd->A, hd->n) != 0) {
esp_mpi_free(a_mod_n);
ESP_LOGE(TAG, "Failed to compute A mod N");
goto error;
}
int a_mod_n_is_zero = (esp_mpi_cmp_int(a_mod_n, 0) == 0);
esp_mpi_free(a_mod_n);
if (a_mod_n_is_zero) {
ESP_LOGE(TAG, "Rejected client public key: A mod N == 0 (RFC 5054 Section 2.5.4)");
ret = ESP_ERR_INVALID_ARG;
goto error;
}
u = calculate_u(hd, bytes_A, len_A);
if (! u) {
goto error;
components/protocomm/src/crypto/srp6a/esp_srp_mpi.c
+11 -1
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -129,6 +129,16 @@ int esp_mpi_a_mul_b_mod_c(esp_mpi_t *result, esp_mpi_t *a, esp_mpi_t *b, esp_mpi
return res;
}
int esp_mpi_a_mod_b(esp_mpi_t *result, const esp_mpi_t *a, const esp_mpi_t *b)
{
return mbedtls_mpi_mod_mpi(result, a, b);
}
int esp_mpi_cmp_int(const esp_mpi_t *a, int value)
{
return mbedtls_mpi_cmp_int(a, value);
}
int esp_mpi_a_add_b_mod_c(esp_mpi_t *result, esp_mpi_t *a, esp_mpi_t *b, esp_mpi_t *c, esp_mpi_ctx_t *ctx)
{
(void) ctx;
components/protocomm/src/crypto/srp6a/esp_srp_mpi.h
+4
View File
@@ -45,6 +45,10 @@ int esp_mpi_a_mul_b_mod_c(esp_mpi_t *result, esp_mpi_t *a, esp_mpi_t *b, esp_mpi
int esp_mpi_a_add_b_mod_c(esp_mpi_t *result, esp_mpi_t *a, esp_mpi_t *b, esp_mpi_t *c, esp_mpi_ctx_t *ctx);
int esp_mpi_a_mod_b(esp_mpi_t *result, const esp_mpi_t *a, const esp_mpi_t *b);
int esp_mpi_cmp_int(const esp_mpi_t *a, int value);
#ifdef __cplusplus
}
#endif
components/protocomm/test_apps/main/CMakeLists.txt
+1 -1
View File
@@ -1,4 +1,4 @@
idf_component_register(SRC_DIRS "."
PRIV_INCLUDE_DIRS "."
PRIV_REQUIRES cmock mbedtls protocomm protobuf-c test_utils unity
PRIV_REQUIRES cmock mbedtls nvs_flash protocomm protobuf-c test_utils unity
WHOLE_ARCHIVE)
components/protocomm/test_apps/main/app_main.c
+10 -1
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -9,6 +9,7 @@
#include "test_utils.h"
#include "memory_checks.h"
#include "esp_newlib.h"
#include "nvs_flash.h"
#include "psa/crypto.h"
// #include "mbedtls/aes.h"
#if SOC_SHA_SUPPORT_PARALLEL_ENG
@@ -105,5 +106,13 @@ static void test_task(void *pvParameters)
void app_main(void)
{
/* Initialize NVS — required by PSA crypto's ITS backend */
esp_err_t ret = nvs_flash_init();
if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) {
ESP_ERROR_CHECK(nvs_flash_erase());
ret = nvs_flash_init();
}
ESP_ERROR_CHECK(ret);
xTaskCreatePinnedToCore(test_task, "testTask", CONFIG_UNITY_FREERTOS_STACK_SIZE, NULL, CONFIG_UNITY_FREERTOS_PRIORITY, NULL, CONFIG_UNITY_FREERTOS_CPU);
}
components/protocomm/test_apps/main/test_srp.c
+88 -1
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -323,3 +323,90 @@ TEST_CASE("SRP public key randomness test", "[SRP]")
{
test_srp_pubkey_randomness();
}
/* RFC 5054 Section 2.5.4: server MUST abort if A % N == 0
* Helper to set up a server-side SRP handle ready for session key derivation */
static esp_srp_handle_t *setup_srp_server(void)
{
esp_srp_handle_t *handle = esp_srp_init(ESP_NG_3072);
TEST_ASSERT_NOT_NULL(handle);
char *bytes_B = NULL;
int len_B = 0;
char *bytes_salt = NULL;
esp_err_t err = esp_srp_srv_pubkey(handle, username, strlen(username),
password, strlen(password), 16,
&bytes_B, &len_B, &bytes_salt);
TEST_ASSERT_EQUAL(ESP_OK, err);
return handle;
}
static void test_srp_reject_A_zero(void)
{
esp_srp_handle_t *handle = setup_srp_server();
/* A = 0: attacker sends all-zero public key */
char zero_A[384] = {0};
char *bytes_key = NULL;
uint16_t len_key = 0;
esp_err_t err = esp_srp_get_session_key(handle, zero_A, sizeof(zero_A),
&bytes_key, &len_key);
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, err);
TEST_ASSERT_NULL(bytes_key);
esp_srp_free(handle);
}
/* SRP 3072-bit prime N (same as N_3072 in esp_srp.c) */
static const char test_N_3072[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
static void test_srp_reject_A_equal_N(void)
{
esp_srp_handle_t *handle = setup_srp_server();
/* A = N: attacker sends the prime itself (N mod N == 0) */
char *bytes_key = NULL;
uint16_t len_key = 0;
esp_err_t err = esp_srp_get_session_key(handle, (char *)test_N_3072,
sizeof(test_N_3072),
&bytes_key, &len_key);
TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, err);
TEST_ASSERT_NULL(bytes_key);
esp_srp_free(handle);
}
TEST_CASE("SRP reject A=0 (RFC 5054 2.5.4)", "[SRP]")
{
test_srp_reject_A_zero();
}
TEST_CASE("SRP reject A=N (RFC 5054 2.5.4)", "[SRP]")
{
test_srp_reject_A_equal_N();
}