Merge pull request #1301 from cryspen/jonas/psq-fix-clamp-check

jschneider-bensch · web-flow · commit a09022c5811c · 2026-01-28T17:02:36.000Z
[PSQ] Fix broken clamping check
diff --git a/crates/algorithms/curve25519/CHANGELOG.md b/crates/algorithms/curve25519/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+- [#1301](https://github.com/cryspen/libcrux/pull/1301): Expose scalar clamping and provide check for clamped-ness
+
 ## [0.0.5] (2026-01-22)
 
 - [#1297](https://github.com/cryspen/libcrux/pull/1297): Update dependencies
diff --git a/crates/algorithms/curve25519/src/lib.rs b/crates/algorithms/curve25519/src/lib.rs
@@ -74,9 +74,18 @@ impl libcrux_traits::kem::arrayref::Kem<DK_LEN, EK_LEN, EK_LEN, SS_LEN, DK_LEN,
 libcrux_traits::kem::slice::impl_trait!(X25519 => EK_LEN, DK_LEN, EK_LEN, EK_LEN, DK_LEN, DK_LEN);
 
 /// Clamp a scalar.
-fn clamp(scalar: &mut [u8; DK_LEN]) {
+pub fn clamp(scalar: &mut [u8; DK_LEN]) {
     // We clamp the key already to make sure it can't be misused.
     scalar[0] &= 248u8;
     scalar[31] &= 127u8;
     scalar[31] |= 64u8;
 }
+
+/// Test whether a scalar is already clamped, error indicating that it is not.
+pub fn is_clamped(scalar: &[u8; DK_LEN]) -> Result<(), Error> {
+    if scalar[0] & 7 != 0 || scalar[31] & 128 != 0 || scalar[31] & 64 != 64 {
+        Err(Error)
+    } else {
+        Ok(())
+    }
+}
diff --git a/libcrux-ecdh/CHANGELOG.md b/libcrux-ecdh/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+- [#1301](https://github.com/cryspen/libcrux/pull/1301): Check length and clamping in X25519 secret validation
+
 ## [0.0.5] (2026-01-22)
 
 - [#1297](https://github.com/cryspen/libcrux/pull/1297): Update dependencies
diff --git a/libcrux-ecdh/src/ecdh.rs b/libcrux-ecdh/src/ecdh.rs
@@ -125,7 +125,12 @@ pub fn secret_to_public(alg: Algorithm, scalar: impl AsRef<[u8]>) -> Result<Vec<
 pub fn validate_scalar(alg: Algorithm, s: impl AsRef<[u8]>) -> Result<(), Error> {
     match alg {
         Algorithm::X25519 => {
-            if s.as_ref().iter().all(|&b| b == 0) {
+            if s.as_ref().iter().all(|&b| b == 0)
+                || libcrux_curve25519::is_clamped(
+                    s.as_ref().try_into().map_err(|_| Error::InvalidScalar)?,
+                )
+                .is_err()
+            {
                 Err(Error::InvalidScalar)
             } else {
                 Ok(())
diff --git a/libcrux-psq/CHANGELOG.md b/libcrux-psq/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- [#1301](https://github.com/cryspen/libcrux/pull/1301): Fix broken clamping check for imported X25519 secret keys
 - [#1307](https://github.com/cryspen/libcrux/pull/1307): Expose additional functionalities on the DHKEM (https://github.com/jstuczyn)
 - [#1298](https://github.com/cryspen/libcrux/pull/1298): Propagate import/export functions from CMC crate (https://github.com/georgio)
 
diff --git a/libcrux-psq/src/handshake/dhkem.rs b/libcrux-psq/src/handshake/dhkem.rs
@@ -97,7 +97,7 @@ impl DHPrivateKey {
     /// Import a Diffie-Hellman private key from raw bytes.
     pub fn from_bytes(value: &[u8; 32]) -> Result<Self, Error> {
         // Test whether the key is already clamped to make sure it can't be misused.
-        if value[0] & 7 != 0 || value[31] & 128 != 0 || value[31] & 64 != 1 {
+        if !libcrux_ecdh::validate_scalar(libcrux_ecdh::Algorithm::X25519, value).is_ok() {
             Err(Error::InvalidDHSecret)
         } else {
             Ok(Self(Vec::from(value)))
diff --git a/libcrux-psq/src/session.rs b/libcrux-psq/src/session.rs
@@ -291,7 +291,7 @@ impl Session {
                     &self.session_key,
                     initiator_authenticator,
                     responder_ecdh_pk,
-                    &responder_pq_pk,
+                    responder_pq_pk,
                 )? != pk_binder
                 {
                     return Err(SessionError::Import);

Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,7 @@ impl Session {`
`291`	`291`	`&self.session_key,`
`292`	`292`	`initiator_authenticator,`
`293`	`293`	`responder_ecdh_pk,`
`294`		`- &responder_pq_pk,`
	`294`	`+ responder_pq_pk,`
`295`	`295`	`)? != pk_binder`
`296`	`296`	`{`
`297`	`297`	`return Err(SessionError::Import);`