crypto/tls: check curve equation in ECDHE.
authorAdam Langley <agl@golang.org>
Mon, 28 Jul 2014 22:46:27 +0000 (15:46 -0700)
committerAdam Langley <agl@golang.org>
Mon, 28 Jul 2014 22:46:27 +0000 (15:46 -0700)
This change causes a TLS client and server to verify that received
elliptic curve points are on the expected curve. This isn't actually
necessary in the Go TLS stack, but Watson Ladd has convinced me that
it's worthwhile because it's pretty cheap and it removes the
possibility that some change in the future (e.g. tls-unique) will
depend on it without the author checking that precondition.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/115290046

src/pkg/crypto/tls/key_agreement.go

index f38b701f1bab5a6a8fbb64d2a2375f9ccd404930..0974fc6e0f4add7a51627ea2bb1675d569a582c4 100644 (file)
@@ -292,6 +292,9 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
        if x == nil {
                return nil, errClientKeyExchange
        }
+       if !ka.curve.IsOnCurve(x, y) {
+               return nil, errClientKeyExchange
+       }
        x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)
        preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)
        xBytes := x.Bytes()
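Review bot: The new IsOnCurve guard carries no comment explaining why it exists, and since the commit message itself says the Go stack does not strictly need it, a later cleanup could plausibly remove it as dead defensive code. I would add a one-line comment above the check, `// Reject points not on the curve so nothing downstream can rely on an unchecked precondition.`, and the same comment on the matching guard in processServerKeyExchange in the second hunk. The Unmarshal that produces x and y sits above the hunk, and processClientKeyExchange continues past it.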
@@ -322,6 +325,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
        if ka.x == nil {
                return errServerKeyExchange
        }
+       if !ka.curve.IsOnCurve(ka.x, ka.y) {
+               return errServerKeyExchange
+       }
        serverECDHParams := skx.key[:4+publicLen]
 
        sig := skx.key[4+publicLen:]
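Review bot: The commit adds no test that exercises the new rejection path in either processClientKeyExchange or processServerKeyExchange, so a regression that drops the guard would pass the existing suite. A unit test that feeds a coordinate pair failing IsOnCurve to each function and asserts errClientKeyExchange and errServerKeyExchange respectively would pin the behaviour. The assignment of ka.x and ka.y that this guard checks is above the hunk, and the function continues beyond it.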