]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0a1a65c)
crypto/tls: don't check whether an ec point is on a curve twice
authorAndreas Auernhammer <aead@mail.de>
Fri, 26 May 2017 09:33:49 +0000 (11:33 +0200)
committerAdam Langley <agl@golang.org>
Tue, 15 Aug 2017 18:44:20 +0000 (18:44 +0000)
The processClientKeyExchange and processServerKeyExchange functions unmarshal an
encoded EC point and explicitly check whether the point is on the curve. The explicit
check can be omitted because elliptic.Unmarshal fails if the point is not on the curve
and the returned error would always be the same.

Fixes #20496

Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb
Reviewed-on: https://go-review.googlesource.com/44311
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Avelino <t@avelino.xxx>
Run-TryBot: Adam Langley <agl@golang.org>

src/crypto/tls/key_agreement.go patch | blob | history

diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go
index 1b27c049ed3d56154cbfc82614610d617e9d1286..cf30b43b5bfe90e70d1a86d234fbc5322af8453e 100644 (file)
--- a/src/crypto/tls/key_agreement.go
+++ b/src/crypto/tls/key_agreement.go
@@ -319,13 +319,10 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
        if !ok {
                panic("internal error")
        }
-       x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:])
+       x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve
        if x == nil {
                return nil, errClientKeyExchange
        }
-       if !curve.IsOnCurve(x, y) {
-               return nil, errClientKeyExchange
-       }
        x, _ = curve.ScalarMult(x, y, ka.privateKey)
        preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3)
        xBytes := x.Bytes()
@@ -365,14 +362,10 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
                if !ok {
                        return errors.New("tls: server selected unsupported curve")
                }
-
-               ka.x, ka.y = elliptic.Unmarshal(curve, publicKey)
+               ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve
                if ka.x == nil {
                        return errServerKeyExchange
                }
-               if !curve.IsOnCurve(ka.x, ka.y) {
-                       return errServerKeyExchange
-               }
        }
 
        sigAndHash := signatureAndHash{signature: ka.sigType}
Go GOST TLS 1.3