From 30fbcc7576b969994231498e88518f9c321adf8d Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 28 Jul 2014 15:46:27 -0700 Subject: [PATCH] crypto/tls: check curve equation in ECDHE. This change causes a TLS client and server to verify that received elliptic curve points are on the expected curve. This isn't actually necessary in the Go TLS stack, but Watson Ladd has convinced me that it's worthwhile because it's pretty cheap and it removes the possibility that some change in the future (e.g. tls-unique) will depend on it without the author checking that precondition. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/115290046 --- src/pkg/crypto/tls/key_agreement.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/pkg/crypto/tls/key_agreement.go b/src/pkg/crypto/tls/key_agreement.go index f38b701f1b..0974fc6e0f 100644 --- a/src/pkg/crypto/tls/key_agreement.go +++ b/src/pkg/crypto/tls/key_agreement.go @@ -292,6 +292,9 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert if x == nil { return nil, errClientKeyExchange } + if !ka.curve.IsOnCurve(x, y) { + return nil, errClientKeyExchange + } x, _ = ka.curve.ScalarMult(x, y, ka.privateKey) preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3) xBytes := x.Bytes() @@ -322,6 +325,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell if ka.x == nil { return errServerKeyExchange } + if !ka.curve.IsOnCurve(ka.x, ka.y) { + return errServerKeyExchange + } serverECDHParams := skx.key[:4+publicLen] sig := skx.key[4+publicLen:] -- 2.48.1