Commit 30fbcc75 authored by Adam Langley's avatar Adam Langley

crypto/tls: check curve equation in ECDHE.

This change causes a TLS client and server to verify that received
elliptic curve points are on the expected curve. This isn't actually
necessary in the Go TLS stack, but Watson Ladd has convinced me that
it's worthwhile because it's pretty cheap and it removes the
possibility that some change in the future (e.g. tls-unique) will
depend on it without the author checking that precondition.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/115290046
parent 8332112d
...@@ -292,6 +292,9 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert ...@@ -292,6 +292,9 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
if x == nil { if x == nil {
return nil, errClientKeyExchange return nil, errClientKeyExchange
} }
if !ka.curve.IsOnCurve(x, y) {
return nil, errClientKeyExchange
}
x, _ = ka.curve.ScalarMult(x, y, ka.privateKey) x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)
preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3) preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)
xBytes := x.Bytes() xBytes := x.Bytes()
...@@ -322,6 +325,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell ...@@ -322,6 +325,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
if ka.x == nil { if ka.x == nil {
return errServerKeyExchange return errServerKeyExchange
} }
if !ka.curve.IsOnCurve(ka.x, ka.y) {
return errServerKeyExchange
}
serverECDHParams := skx.key[:4+publicLen] serverECDHParams := skx.key[:4+publicLen]
sig := skx.key[4+publicLen:] sig := skx.key[4+publicLen:]
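Review bot: The two new `IsOnCurve` guards, in `processClientKeyExchange` before `ScalarMult` and in `processServerKeyExchange` after the `ka.x == nil` test, have no comment explaining why they exist. The commit message says the check is not strictly required by the current stack, so a later cleanup could remove it as redundant. I would put a short comment above each, for example `// Defence in depth: reject a peer point that is not on ka.curve, so later code can rely on that precondition.` No test is visible on this page; one that feeds an off-curve point to each path and expects `errClientKeyExchange` or `errServerKeyExchange` would keep the guard from regressing silently. Both function bodies start and end outside the hunks shown, so this covers only the visible lines.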