mirror of
https://github.com/golang/go
synced 2024-11-19 08:44:39 -07:00
crypto/tls: check curve equation in ECDHE.
This change causes a TLS client and server to verify that received elliptic curve points are on the expected curve. This isn't actually necessary in the Go TLS stack, but Watson Ladd has convinced me that it's worthwhile because it's pretty cheap and it removes the possibility that some change in the future (e.g. tls-unique) will depend on it without the author checking that precondition. LGTM=bradfitz R=bradfitz CC=golang-codereviews https://golang.org/cl/115290046
This commit is contained in:
parent
8332112d0a
commit
30fbcc7576
@ -292,6 +292,9 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
|
|||||||
if x == nil {
|
if x == nil {
|
||||||
return nil, errClientKeyExchange
|
return nil, errClientKeyExchange
|
||||||
}
|
}
|
||||||
|
if !ka.curve.IsOnCurve(x, y) {
|
||||||
|
return nil, errClientKeyExchange
|
||||||
|
}
|
||||||
x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)
|
x, _ = ka.curve.ScalarMult(x, y, ka.privateKey)
|
||||||
preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)
|
preMasterSecret := make([]byte, (ka.curve.Params().BitSize+7)>>3)
|
||||||
xBytes := x.Bytes()
|
xBytes := x.Bytes()
|
||||||
@ -322,6 +325,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
|
|||||||
if ka.x == nil {
|
if ka.x == nil {
|
||||||
return errServerKeyExchange
|
return errServerKeyExchange
|
||||||
}
|
}
|
||||||
|
if !ka.curve.IsOnCurve(ka.x, ka.y) {
|
||||||
|
return errServerKeyExchange
|
||||||
|
}
|
||||||
serverECDHParams := skx.key[:4+publicLen]
|
serverECDHParams := skx.key[:4+publicLen]
|
||||||
|
|
||||||
sig := skx.key[4+publicLen:]
|
sig := skx.key[4+publicLen:]
|
||||||
|
Loading…
Reference in New Issue
Block a user