From 257ad9c7d6b34795dd956323184b4d7ebf5c2694 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Fri, 26 May 2017 11:33:49 +0200 Subject: [PATCH] crypto/tls: don't check whether an ec point is on a curve twice The processClientKeyExchange and processServerKeyExchange functions unmarshal an encoded EC point and explicitly check whether the point is on the curve. The explicit check can be omitted because elliptic.Unmarshal fails if the point is not on the curve and the returned error would always be the same. Fixes #20496 Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb Reviewed-on: https://go-review.googlesource.com/44311 Reviewed-by: Adam Langley Reviewed-by: Avelino Run-TryBot: Adam Langley --- key_agreement.go | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/key_agreement.go b/key_agreement.go index 1b27c04..cf30b43 100644 --- a/key_agreement.go +++ b/key_agreement.go @@ -319,13 +319,10 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert if !ok { panic("internal error") } - x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) + x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve if x == nil { return nil, errClientKeyExchange } - if !curve.IsOnCurve(x, y) { - return nil, errClientKeyExchange - } x, _ = curve.ScalarMult(x, y, ka.privateKey) preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3) xBytes := x.Bytes() @@ -365,14 +362,10 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell if !ok { return errors.New("tls: server selected unsupported curve") } - - ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) + ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve if ka.x == nil { return errServerKeyExchange } - if !curve.IsOnCurve(ka.x, ka.y) { - return errServerKeyExchange - } } sigAndHash := signatureAndHash{signature: ka.sigType}