crypto/tls: don't check whether an ec point is on a curve twice

The processClientKeyExchange and processServerKeyExchange functions unmarshal an
encoded EC point and explicitly check whether the point is on the curve. The explicit
check can be omitted because elliptic.Unmarshal fails if the point is not on the curve
and the returned error would always be the same.

Fixes #20496

Change-Id: I5231a655eace79acee2737dd036a0c255ed42dbb
Reviewed-on: https://go-review.googlesource.com/44311
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Avelino <t@avelino.xxx>
Run-TryBot: Adam Langley <agl@golang.org>
This commit is contained in:
Andreas Auernhammer 2017-05-26 11:33:49 +02:00 committed by Adam Langley
parent 95bebf2e8e
commit 257ad9c7d6

View File

@ -319,13 +319,10 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert
if !ok { if !ok {
panic("internal error") panic("internal error")
} }
x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve
if x == nil { if x == nil {
return nil, errClientKeyExchange return nil, errClientKeyExchange
} }
if !curve.IsOnCurve(x, y) {
return nil, errClientKeyExchange
}
x, _ = curve.ScalarMult(x, y, ka.privateKey) x, _ = curve.ScalarMult(x, y, ka.privateKey)
preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3) preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3)
xBytes := x.Bytes() xBytes := x.Bytes()
@ -365,14 +362,10 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell
if !ok { if !ok {
return errors.New("tls: server selected unsupported curve") return errors.New("tls: server selected unsupported curve")
} }
ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve
ka.x, ka.y = elliptic.Unmarshal(curve, publicKey)
if ka.x == nil { if ka.x == nil {
return errServerKeyExchange return errServerKeyExchange
} }
if !curve.IsOnCurve(ka.x, ka.y) {
return errServerKeyExchange
}
} }
sigAndHash := signatureAndHash{signature: ka.sigType} sigAndHash := signatureAndHash{signature: ka.sigType}