Closed Bren2010 closed 9 years ago
Unmarshal now checks that points are on the curve, so this issue is effectively closed by d86b8d3
@coruus It doesn't look like that code has been officially released and it probably won't be widely run until a few months after its release. We still need a security warning now and for people running older versions of Go.
I'm pretty sure that a point release for this issue is unlikely. If you want to contribute documentation about this, that would be helpful.
It really isn't that serious -- compared to the implementations of P384 and P521 not being constant-time -- for any of the curves included in the Go standard library, save P224. Does anyone actually use 224 for anything?
It sounds like this is fixed in Go 1.5, so closing the issue.
I don't know how to issue a security warning. That is something to discuss on the golang-dev mailing list.
This is a follow-up for issue #2445.
If there ever was a note in the `elliptic` library warning programmers to check if adversarially-chosen points are on the right curve or in the right subgroup, it's no longer there. Implementers often forget or assume that `Unmarshal` or `ScalarMult` does the checks for them, so stating that they don't somewhere conspicuous should help avoid lots of stupid vulnerabilities in production code.
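As an added illustration of the check this comment asks for (example code, not from the Go project or from anyone in the thread): a received point is validated with `IsOnCurve` before it reaches `ScalarMult`, which keeps the same caller safe on Go releases from before `Unmarshal` gained its own on-curve check. The `ParseValidatedPoint` and `SharedSecret` helpers and the constructed (1,1) test point are assumptions of this example.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrInvalidPoint covers malformed encodings and points not on the curve.
var ErrInvalidPoint = errors.New("elliptic: point is not on the curve")

// ParseValidatedPoint decodes an uncompressed point and refuses anything not
// on the curve. On Go releases before the fix, Unmarshal hands back off-curve
// coordinates unchanged, so the IsOnCurve call is what protects the caller.
func ParseValidatedPoint(curve elliptic.Curve, data []byte) (*big.Int, *big.Int, error) {
	x, y := elliptic.Unmarshal(curve, data)
	if x == nil || !curve.IsOnCurve(x, y) {
		return nil, nil, ErrInvalidPoint
	}
	return x, y, nil
}

// SharedSecret returns the ECDH x-coordinate for priv and a peer's encoded
// public point; the point is validated before it ever reaches ScalarMult.
func SharedSecret(curve elliptic.Curve, priv, peer []byte) ([]byte, error) {
	x, y, err := ParseValidatedPoint(curve, peer)
	if err != nil {
		return nil, err
	}
	sx, _ := curve.ScalarMult(x, y, priv)
	return sx.Bytes(), nil
}

// OffCurveP256Point is a constructed encoding of (x=1, y=1), which is not on
// P-256 because 1^3 - 3*1 + b is not equal to 1 mod p.
func OffCurveP256Point() []byte {
	enc := make([]byte, 65)
	enc[0], enc[32], enc[64] = 0x04, 1, 1
	return enc
}

func main() {
	_, _, err := ParseValidatedPoint(elliptic.P256(), OffCurveP256Point())
	fmt.Println("off-curve point rejected:", err != nil)
}
```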