golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/elliptic: Note to Validate Curve Points #10502

Closed Bren2010 closed 9 years ago

Bren2010 commented 9 years ago

This is a follow-up for issue #2445.

If there ever was a note in the elliptic library warning programmers to check if adversarially-chosen points are on the right curve or in the right subgroup, it's no longer there. Implementers often forget or assume that Unmarshal or ScalarMult does the checks for them, so stating that they don't somewhere conspicuous should help avoid lots of stupid vulnerabilities in production code.

coruus commented 9 years ago

Unmarshal now checks that points are on the curve, so this issue is effectively closed by d86b8d3

Bren2010 commented 9 years ago

@coruus It doesn't look like that code has been officially released and it probably won't be widely run until a few months after its release. We still need a security warning now and for people running older versions of Go.

coruus commented 9 years ago

I'm pretty sure that a point release for this issue is unlikely. If you want to contribute documentation about this, that would be helpful.

It really isn't that serious -- compared to the implementations of P384 and P521 not being constant-time -- for any of the curves included in the Go standard library, save P224. Does anyone actually use 224 for anything?

ianlancetaylor commented 9 years ago

It sounds like this is fixed in Go 1.5, so closing the issue.

I don't know how to issue a security warning. That is something to discuss on the golang-dev mailing list.
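
The check this issue asks callers to remember, as an added example (not code from the Go project or from the commenters): a hypothetical helper `parseUntrustedPoint` decodes a peer-supplied uncompressed point and calls `IsOnCurve` before the point reaches `ScalarMult`. The sample inputs are constructed from the P-256 base point.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// parseUntrustedPoint (hypothetical helper, not part of crypto/elliptic) decodes
// an uncompressed point 0x04 || X || Y and rejects it unless it is on curve.
func parseUntrustedPoint(curve elliptic.Curve, data []byte) (x, y *big.Int, err error) {
	params := curve.Params()
	n := (params.BitSize + 7) / 8
	if len(data) != 1+2*n || data[0] != 4 {
		return nil, nil, errors.New("malformed uncompressed point")
	}
	x = new(big.Int).SetBytes(data[1 : 1+n])
	y = new(big.Int).SetBytes(data[1+n:])
	if x.Cmp(params.P) >= 0 || y.Cmp(params.P) >= 0 { // must be reduced field elements
		return nil, nil, errors.New("coordinate out of range")
	}
	// NIST curves have cofactor 1: on-curve implies in the right subgroup.
	if !curve.IsOnCurve(x, y) {
		return nil, nil, errors.New("point is not on the curve")
	}
	return x, y, nil
}

// encodePoint builds the uncompressed encoding used for the constructed inputs.
func encodePoint(curve elliptic.Curve, x, y *big.Int) []byte {
	n := (curve.Params().BitSize + 7) / 8
	out := make([]byte, 1+2*n)
	out[0] = 4
	x.FillBytes(out[1 : 1+n])
	y.FillBytes(out[1+n:])
	return out
}

func main() {
	curve := elliptic.P256()
	p := curve.Params()
	onCurve := encodePoint(curve, p.Gx, p.Gy) // constructed: the base point
	offCurve := encodePoint(curve, p.Gx, new(big.Int).Add(p.Gy, big.NewInt(1)))
	for _, enc := range [][]byte{onCurve, offCurve} {
		_, _, err := parseUntrustedPoint(curve, enc)
		fmt.Printf("%x...: err=%v\n", enc[:5], err)
	}
}
```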