crypto/ecdh: ECDH method doesn't check curve [1.20 backport] #58498

gopherbot · 2023-02-13T20:09:11Z

@FiloSottile requested issue #58131 to be considered for backport to the next 1.20 minor release.

@gopherbot please backport to Go 1.20. This is a crasher in Go+BoringCrypto that we don't consider a security vulnerability (since Go+BoringCrypto is unsupported) but would be better not to leave laying around, and the patch is tiny and safe.

gopherbot · 2023-02-27T23:53:45Z

Change https://go.dev/cl/471602 mentions this issue: [release-branch.go1.20] crypto/ecdh: explicitly reject mismatched curves in ECDH

gopherbot · 2023-02-28T01:46:52Z

Closed by merging aaace6d to release-branch.go1.20.

…ves in ECDH Return an explicit error when PrivateKey.ECDH is called with a PublicKey which uses a different Curve. Also document this requirement, even though it is perhaps obvious. Updates #58131. Fixes #58498. Change-Id: I739181a3f1283bed14fb5ee7eb78658b854d28d8 Reviewed-on: https://go-review.googlesource.com/c/go/+/464335 Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> (cherry picked from commit 67d8916) Reviewed-on: https://go-review.googlesource.com/c/go/+/471602 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>

…ves in ECDH Return an explicit error when PrivateKey.ECDH is called with a PublicKey which uses a different Curve. Also document this requirement, even though it is perhaps obvious. Updates golang#58131. Fixes golang#58498. Change-Id: I739181a3f1283bed14fb5ee7eb78658b854d28d8 Reviewed-on: https://go-review.googlesource.com/c/go/+/464335 Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> (cherry picked from commit 67d8916) Reviewed-on: https://go-review.googlesource.com/c/go/+/471602 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org>

gopherbot added the CherryPickCandidate label Feb 13, 2023

gopherbot mentioned this issue Feb 13, 2023

crypto/ecdh: ECDH method doesn't check curve #58131

Closed

gopherbot modified the milestones: Go1.20.1, Go1.20.2 Feb 13, 2023

prattmic added the CherryPickApproved label Feb 15, 2023

gopherbot removed the CherryPickCandidate label Feb 15, 2023

gopherbot closed this as completed Feb 28, 2023

golang locked and limited conversation to collaborators Feb 28, 2024

gopherbot added the FrozenDueToAge label Feb 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto/ecdh: ECDH method doesn't check curve [1.20 backport] #58498

crypto/ecdh: ECDH method doesn't check curve [1.20 backport] #58498

gopherbot commented Feb 13, 2023

gopherbot commented Feb 27, 2023

gopherbot commented Feb 28, 2023

crypto/ecdh: ECDH method doesn't check curve [1.20 backport] #58498

crypto/ecdh: ECDH method doesn't check curve [1.20 backport] #58498

Comments

gopherbot commented Feb 13, 2023

gopherbot commented Feb 27, 2023

gopherbot commented Feb 28, 2023