You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
See #50974 for background. tl;dr is that Marshal, Add, Double, and ScalarMult take a pair of big.Ints as inputs, which might not represent a valid point on the curve, and don't return an error value. The behavior is documented to be undefined.
I am fond of the idea of returning random points, like P-224, P-384, and P-521 do in Go 1.18, but it feels like it would be a pain to debug, and doesn't feel like the right answer for Marshal. Returning nil is definitely not the answer for Marshal, as that will get encoded as the empty string, which would be catastrophic for e.g. an ECDH shared secret, and anyway is likely to cause a panic. A panic is a DoS risk, but it would only occur where before there was a key leak risk.
The @golang/security team consensus is to move to triggering an explicit panic in Go 1.19. (Hopefully, we'll soon provide a better and safer API, too.)
The text was updated successfully, but these errors were encountered:
The next Go release call panic on elliptic.Marshal [1][2], which
affect the test case fail_ec_marshal on createPublicKey.
This changes fix this by initializing the P and B in test case
PublicKey CurveParams to prevent panic.
[1] golang/go#50975
[2] golang/go@a218b35
See #50974 for background. tl;dr is that
Marshal
,Add
,Double
, andScalarMult
take a pair ofbig.Int
s as inputs, which might not represent a valid point on the curve, and don't return an error value. The behavior is documented to be undefined.I am fond of the idea of returning random points, like P-224, P-384, and P-521 do in Go 1.18, but it feels like it would be a pain to debug, and doesn't feel like the right answer for
Marshal
. Returning nil is definitely not the answer forMarshal
, as that will get encoded as the empty string, which would be catastrophic for e.g. an ECDH shared secret, and anyway is likely to cause a panic. A panic is a DoS risk, but it would only occur where before there was a key leak risk.The @golang/security team consensus is to move to triggering an explicit panic in Go 1.19. (Hopefully, we'll soon provide a better and safer API, too.)
The text was updated successfully, but these errors were encountered: