webpush-go

ECDH output on P-256 curve must be always 32 bytes

Open sorah opened this issue 5 years ago • 1 comments

big.Int Bytes() returns a dynamic-length byte string, while the SEC1 ECDH procedure is defined to output a fixed-length byte string (in big-endian).

https://www.secg.org/sec1-v2.pdf
SEC1: 6.1.3. Key Agreement Operation
Action 2. Convert $$ z $$ to an octet string using the conversion routine specified in Section 2.3.5.
Section 2.3.5. Field-Element-to-Octet-String Conversion, where $$ mlen = \log_2 q / 8 $$
Section 2.3.7. Integer-to-Octet-String Conversion

sorah, Oct 04 '20 14:10

@SherClockHolmes when the ECDH secret is derived with a point less than a 32-bit integer, the message payload is considered invalid due to the wrong derivation process; this patch should fix the problem that we discovered.

sorah, Oct 08 '20 16:10
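The length mismatch described in the issue and the follow-up comment, as an added example that is not code from webpush-go or from the patch: it searches constructed P-256 scalars for a shared x-coordinate with a leading zero byte and compares `big.Int.Bytes()` with the fixed 32-byte encoding. The helper names, the peer key `7*G` and the use of `crypto/elliptic` for the ECDH step are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// p256FieldLen is mlen = ceil(log2(q)/8) for P-256 (SEC1 2.3.5).
const p256FieldLen = 32

// fieldElementToOctets encodes x as a fixed-length big-endian octet string,
// left-padding with zeros as SEC1 2.3.5 / 2.3.7 require.
func fieldElementToOctets(x *big.Int) []byte {
	return x.FillBytes(make([]byte, p256FieldLen))
}

// findShortSecret walks constructed private scalars 1, 2, 3, ... against a
// fixed constructed peer key until the shared x-coordinate has a leading zero
// byte. It returns the scalar and x, or (0, nil) if none is found within limit.
func findShortSecret(limit int64) (int64, *big.Int) {
	curve := elliptic.P256()
	// Constructed peer public key: 7*G. Not a real key.
	px, py := curve.ScalarBaseMult([]byte{7})
	for k := int64(1); k <= limit; k++ {
		x, _ := curve.ScalarMult(px, py, big.NewInt(k).Bytes())
		if len(x.Bytes()) < p256FieldLen {
			return k, x
		}
	}
	return 0, nil
}

func main() {
	k, x := findShortSecret(100000)
	if x == nil {
		fmt.Println("no short secret found in range")
		return
	}
	raw := x.Bytes()                 // variable length: leading zeros dropped
	fixed := fieldElementToOctets(x) // always 32 bytes
	fmt.Printf("scalar %d: Bytes() len=%d, fixed len=%d\n", k, len(raw), len(fixed))
	fmt.Println("fixed encoding ends with Bytes():", bytes.HasSuffix(fixed, raw))
}
```

About one shared secret in 256 has a leading zero byte, so the shorter encoding appears as an intermittent failure rather than a consistent one.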