disable elliptic curves P-384 and P-521 for TLS. (#5845)

This change disables the non-constant-time implementations of P-384 and P-521. As a consequence a client using just these curves cannot connect to the server. This should be no real issues because (all) clients at least support P-256. Further this change also rejects ECDSA private keys of P-384 and P-521. While non-constant-time implementations for the ECDHE exchange don't expose an obvious vulnerability, using P-384 or P-521 keys for the ECDSA signature may allow pratical timing attacks. Fixes #5844
2025-11-09 21:49:46 -05:00 · 2018-04-25 00:47:30 +02:00
parent c733fe87ce
commit 21a3c0f482
3 changed files with 19 additions and 0 deletions
--- a/cmd/certs.go
+++ b/cmd/certs.go
@@ -17,6 +17,8 @@
 package cmd

 import (
+	"crypto"
+	"crypto/ecdsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@@ -142,6 +144,16 @@ func getSSLConfig() (x509Certs []*x509.Certificate, rootCAs *x509.CertPool, tlsC
 	if cert, err = loadX509KeyPair(getPublicCertFile(), getPrivateKeyFile()); err != nil {
 		return nil, nil, nil, false, err
 	}
+	// Ensure that the private key is not a P-384 or P-521 EC key.
+	// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
+	if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
+		if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
+			if name := pub.Params().Name; name == "P-384" || name == "P-521" { // unfortunately there is no cleaner way to check
+				return nil, nil, nil, false, fmt.Errorf("TLS: the ECDSA curve '%s' is not supported", name)
+			}
+		}
+
+	}

 	tlsCert = &cert