go-ethereum/crypto
Luke Champine 462ddce5b2
crypto/ecies: improve concatKDF (#20836)
This removes a bunch of weird code around the counter overflow check in
concatKDF and makes it actually work for different hash output sizes.

The overflow check worked as follows: concatKDF applies the hash function N
times, where N is roundup(kdLen, hashsize) / hashsize. N should not
overflow 32 bits because that would lead to a repetition in the KDF output.

A couple issues with the overflow check:

- It used the hash.BlockSize, which is wrong because the
  block size is about the input of the hash function. Luckily, all standard
  hash functions have a block size that's greater than the output size, so
  concatKDF didn't crash, it just generated too much key material.
- The check used big.Int to compare against 2^32-1.
- The calculation could still overflow before reaching the check.

The new code in concatKDF doesn't check for overflow. Instead, there is a
new check on ECIESParams which ensures that params.KeyLen is < 512. This
removes any possibility of overflow.

There are a couple of miscellaneous improvements bundled in with this
change:

- The key buffer is pre-allocated instead of appending the hash output
  to an initially empty slice.
- The code that uses concatKDF to derive keys is now shared between Encrypt
  and Decrypt.
- There was a redundant invocation of IsOnCurve in Decrypt. This is now removed
  because elliptic.Unmarshal already checks whether the input is a valid curve
  point since Go 1.5.

Co-authored-by: Felix Lange <fjl@twurst.com>
2020-04-03 11:57:24 +02:00
..
blake2b crypto/blake2b: fix 386, round 2 2019-08-22 12:24:11 +03:00
bn256 crypto/bn256: fix import line (#20723) 2020-02-27 13:59:00 +02:00
ecies crypto/ecies: improve concatKDF (#20836) 2020-04-03 11:57:24 +02:00
secp256k1 cmd, crypto, eth, internals: fix Typos (#19868) 2019-07-22 10:34:33 +03:00
crypto.go crypto: add SignatureLength constant and use it everywhere (#19996) 2019-08-22 15:14:06 +02:00
crypto_test.go crypto: replace ToECDSAPub with error-checking func UnmarshalPubkey (#16932) 2018-06-12 15:26:08 +02:00
signature_cgo.go crypto: add SignatureLength constant and use it everywhere (#19996) 2019-08-22 15:14:06 +02:00
signature_nocgo.go crypto: add SignatureLength constant and use it everywhere (#19996) 2019-08-22 15:14:06 +02:00
signature_test.go crypto: ensure that VerifySignature rejects malleable signatures (#15708) 2017-12-20 14:30:00 +02:00