Skip to content

Optimizing Crypto #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Optimizing Crypto #2

wants to merge 1 commit into from

Conversation

fredrik0x
Copy link
Owner

Makes it faster

@fredrik0x
Optimizing Crypto
e1811b7 
Makes it faster
@github-actions GitHub Actions
Copy link

Security Review

Confidence Score: 95%
Detected Security Issues: Yes

Summary

After verification: 1 confirmed vulnerabilities out of 1 initially found.

Detailed Findings

HIGH Severity Issue

  • Description: Removal of elliptic curve point validation in UnmarshalPubkey function at crypto/crypto.go line 192-194
  • Recommendation: Restore the S256().IsOnCurve(x, y) validation check before creating the public key
  • Confidence: 95%
📑 Detailed Explanation

What is the issue?

The code change removes the critical elliptic curve point validation that ensures the unmarshaled public key coordinates (x, y) actually lie on the secp256k1 curve. This validation is essential for cryptographic security as it prevents acceptance of invalid points that could lead to signature verification bypasses or other cryptographic attacks.

What can happen?

Without curve validation, an attacker could provide invalid public key coordinates that don't lie on the secp256k1 curve. This could lead to signature verification bypasses, allowing unauthorized transactions or message authentication failures. In blockchain contexts, this could enable transaction forgery or consensus manipulation.

How to fix it?

Restore the removed validation check by adding back the lines: 'if !S256().IsOnCurve(x, y) { return nil, errInvalidPubkey }' before creating the ecdsa.PublicKey struct. This ensures only valid curve points are accepted as public keys.

Code example:

<!-- PROBLEMATIC CODE -->
func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) {
	// ... existing code ...
	if x == nil {
		return nil, errInvalidPubkey
	}
	<!-- REMOVED VALIDATION -->
	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
}

<!-- RECOMMENDED FIX -->
func UnmarshalPubkey(pub []byte) (*ecdsa.PublicKey, error) {
	// ... existing code ...
	if x == nil {
		return nil, errInvalidPubkey
	}
	<!-- RESTORE THIS VALIDATION -->
	if !S256().IsOnCurve(x, y) {
		return nil, errInvalidPubkey
	}
	return &ecdsa.PublicKey{Curve: S256(), X: x, Y: y}, nil
}

Additional resources:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@fredrik0x