diff options
| author | tb <> | 2020-12-04 08:55:30 +0000 |
|---|---|---|
| committer | tb <> | 2020-12-04 08:55:30 +0000 |
| commit | eba5b622a3ad6c48a28a09d15ca32cdfac91f91b (patch) | |
| tree | ca443fbe605894704c5097fc9a5a6d9acc5a1b63 /src/lib/libcrypto/ec/ec_oct.c | |
| parent | 4dd2176959a6cdcb7f7ea0d8e3883f1ea62b1e55 (diff) | |
| download | openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.tar.gz openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.tar.bz2 openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.zip | |
Move point-on-curve check to set_affine_coordinates
Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.
In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.
The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().
It's a mess.
Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.
ok jsing
Diffstat (limited to 'src/lib/libcrypto/ec/ec_oct.c')
| -rw-r--r-- | src/lib/libcrypto/ec/ec_oct.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/lib/libcrypto/ec/ec_oct.c b/src/lib/libcrypto/ec/ec_oct.c index f44b174fd7..a285c81459 100644 --- a/src/lib/libcrypto/ec/ec_oct.c +++ b/src/lib/libcrypto/ec/ec_oct.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_oct.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */ | 1 | /* $OpenBSD: ec_oct.c,v 1.6 2020/12/04 08:55:30 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -98,7 +98,14 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP * group, EC_POINT * point | |||
| 98 | group, point, x, y_bit, ctx); | 98 | group, point, x, y_bit, ctx); |
| 99 | #endif | 99 | #endif |
| 100 | } | 100 | } |
| 101 | return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); | 101 | if (!group->meth->point_set_compressed_coordinates(group, point, x, |
| 102 | y_bit, ctx)) | ||
| 103 | return 0; | ||
| 104 | if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { | ||
| 105 | ECerror(EC_R_POINT_IS_NOT_ON_CURVE); | ||
| 106 | return 0; | ||
| 107 | } | ||
| 108 | return 1; | ||
| 102 | } | 109 | } |
| 103 | 110 | ||
| 104 | #ifndef OPENSSL_NO_EC2M | 111 | #ifndef OPENSSL_NO_EC2M |
| @@ -123,7 +130,14 @@ EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP * group, EC_POINT * poin | |||
| 123 | return ec_GF2m_simple_set_compressed_coordinates( | 130 | return ec_GF2m_simple_set_compressed_coordinates( |
| 124 | group, point, x, y_bit, ctx); | 131 | group, point, x, y_bit, ctx); |
| 125 | } | 132 | } |
| 126 | return group->meth->point_set_compressed_coordinates(group, point, x, y_bit, ctx); | 133 | if (!group->meth->point_set_compressed_coordinates(group, point, x, |
| 134 | y_bit, ctx)) | ||
| 135 | return 0; | ||
| 136 | if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { | ||
| 137 | ECerror(EC_R_POINT_IS_NOT_ON_CURVE); | ||
| 138 | return 0; | ||
| 139 | } | ||
| 140 | return 1; | ||
| 127 | } | 141 | } |
| 128 | #endif | 142 | #endif |
| 129 | 143 | ||