diff options
| author | tb <> | 2020-12-04 08:55:30 +0000 |
|---|---|---|
| committer | tb <> | 2020-12-04 08:55:30 +0000 |
| commit | eba5b622a3ad6c48a28a09d15ca32cdfac91f91b (patch) | |
| tree | ca443fbe605894704c5097fc9a5a6d9acc5a1b63 /src/regress/lib/libc/stdio_threading/fwrite | |
| parent | 4dd2176959a6cdcb7f7ea0d8e3883f1ea62b1e55 (diff) | |
| download | openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.tar.gz openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.tar.bz2 openbsd-eba5b622a3ad6c48a28a09d15ca32cdfac91f91b.zip | |
Move point-on-curve check to set_affine_coordinates
Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.
In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.
The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().
It's a mess.
Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.
ok jsing
Diffstat (limited to 'src/regress/lib/libc/stdio_threading/fwrite')
0 files changed, 0 insertions, 0 deletions