Elliptic curve arithmetic only makes sense between points that belong to

the same curve. Some Wycheproof tests violate this assumption, making
ECDH_compute_key() compute and return garbage. Check that pub_key lies
on the curve of the private key so that the calculations make sense.
Most paths that get here have this checked (in particular those from
OpenSSH and libssl), but one might get here after using d2i_* or manual
computation.

discussed with & ok jsing;
"good catch!" markus

1 files changed, 5 insertions, 1 deletions

diff --git a/src/lib/libcrypto/ecdh/ech_key.c b/src/lib/libcrypto/ecdh/ech_key.c
index 5c2dc70b63..6911f1e341 100644
--- a/src/lib/libcrypto/ecdh/ech_key.c
+++ b/src/lib/libcrypto/ecdh/ech_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ech_key.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ech_key.c,v 1.8 2018/09/02 17:20:31 tb Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -125,6 +125,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
         }
 
         group = EC_KEY_get0_group(ecdh);
+
+        if (!EC_POINT_is_on_curve(group, pub_key, ctx))
+                goto err;
+
         if ((tmp = EC_POINT_new(group)) == NULL) {
                 ECDHerror(ERR_R_MALLOC_FAILURE);
                 goto err;