author | Theo Buehler <tb@cvs.openbsd.org> | 2023-03-04 21:39:35 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-03-04 21:39:35 +0000 |
commit | c3a9dc95fe01bd1955607a29fbf2a97291b51211 (patch) | |
tree | f34a9e0521af14b307405a57bfffe1e1f2c1c1b7 | |
parent | 4a265b0df2c9c2a7bc66ba3d3f9ba8cdb7b7cf0f (diff) |
Enforce a lower bound of of EC group order so 80 bits for ECDSA
This makes sure that the elliptic curve is not completely stupid.
This is conservative enough: the smallest named groups that we support
have an order of 112 bits.
ok beck jsing
-rw-r--r-- | lib/libcrypto/ecdsa/ecs_ossl.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/libcrypto/ecdsa/ecs_ossl.c b/lib/libcrypto/ecdsa/ecs_ossl.c
index 6f45e173b8f..f169b06bd5d 100644
--- a/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.27 2023/03/04 21:37:37 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.28 2023/03/04 21:39:34 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@@ -168,8 +168,13 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 goto err;
 }

+ /* Reject curves with an order that is smaller than 80 bits. */
+ if ((order_bits = BN_num_bits(order)) < 80) {
+ ECDSAerror(EC_R_INVALID_GROUP_ORDER);
+ goto err;
+ }
+
 /* Preallocate space. */
- order_bits = BN_num_bits(order);
 if (!BN_set_bit(k, order_bits) ||
 !BN_set_bit(r, order_bits) ||
 !BN_set_bit(X, order_bits))
|
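Review bot: The new 80-bit floor on the group order is enforced only in ecdsa_sign_setup, so as far as this diff shows, a signature over a group with a tiny order would still reach verification unchecked. The verify path is outside the hunk, so confirm whether it applies the same bound and, if it does not, share the check through one helper so the two paths cannot drift apart. The literal `80` also sits in the code without its rationale; a named constant and a comment carrying the commit message's reasoning, e.g. `/* Reject orders below 80 bits; the smallest supported named groups have 112-bit orders. */`, would keep the threshold from looking arbitrary. The error is raised through `ECDSAerror` with an `EC_R_` reason code, which may not resolve to a reason string if the ECDSA error table has no matching entry, so that is worth checking. ecdsa_sign_setup's body starts and ends outside the hunk.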