diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2021-05-03 14:42:46 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2021-05-03 14:42:46 +0000 |
| commit | c8c012af8102b78b23df16bfc842f050e09cc6f2 (patch) | |
| tree | 7a43159fc16410edb5b5c5fe79c421e4d727da1c /lib/libcrypto/ec | |
| parent | 420a6b079b80f9223c729a3e4d78243d9b967187 (diff) | |
Fix corner case for compressed points on binary curves
Per X9.62 4.4.1.b., the compressed representation of a point with
zero x coordinate on a binary curve must have y_bit unset. Error
out in that case of ec_GF2m_set_compressed_coordinates() instead
of ignoring y_bit.
ok jsing
Diffstat (limited to 'lib/libcrypto/ec')
| -rw-r--r-- | lib/libcrypto/ec/ec2_oct.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libcrypto/ec/ec2_oct.c b/lib/libcrypto/ec/ec2_oct.c index ad389914719..832083c628b 100644 --- a/lib/libcrypto/ec/ec2_oct.c +++ b/lib/libcrypto/ec/ec2_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_oct.c,v 1.15 2021/04/20 17:32:57 tb Exp $ */ +/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -121,6 +121,10 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err; if (BN_is_zero(x)) { + if (y_bit != 0) { + ECerror(EC_R_INVALID_COMPRESSED_POINT); + goto err; + } if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err; } else { |