diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2018-09-02 17:20:32 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2018-09-02 17:20:32 +0000 |
commit | 93c32879e1f5f45e6393cc8976cff3ee8e3aaaca (patch) | |
tree | 4088ba3662d4b61b7c20954868d565d9b09273e2 /lib/libcrypto | |
parent | de95acb1cb4e5ba80533dec026a8fbbd3121560e (diff) |
Elliptic curve arithmetic only makes sense between points that belong to
the same curve. Some Wycheproof tests violate this assumption, making
ECDH_compute_key() compute and return garbage. Check that pub_key lies
on the curve of the private key so that the calculations make sense.
Most paths that get here have this checked (in particular those from
OpenSSH and libssl), but one might get here after using d2i_* or manual
computation.
discussed with & ok jsing;
"good catch!" markus
Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/ecdh/ech_key.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libcrypto/ecdh/ech_key.c b/lib/libcrypto/ecdh/ech_key.c index 5c2dc70b632..6911f1e3419 100644 --- a/lib/libcrypto/ecdh/ech_key.c +++ b/lib/libcrypto/ecdh/ech_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_key.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ech_key.c,v 1.8 2018/09/02 17:20:31 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -125,6 +125,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, } group = EC_KEY_get0_group(ecdh); + + if (!EC_POINT_is_on_curve(group, pub_key, ctx)) + goto err; + if ((tmp = EC_POINT_new(group)) == NULL) { ECDHerror(ERR_R_MALLOC_FAILURE); goto err; |