summaryrefslogtreecommitdiff
path: root/lib/libcrypto
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2018-09-02 17:20:32 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2018-09-02 17:20:32 +0000
commit93c32879e1f5f45e6393cc8976cff3ee8e3aaaca (patch)
tree4088ba3662d4b61b7c20954868d565d9b09273e2 /lib/libcrypto
parentde95acb1cb4e5ba80533dec026a8fbbd3121560e (diff)
Elliptic curve arithmetic only makes sense between points that belong to
the same curve. Some Wycheproof tests violate this assumption, making ECDH_compute_key() compute and return garbage. Check that pub_key lies on the curve of the private key so that the calculations make sense. Most paths that get here have this checked (in particular those from OpenSSH and libssl), but one might get here after using d2i_* or manual computation. discussed with & ok jsing; "good catch!" markus
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/ecdh/ech_key.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libcrypto/ecdh/ech_key.c b/lib/libcrypto/ecdh/ech_key.c
index 5c2dc70b632..6911f1e3419 100644
--- a/lib/libcrypto/ecdh/ech_key.c
+++ b/lib/libcrypto/ecdh/ech_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ech_key.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ech_key.c,v 1.8 2018/09/02 17:20:31 tb Exp $ */
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
@@ -125,6 +125,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
}
group = EC_KEY_get0_group(ecdh);
+
+ if (!EC_POINT_is_on_curve(group, pub_key, ctx))
+ goto err;
+
if ((tmp = EC_POINT_new(group)) == NULL) {
ECDHerror(ERR_R_MALLOC_FAILURE);
goto err;