summaryrefslogtreecommitdiff
path: root/usr.sbin/nsd/difffile.c
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2020-12-04 08:55:31 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-12-04 08:55:31 +0000
commitad1ab71a048d31559c9e321042c70ee4baf7045a (patch)
tree4adea8034dab507074f531dcfe1e0ca40d65d1ea /usr.sbin/nsd/difffile.c
parent38e111e802d8214ef215961c96a098752f0cabf4 (diff)
Move point-on-curve check to set_affine_coordinates
Bad API design makes it possible to set an EC_KEY public key to a point not on the curve. As a consequence, it was possible to have bogus ECDSA signatures validated. In practice, all software uses either EC_POINT_oct2point*() to unmarshal public keys or issues a call to EC_KEY_check_key() after setting it. This way, a point on curve check is performed and the problem is mitigated. In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia Kasper moved the point-on-curve check from EC_POINT_oct2point to EC_POINT_set_affine_coordinates_*, which results in more checking. In addition to this commit, we also check in the currently unused codepath of a user set callback for setting compressed coordinates, just in case this will be used at some point in the future. The documentation of EC_KEY_check_key() is very vague on what it checks and when checks are needed. It could certainly be improved a lot. It's also strange that EC_KEY_set_key() performs no checks, while EC_KEY_set_public_key_affine_coordinates() implicitly calls EC_KEY_check_key(). It's a mess. Issue found and reported by Guido Vranken who also tested an earlier version of this fix. ok jsing
Diffstat (limited to 'usr.sbin/nsd/difffile.c')
0 files changed, 0 insertions, 0 deletions