diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2020-12-04 08:55:31 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2020-12-04 08:55:31 +0000 |
commit | ad1ab71a048d31559c9e321042c70ee4baf7045a (patch) | |
tree | 4adea8034dab507074f531dcfe1e0ca40d65d1ea /usr.sbin/nsd/difffile.c | |
parent | 38e111e802d8214ef215961c96a098752f0cabf4 (diff) |
Move point-on-curve check to set_affine_coordinates
Bad API design makes it possible to set an EC_KEY public key to
a point not on the curve. As a consequence, it was possible to
have bogus ECDSA signatures validated. In practice, all software
uses either EC_POINT_oct2point*() to unmarshal public keys or
issues a call to EC_KEY_check_key() after setting it. This way,
a point on curve check is performed and the problem is mitigated.
In OpenSSL commit 1e2012b7ff4a5f12273446b281775faa5c8a1858, Emilia
Kasper moved the point-on-curve check from EC_POINT_oct2point to
EC_POINT_set_affine_coordinates_*, which results in more checking.
In addition to this commit, we also check in the currently unused
codepath of a user set callback for setting compressed coordinates,
just in case this will be used at some point in the future.
The documentation of EC_KEY_check_key() is very vague on what it
checks and when checks are needed. It could certainly be improved
a lot. It's also strange that EC_KEY_set_key() performs no checks,
while EC_KEY_set_public_key_affine_coordinates() implicitly calls
EC_KEY_check_key().
It's a mess.
Issue found and reported by Guido Vranken who also tested an earlier
version of this fix.
ok jsing
Diffstat (limited to 'usr.sbin/nsd/difffile.c')
0 files changed, 0 insertions, 0 deletions