The EC_POINT_* API functions accept invalid curve points and don't do
point verification.

Invalid curve points are one of the major implementation pitfalls in
ECC and can lead to attacks [1]. OpenSSL properly validates points in
the _oct2point functions, but I still find this risky. This looks like
an API behavior that could easily lead to disasters if someone not aware
of that behavior decided to implement a crypto protocol and use
OpenSSL's EC_ functions for it.

BoringSSL changed this recently [2]. They now always do a check with
EC_POINT_is_on_curve() when setting curve coordinates.

I would recommend doing a similar change in OpenSSL and thus make the
API more resistant to misuse that could lead to fatal security issues.

[1] http://web-in-security.blogspot.dk/2015/09/practical-invalid-curve-attacks.html
[2] https://boringssl.googlesource.com/boringssl/+/38feb990a183362397ebc62774cc07374d146c83%5E%21/#F0

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

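An added illustration of the check the report asks for; it is not part of the original message and is not OpenSSL or BoringSSL code. It contrasts a coordinate setter that stores whatever it is given with one that validates first, using the NIST P-256 constants; all function names are hypothetical and the off-curve point is constructed for the example.

```python
# Added example (Python 3.8+): on-curve validation for y^2 = x^3 + a*x + b over GF(p).
# Constants are NIST P-256; function names are hypothetical, not a real library API.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def is_on_curve(x, y):
    """True only if both coordinates are reduced and satisfy the curve equation."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0

def set_affine_unchecked(x, y):
    """Stores the coordinates as given: the behaviour the report describes."""
    return (x, y)

def set_affine_checked(x, y):
    """Validates before accepting: the behaviour the report recommends."""
    if not is_on_curve(x, y):
        raise ValueError("point is not on the curve")
    return (x, y)

def double(pt):
    """Affine point doubling. The formula uses a and p but never b, so the
    arithmetic itself cannot notice that its input is off the curve."""
    x, y = pt
    lam = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (lam * lam - 2 * x) % P
    return (x3, (lam * (x - x3) - y) % P)

if __name__ == "__main__":
    bad = (G[0], (G[1] + 1) % P)           # constructed off-curve coordinates
    pt = set_affine_unchecked(*bad)        # accepted silently
    print("unchecked setter accepted off-curve point:", not is_on_curve(*pt))
    print("doubling ran without error, result on curve:", is_on_curve(*double(pt)))
    try:
        set_affine_checked(*bad)
    except ValueError as exc:
        print("checked setter rejected it:", exc)
```

The range test in `is_on_curve` matters as much as the equation: unreduced coordinates such as `x + p` satisfy the equation modulo `p` but are not a canonical encoding of the point.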