I wanted to report a behavior of the OpenSSL API that I find at least
highly unusual and unexpected and I suggest to change.
It's regarding these functions to set curve coordinates:
EC_POINT_set_affine_coordinates_GFp
EC_POINT_set_compressed_coordinates_GFp
It is possible to pass them a parameter for the coordinates that is
larger than the curves p parameter. It will automatically reduce them
modulo p. (See code example attached.)
One may argue whether that's a wanted behavior by defining that
coordinates > p are considered valid. However that might have
unintended consequences, for example (I haven't tested this) it is
probably possible to send values larger than p in a TLS ECDHE key
exchange as the ephemeral key. This could be used as a fingerprinting
mechanism (other crypto libs I've tested reject such coordinates).
I find it unlikely that any code relies on this behavior and I suggest
changing it so that curve parameters outside the modulus p of the given
curve are rejected with an error.
#include <stdio.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
int main() {
EC_GROUP *nistp256;
EC_POINT *p1;
BN_CTX *ctx = BN_CTX_new();
BIGNUM *x1 = BN_new();
nistp256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
p1 = EC_POINT_new(nistp256);
/* p for this curve is ffffffff00000001000000000000000000000000ffffffffffffffffffffffff */
BN_hex2bn(&x1, "ffffffffffffff00000000000000000000000000000000000000000000000000");
printf("%s\n",BN_bn2hex(x1));
EC_POINT_set_compressed_coordinates_GFp(nistp256, p1, x1, 1, ctx);
EC_POINT_get_affine_coordinates_GFp(nistp256, p1, x1, 0, ctx);
printf("%s\n",BN_bn2hex(x1));
return 0;
}
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
