[openssl-dev] Behavior of OpenSSL EC API regarding point setting

Hanno Böck hanno at hboeck.de
Tue Dec 15 22:21:49 UTC 2015


Hi,

I experienced some features of the OpenSSL API regarding elliptic
curves that I find quite unusual and I want to ask whether that's
intended.

It's regarding these functions to set curve coordinates:
EC_POINT_set_affine_coordinates_GFp
EC_POINT_set_compressed_coordinates_GFp

It is possible to pass them a parameter for the coordinates that is
larger than the curve's p parameter. It will automatically reduce them
modulo p.

One may argue whether that's a wanted behavior by defining that
coordinates > p are considered valid. However that might have
unintended consequences, for example (I haven't tested this) it is
probably possible to send values larger than p in a TLS ECDHE key
exchange as the ephemeral key. This could be used as a fingerprinting
mechanism (other crypto libs I've tested reject such coordinates).


Another thing in general is that the API accepts invalid curve points.
Invalid curve points are one of the major implementation pitfalls in
ECC and can lead to attacks. OpenSSL properly validates points in the
_oct2point functions, but I still find this risky. This looks like an
API behavior that could easily lead to disasters if someone not aware
of that behavior decided to implement a crypto protocol and use
OpenSSL's EC_ functions for it.

BoringSSL changed this recently [1].

I would recommend and find it generally a cleaner approach if the curve
point setting functions would reject both invalid points and point
coordinates larger than p.


[1]
https://boringssl.googlesource.com/boringssl/+/38feb990a183362397ebc62774cc07374d146c83%5E%21/#F0

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42