[openssl-dev] [openssl.org #4242] OpenSSL ECC coordinate functions accept invalid curve points
Hanno Boeck via RT
rt at openssl.org
Fri Jan 15 15:32:16 UTC 2016
The EC_POINT_* API functions accept invalid curve points and don't do
point verification.
Invalid curve points are one of the major implementation pitfalls in
ECC and can lead to attacks [1]. OpenSSL properly validates points in
the _oct2point functions, but I still find this risky. This looks like
an API behavior that could easily lead to desasters if someone not aware
of that behavior decided to implement a crypto protocol and use
OpenSSL's EC_ functions for it.
BoringSSL changed this recently [2]. They now always do a check with
EC_POINT_is_on_curve() when setting curve coordinates.
I would recommend doing a similar change in OpenSSL and thus make the
API more resistant to misuse that could lead to fatal security issues.
[1]
http://web-in-security.blogspot.dk/2015/09/practical-invalid-curve-attacks.html
[2]
https://boringssl.googlesource.com/boringssl/+/38feb990a183362397ebc62774cc07374d146c83%5E%21/#F0
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
More information about the openssl-dev
mailing list