CVE-2022-0778 - Impact of ECC cipher with valid server ECC certificate

Viktor Dukhovni openssl-users at dukhovni.org
Sat Mar 26 07:22:51 UTC 2022


On Sat, Mar 26, 2022 at 12:32:03PM +0530, Vipul Mehta wrote:

> If we consider ECDHE_ECDSA cipher based TLS handshake, then it is possible
> that the client can send invalid public session key to the server causing
> the vulnerability. Is this assumption correct ?

The CVE only affects situations in which the untrusted peer can specify
malign "explicit" curve *parameters*, not just the public point.

> If yes, then I think disabling ECC cipher suites should prevent the
> vulnerability if we don't want to upgrade openssl considering there is no
> other cryptographic operation except w.r.t. TLS.

Unless I'm missing something, there's no need to disable ECC ciphers,
since with TLS 1.0 through 1.2 the curve parameters are chosen by the
server.

With the TLS 1.3, the client typically sends a key share first, which
consists of a named group and again a public point.  There is no
mechanism for conveying "explicit" ECC parameters

    https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
    https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2

So either way, TLS servers are safe if they don't solicit client
certificates, or otherwise in some form consume X.509 SPKI public keys
(which with ECC do signal either a named group or provide explicit
parameters).

-- 
    Viktor.


More information about the openssl-users mailing list