Hi, I experienced some features of the OpenSSL API regarding elliptic curves that I find quite unusual and I want to ask whether that's intended.
It's regarding these functions to set curve coordinates:

EC_POINT_set_affine_coordinates_GFp
EC_POINT_set_compressed_coordinates_GFp

It is possible to pass them a parameter for the coordinates that is larger than the curve's p parameter. It will automatically reduce them modulo p. One may argue whether that's a wanted behavior by defining that coordinates > p are considered valid. However, that might have unintended consequences, for example (I haven't tested this) it is probably possible to send values larger than p in a TLS ECDHE key exchange as the ephemeral key. This could be used as a fingerprinting mechanism (other crypto libs I've tested reject such coordinates).

Another thing in general is that the API accepts invalid curve points. Invalid curve points are one of the major implementation pitfalls in ECC and can lead to attacks. OpenSSL properly validates points in the _oct2point functions, but I still find this risky. This looks like an API behavior that could easily lead to disasters if someone not aware of that behavior decided to implement a crypto protocol and use OpenSSL's EC_ functions for it.

BoringSSL changed this recently [1]. I would recommend and find it generally a cleaner approach if the curve point setting functions would reject both invalid points and point coordinates larger than p.

[1] https://boringssl.googlesource.com/boringssl/+/38feb990a183362397ebc62774cc07374d146c83%5E%21/#F0

--
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
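An added example, not part of the original message and not OpenSSL or BoringSSL code: the strict check the message recommends, written with plain Python integers over NIST P-256. The curve choice and the function names `lenient_on_curve` and `validate_point` are assumptions for illustration; the first reduces coordinates modulo p before checking, the second rejects out-of-range coordinates and off-curve points.

```python
# Added example: strict vs. reduce-then-check validation of affine coordinates.
# NIST P-256 domain parameters (y^2 = x^3 + a*x + b over GF(p)).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _satisfies_equation(x, y):
    """True if (x, y) satisfies the curve equation modulo p."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def lenient_on_curve(x, y):
    """Hypothetical lenient setter: silently reduces coordinates mod p,
    so x and x + p are treated as the same coordinate."""
    return _satisfies_equation(x % P, y % P)


def validate_point(x, y):
    """Hypothetical strict setter: each coordinate must be a canonical
    field element in [0, p-1] and the point must lie on the curve."""
    if not (0 <= x < P and 0 <= y < P):
        return "out-of-range"
    if not _satisfies_equation(x, y):
        return "not-on-curve"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs built from the P-256 base point.
    samples = {
        "base point": (GX, GY),
        "x shifted by p": (GX + P, GY),
        "y perturbed": (GX, GY + 1),
    }
    for name, (x, y) in samples.items():
        print(f"{name:15s} lenient={lenient_on_curve(x, y)!s:5s} "
              f"strict={validate_point(x, y)}")
```
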
