Public bug reported:

The Opencryptoki Soft token does not check if an EC key is valid when an
EC key is created via C_CreateObject, nor when C_DeriveKey is used with
ECDH public data. This may allow one to perform Invalid Curve Attacks.

Fix:
https://github.com/opencryptoki/opencryptoki/commit/4e3b43c3d8844402c04a66b55c6c940f965109f0
 (SOFT: Check the EC Key on C_CreateObject and C_DeriveKey)

This commit should apply smoothly on top of OCK 3.16.0, but also on OCK
3.15.0 or 3.15.1.

EC support has been introduced in the Soft token with OCK 3.15.0. So all
OCK versions >= 3.15.0 are affected. Earlier OCK releases are not
affected.

This problem needs to be fixed only in 21.04, where 3.15.1 is included.

** Affects: opencryptoki (Ubuntu)
     Importance: Undecided
     Assignee: Skipper Bug Screeners (skipper-screen-team)
         Status: New


** Tags: architecture-s39064 bugnameltc-192742 severity-high 
targetmilestone-inin2104

** Tags added: architecture-s39064 bugnameltc-192742 severity-high
targetmilestone-inin2104

** Changed in: ubuntu
     Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)

** Package changed: ubuntu => opencryptoki (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928780

Title:
  [UBUNTU 21.04] openCryptoki: Soft token does not check if an EC key is
  valid

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
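
The kind of check the report says is missing, as an added example that is not part of the bug report and is not openCryptoki's code: before an EC public point is stored or used for ECDH, confirm it lies on the expected curve. It assumes NIST P-256 and a raw uncompressed SEC1 encoding (0x04 || X || Y); the function names are hypothetical.

```python
# Added example: validate an EC public point before import or ECDH.
# Assumptions: NIST P-256 (cofactor 1), raw uncompressed SEC1 encoding.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32


class InvalidPoint(ValueError):
    """Raised when the supplied public point must be rejected."""


def encode_point(x, y):
    """Build the uncompressed SEC1 encoding used as sample input."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def parse_and_validate(encoded):
    """Return (x, y) only if the point is a valid P-256 public key."""
    if len(encoded) != 1 + 2 * COORD_LEN or encoded[0] != 0x04:
        raise InvalidPoint("expected 65-byte uncompressed SEC1 point")
    x = int.from_bytes(encoded[1:1 + COORD_LEN], "big")
    y = int.from_bytes(encoded[1 + COORD_LEN:], "big")
    # Coordinates must be field elements, i.e. already reduced mod p.
    if x >= P or y >= P:
        raise InvalidPoint("coordinate out of range")
    # Curve equation y^2 = x^3 + ax + b (mod p). The point at infinity has
    # no affine encoding, and with cofactor 1 every on-curve point has
    # order n, so this check is sufficient for P-256.
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        raise InvalidPoint("point is not on P-256")
    return x, y


def is_valid(encoded):
    try:
        parse_and_validate(encoded)
        return True
    except InvalidPoint:
        return False


if __name__ == "__main__":
    # Constructed inputs: the P-256 base point and an off-curve variant.
    print("base point accepted:", is_valid(encode_point(GX, GY)))
    print("off-curve point accepted:", is_valid(encode_point(GX, GY + 1)))
```

Curves with a cofactor greater than 1 need an additional order check, which this block does not perform.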
