author | David Benjamin <davidben@google.com> | 2017-10-26 15:48:18 -0400 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2017-10-28 08:02:50 +0000 |
commit | cb16f17b36d9ee9528a06d2e520374a4f177af4d (patch) | |
tree | ffc8e63bee532b8c6995b93324bcfb02959bc9fd /include/openssl/ec.h | |
parent | 2a768d04c697a10f1c0a8116c38ade9e8bf2a5d0 (diff) | |
Check EC_POINT/EC_GROUP compatibility more accurately.
Currently we only check that the underlying EC_METHODs match, which
avoids the points being in different forms, but not that the points are
on the same curves. (We fixed the APIs early on so off-curve EC_POINTs
cannot be created.)
In particular, this comes up with folks implementing Java's crypto
APIs with ECDH_compute_key. These APIs are both unfortunate and should
not be mimicked, as they allow folks to mismatch the groups on the two
multiple EC_POINTs. Instead, ECDH APIs should take the public value as a
byte string.
Thanks also to Java's poor crypto APIs, we must support custom curves,
which makes this particularly gnarly. This CL makes EC_GROUP_cmp work
with custom curves and adds an additional subtle requirement to
EC_GROUP_set_generator.
Annoyingly, this change is additionally subtle because we now have a
reference cycle to hack around.
Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9
Reviewed-on: https://boringssl-review.googlesource.com/22245
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Diffstat (limited to 'include/openssl/ec.h')
-rw-r--r-- | include/openssl/ec.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/openssl/ec.h b/include/openssl/ec.h index f866ae9..dee41b7 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -302,7 +302,7 @@ OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, // EC_GROUP_set_generator sets the generator for |group| to |generator|, which // must have the given order and cofactor. It may only be used with |EC_GROUP| // objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on -// each group. +// each group. |generator| must have been created using |group|. OPENSSL_EXPORT int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, |
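Review bot: The sentence added to the comment above EC_GROUP_set_generator, "|generator| must have been created using |group|", states a precondition but not what a caller observes when it is violated. The function returns int, so the comment should say whether passing a generator created from a different EC_GROUP makes the call fail cleanly or is undefined, in the same place where the "may only be used once on each group" restriction is documented. Because this header is the only documentation callers building custom curves will read, a short pointer to create the point with EC_POINT_new on the same |group| before calling this function would also make the new requirement harder to miss.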