Per X9.62 4.4.1.b., the compressed representation of a point with
zero x coordinate on a binary curve must have y_bit unset. Error
out in that case of ec_GF2m_set_compressed_coordinates() instead
of ignoring y_bit.
ok jsing
-/* $OpenBSD: ec2_oct.c,v 1.15 2021/04/20 17:32:57 tb Exp $ */
+/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
if (!BN_GF2m_mod_arr(x, x_, group->poly))
goto err;
if (BN_is_zero(x)) {
+ if (y_bit != 0) {
+ ECerror(EC_R_INVALID_COMPRESSED_POINT);
+ goto err;
+ }
if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx))
goto err;
} else {