From 899e8679c4976f0da298bc0475377a74aa2f66e3 Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 4 Mar 2023 21:39:34 +0000
Subject: [PATCH] Enforce a lower bound of of EC group order so 80 bits for ECDSA

This makes sure that the elliptic curve is not completely stupid. This is conservative enough: the smallest named groups that we support have an order of 112 bits.

ok beck jsing
---
 lib/libcrypto/ecdsa/ecs_ossl.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/ecdsa/ecs_ossl.c b/lib/libcrypto/ecdsa/ecs_ossl.c
index 6f45e173b8f..f169b06bd5d 100644
--- a/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecs_ossl.c,v 1.27 2023/03/04 21:37:37 tb Exp $ */
+/* $OpenBSD: ecs_ossl.c,v 1.28 2023/03/04 21:39:34 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project
 */
@@ -168,8 +168,13 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 goto err;
 }
 
+ /* Reject curves with an order that is smaller than 80 bits. */
+ if ((order_bits = BN_num_bits(order)) < 80) {
+ ECDSAerror(EC_R_INVALID_GROUP_ORDER);
+ goto err;
+ }
+
 /* Preallocate space. */
- order_bits = BN_num_bits(order);
 if (!BN_set_bit(k, order_bits) ||
 !BN_set_bit(r, order_bits) ||
 !BN_set_bit(X, order_bits))
-- 
2.20.1
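Review bot: The new lower bound in the second hunk guards only `ecdsa_sign_setup()`, and nothing visible here shows the verification path applying the same `BN_num_bits(order) < 80` rejection. Verification is where a group with peer-supplied explicit parameters would most plausibly be processed. If verify does not already reject such groups elsewhere, the same check belongs there too, preferably through one shared helper so the two paths cannot drift apart. The bare `80` would also be easier to audit as a named constant, for example `if ((order_bits = BN_num_bits(order)) < ECDSA_MIN_ORDER_BITS) {` (the name is only a suggestion), with a comment recording the commit's rationale that the smallest supported named groups have a 112-bit order. The body of `ecdsa_sign_setup()` starts and ends outside this hunk, so how `order` is obtained and validated before this point cannot be confirmed from here.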