From f33d478c46b7874cde9f7ac7b80478879830bf63 Mon Sep 17 00:00:00 2001 From: tb Date: Mon, 3 May 2021 14:42:45 +0000 Subject: [PATCH] Fix corner case for compressed points on binary curves Per X9.62 4.4.1.b., the compressed representation of a point with zero x coordinate on a binary curve must have y_bit unset. Error out in that case of ec_GF2m_set_compressed_coordinates() instead of ignoring y_bit. ok jsing --- lib/libcrypto/ec/ec2_oct.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/libcrypto/ec/ec2_oct.c b/lib/libcrypto/ec/ec2_oct.c index ad389914719..832083c628b 100644 --- a/lib/libcrypto/ec/ec2_oct.c +++ b/lib/libcrypto/ec/ec2_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_oct.c,v 1.15 2021/04/20 17:32:57 tb Exp $ */ +/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -121,6 +121,10 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point if (!BN_GF2m_mod_arr(x, x_, group->poly)) goto err; if (BN_is_zero(x)) { + if (y_bit != 0) { + ECerror(EC_R_INVALID_COMPRESSED_POINT); + goto err; + } if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) goto err; } else { -- 2.20.1