Require that EC points are on the curve.

This removes a sharp corner in the API where |ECDH_compute_key| assumed that callers were either using ephemeral keys, or else had already checked that the public key was on the curve. A public key that's not on the curve can be in a small subgroup and thus the result can leak information about the private key.

This change causes |EC_POINT_set_affine_coordinates_GFp| to require that points are on the curve. |EC_POINT_oct2point| already does this.

Change-Id: I77d10ce117b6efd87ebb4a631be3a9630f5e6636
Reviewed-on: https://boringssl-review.googlesource.com/5861
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ec.h b/include/openssl/ec.h index fe1c89e..ac36a32 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h
@@ -220,8 +220,10 @@ BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -/* EC_POINT_set_affine_coordinates_GFp sets the value of |p| to be (|x|, |y|). The - * |ctx| argument may be used if not NULL. */ +/* EC_POINT_set_affine_coordinates_GFp sets the value of |p| to be (|x|, |y|). + * The |ctx| argument may be used if not NULL. It returns one on success or + * zero on error. Note that, unlike with OpenSSL, it's considered an error if + * the point is not on the curve. */ OPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x,
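Review bot: the rewritten comment on EC_POINT_set_affine_coordinates_GFp now promises that an off-curve point is an error, but this hunk only touches the header; the enforcing check belongs in the implementation of the function, together with a test that feeds it coordinates not on the curve and expects zero, so that the documented contract is actually verified rather than asserted. While the comment is being expanded, it would also help callers to state what happens to |point| on failure (whether it is left unmodified or in an unspecified state), since code that checks the return value will want to know whether the EC_POINT can still be reused. The "unlike with OpenSSL" sentence is a useful compatibility caveat and should stay, as it is exactly the behaviour difference that code ported from OpenSSL will trip over.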