
Commit 0fb2d2e

ecc: fix invalid-curve attack via missing on-curve validation
wc_ecc_import_x963_ex2 only checked whether an imported public point lies on the intended curve when both USE_ECC_B_PARAM was compiled in and the caller passed untrusted=1. In a default ./configure build, USE_ECC_B_PARAM is not defined, so the check was compiled out entirely. Additionally, the legacy wrapper wc_ecc_import_x963_ex unconditionally passed untrusted=0, meaning ECIES (wc_ecc_decrypt), PKCS#7 KARI, and the EVP ECDH layer never triggered the check even when the macro was present. In the OpenSSL compatibility layer, wolfSSL_ECPoint_d2i guarded its on-curve check behind !wolfSSL_BN_is_one(point->Z), but wc_ecc_import_point_der_ex always sets Z=1 for uncompressed points, making the check dead code. An attacker who can supply an EC public key (e.g. via an ECIES ciphertext, PKCS#7 enveloped-data, EVP_PKEY_derive, or EC_POINT_oct2point + ECDH_compute_key) can choose a point on a twist of the target curve with a smooth-order subgroup. Each ECDH query leaks the victim's static private scalar modulo a small prime; CRT reconstruction across enough queries recovers the full key (Biehl-Meyer-Müller invalid-curve attack). Static-key ECIES and PKCS#7 KARI are directly affected; TLS is affected in default builds because the USE_ECC_B_PARAM gate defeated the untrusted=1 flag that the handshake does pass. Four changes close the attack: 1. Remove the USE_ECC_B_PARAM gate completely in the code base so that wc_ecc_point_is_on_curve() is compiled in all builds, not only those with HAVE_COMP_KEY or OPENSSL_EXTRA (only set for legacy FIPS builds in settings.h). 2. wc_ecc_import_x963_ex: pass untrusted=1 to wc_ecc_import_x963_ex2 so that ECIES, PKCS#7 KARI, and EVP callers that go through the four-argument wrapper always validate the imported point. 3. wc_ecc_import_x963_ex2: use the lightweight sp_ecc_is_point_NNN helpers (curve-equation check only) instead of sp_ecc_check_key_NNN (which additionally performs a full point*order scalar multiply). 
For prime-order curves (P-256, P-384, P-521, SM2) the on-curve equation check y^2 = x^3 + ax + b is sufficient to defeat invalid-curve attacks — every non-identity point on a prime-order curve has the full group order, so the expensive order-multiply check is unnecessary. This avoids the ~50% ECDH performance regression caused by the redundant scalar multiplication. 4. wolfSSL_ECPoint_d2i (pk_ec.c): add unconditional on-curve validation via wolfSSL_EC_POINT_is_on_curve after import. The existing check was gated on !wolfSSL_BN_is_one(point->Z) and therefore dead code for all uncompressed-point imports. This closes the OpenSSL compat layer attack path (EC_POINT_oct2point followed by ECDH_compute_key). Non-SP curves fall back to wc_ecc_point_is_on_curve which performs the same equation check using mp_int arithmetic. Reported by: Nicholas Carlini (Anthropic) & Thai Duong (Calif.io)
1 parent 1cd8edb commit 0fb2d2e

7 files changed

+103
-97
lines changed


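--- a/src/pk_ec.c
+++ b/src/pk_ec.c
@@ -1532,7 +1532,7 @@ int wolfSSL_ECPoint_d2i(const unsigned char *in, unsigned int len,
 ret = 0;
 }
 
-/* wolfSSL_EC_POINT_set_affine_coordinates_GFp check that the point is
+/* wolfSSL_EC_POINT_set_affine_coordinates_GFp checks that the point is
 * on the curve. */
 if (ret == 1 && wolfSSL_EC_POINT_set_affine_coordinates_GFp(group,
 point, x, y, NULL) != 1) {
@@ -1544,6 +1544,18 @@ int wolfSSL_ECPoint_d2i(const unsigned char *in, unsigned int len,
 "operations later on.");
 #endif
 }
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
+/* Validate that the imported point lies on the curve. The Z!=1 path
+* above validates via set_affine_coordinates_GFp, but for affine
+* imports (Z==1), the common case for uncompressed points, that
+* block is skipped. Check unconditionally so no import path can
+* bypass validation. */
+if (ret == 1 && wolfSSL_EC_POINT_is_on_curve(group,
+(WOLFSSL_EC_POINT *)point, NULL) != 1) {
+WOLFSSL_MSG("wolfSSL_ECPoint_d2i: point not on curve");
+ret = 0;
+}
+#endif
 
 if (ret == 1) {
 /* Dump new point. */
@@ -1750,8 +1762,7 @@ WOLFSSL_BIGNUM *wolfSSL_EC_POINT_point2bn(const WOLFSSL_EC_GROUP* group,
 return ret;
 }
 
-#if defined(USE_ECC_B_PARAM) && !defined(HAVE_SELFTEST) && \
-(!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
 /* Check if EC point is on the the curve defined by the EC group.
 *
 * @param [in] group EC group defining curve.
@@ -1792,7 +1803,7 @@ int wolfSSL_EC_POINT_is_on_curve(const WOLFSSL_EC_GROUP *group,
 /* Return boolean of on curve. No error means on curve. */
 return !err;
 }
-#endif /* USE_ECC_B_PARAM && !HAVE_SELFTEST && !(FIPS_VERSION <= 2) */
+#endif /* !HAVE_SELFTEST && !(HAVE_FIPS && FIPS_VERSION <= 2) */
 
 #if !defined(WOLFSSL_SP_MATH) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)
 /* Convert Jacobian ordinates to affine.
@@ -1985,8 +1996,7 @@ int wolfSSL_EC_POINT_set_affine_coordinates_GFp(const WOLFSSL_EC_GROUP* group,
 ret = 0;
 }
 
-#if defined(USE_ECC_B_PARAM) && !defined(HAVE_SELFTEST) && \
-(!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
 /* Check that the point is valid. */
 if ((ret == 1) && (wolfSSL_EC_POINT_is_on_curve(group,
 (WOLFSSL_EC_POINT *)point, ctx) != 1)) {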
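Review bot: The new on-curve check at the end of wolfSSL_ECPoint_d2i is itself wrapped in `#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))`, so HAVE_SELFTEST and FIPS v2-or-older builds still accept an unvalidated point through EC_POINT_oct2point, the very path the commit message describes as closed. If wolfSSL_EC_POINT_is_on_curve is genuinely unavailable in those configurations (it is defined under the same gate further down in this file), the remaining gap deserves an explicit comment on the `#endif`, e.g. `/* NOTE: no on-curve validation in HAVE_SELFTEST / FIPS<=2 builds; callers of wolfSSL_ECPoint_d2i must validate the point themselves */`, or a preprocessor warning so it cannot go unnoticed. For Z!=1 imports the point is now validated twice (here and inside wolfSSL_EC_POINT_set_affine_coordinates_GFp); harmless, but the new comment's "The Z!=1 path above validates" could say that the second check is deliberately redundant. wolfSSL_ECPoint_d2i starts and ends outside the hunk.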

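--- a/tests/api/test_ecc.c
+++ b/tests/api/test_ecc.c
@@ -1314,6 +1314,7 @@ int test_wc_ecc_encryptDecrypt(void)
 
 #ifdef WOLFSSL_ECIES_OLD
 tmpKey.dp = cliKey.dp;
+tmpKey.idx = cliKey.idx;
 ExpectIntEQ(wc_ecc_copy_point(&cliKey.pubkey, &tmpKey.pubkey), 0);
 #endif
 
@@ -1445,15 +1446,13 @@ int test_wc_ecc_pointFns(void)
 
 #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)))
-#ifdef USE_ECC_B_PARAM
 /* On curve if ret == 0 */
 ExpectIntEQ(wc_ecc_point_is_on_curve(point, idx), 0);
 /* Test bad args. */
 ExpectIntEQ(wc_ecc_point_is_on_curve(NULL, idx),
 WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 ExpectIntEQ(wc_ecc_point_is_on_curve(point, 1000),
 WC_NO_ERR_TRACE(ECC_BAD_ARG_E));
-#endif /* USE_ECC_B_PARAM */
 #endif /* !HAVE_SELFTEST && (!HAVE_FIPS || HAVE_FIPS_VERSION > 2) */
 
 /* Free */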
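Review bot: The checks kept in test_wc_ecc_pointFns still only prove that a valid point passes wc_ecc_point_is_on_curve and that bad arguments are rejected; nothing in this commit's tests (nor in tests/api/test_ossl_ec.c, which likewise only asserts EC_POINT_is_on_curve == 1 for a good point) exercises the fix itself, i.e. that wc_ecc_import_x963 now rejects an off-curve point. A regression test that exports the test key's public point, perturbs the last byte of y and expects the import to fail would pin the behaviour the commit message relies on, and would have caught the original dead-code gate. The sketch below uses the test's existing `key` (assumed to be the key `point` was taken from); the buffer size and the perturbed byte are illustrative.
```c
/* … unchanged: existing wc_ecc_point_is_on_curve checks … */
{
    /* Regression: a point that is not on the curve must be rejected on import. */
    byte    pub[ECC_BUFSIZE];       /* constructed size: large enough for any x963 point */
    word32  pubSz = (word32)sizeof(pub);
    ecc_key badKey;
    ExpectIntEQ(wc_ecc_export_x963(&key, pub, &pubSz), 0);
    pub[pubSz - 1] ^= 0x01;         /* y +/- 1 is off the curve for all but one y */
    ExpectIntEQ(wc_ecc_init(&badKey), 0);
    ExpectIntNE(wc_ecc_import_x963(pub, pubSz, &badKey), 0);
    wc_ecc_free(&badKey);
}
```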

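--- a/tests/api/test_ossl_ec.c
+++ b/tests/api/test_ossl_ec.c
@@ -476,8 +476,7 @@ int test_wolfSSL_EC_POINT(void)
 /* check if point X coordinate is zero */
 ExpectIntEQ(BN_is_zero(new_point->X), 0);
 
-#if defined(USE_ECC_B_PARAM) && !defined(HAVE_SELFTEST) && \
-(!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
+#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0))
 ExpectIntEQ(EC_POINT_is_on_curve(group, new_point, ctx), 1);
 #endif
 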
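--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -50,8 +50,6 @@ Possible ECC enable options:
 * SECP160K1 and SECP224K1. These do not work with scalars
 * that are the length of the order when the order is
 * longer than the prime. Use wc_ecc_fp_free to free cache.
-* USE_ECC_B_PARAM: Enable ECC curve B param default: off
-* (on for HAVE_COMP_KEY)
 * WOLFSSL_ECC_CURVE_STATIC: default off (on for windows)
 * For the ECC curve parameters `ecc_set_type` use fixed
 * array for hex string
@@ -1522,19 +1520,15 @@ typedef struct ecc_curve_spec {
 
 mp_int* prime;
 mp_int* Af;
-#ifdef USE_ECC_B_PARAM
-mp_int* Bf;
-#endif
+mp_int* Bf;
 mp_int* order;
 mp_int* Gx;
 mp_int* Gy;
 
 #ifdef ECC_CACHE_CURVE
 mp_int prime_lcl;
 mp_int Af_lcl;
-#ifdef USE_ECC_B_PARAM
-mp_int Bf_lcl;
-#endif
+mp_int Bf_lcl;
 mp_int order_lcl;
 mp_int Gx_lcl;
 mp_int Gy_lcl;
@@ -1554,19 +1548,12 @@ typedef struct ecc_curve_spec {
 #define ECC_CURVE_FIELD_NONE 0x00
 #define ECC_CURVE_FIELD_PRIME 0x01
 #define ECC_CURVE_FIELD_AF 0x02
-#ifdef USE_ECC_B_PARAM
 #define ECC_CURVE_FIELD_BF 0x04
-#endif
 #define ECC_CURVE_FIELD_ORDER 0x08
 #define ECC_CURVE_FIELD_GX 0x10
 #define ECC_CURVE_FIELD_GY 0x20
-#ifdef USE_ECC_B_PARAM
 #define ECC_CURVE_FIELD_ALL 0x3F
 #define ECC_CURVE_FIELD_COUNT 6
-#else
-#define ECC_CURVE_FIELD_ALL 0x3B
-#define ECC_CURVE_FIELD_COUNT 5
-#endif
 
 #if defined(WOLFSSL_XILINX_CRYPT_VERSAL)
 static const u32 xil_curve_type[ECC_CURVE_MAX] = {
@@ -1710,10 +1697,8 @@ static void wc_ecc_curve_cache_free_spec(ecc_curve_spec* curve)
 wc_ecc_curve_cache_free_spec_item(curve, curve->prime, ECC_CURVE_FIELD_PRIME);
 if (curve->load_mask & ECC_CURVE_FIELD_AF)
 wc_ecc_curve_cache_free_spec_item(curve, curve->Af, ECC_CURVE_FIELD_AF);
-#ifdef USE_ECC_B_PARAM
 if (curve->load_mask & ECC_CURVE_FIELD_BF)
 wc_ecc_curve_cache_free_spec_item(curve, curve->Bf, ECC_CURVE_FIELD_BF);
-#endif
 if (curve->load_mask & ECC_CURVE_FIELD_ORDER)
 wc_ecc_curve_cache_free_spec_item(curve, curve->order, ECC_CURVE_FIELD_ORDER);
 if (curve->load_mask & ECC_CURVE_FIELD_GX)
@@ -1847,9 +1832,7 @@ static int wc_ecc_curve_load(const ecc_set_type* dp, ecc_curve_spec** pCurve,
 #ifdef ECC_CACHE_CURVE
 curve->prime = &curve->prime_lcl;
 curve->Af = &curve->Af_lcl;
-#ifdef USE_ECC_B_PARAM
-curve->Bf = &curve->Bf_lcl;
-#endif
+curve->Bf = &curve->Bf_lcl;
 curve->order = &curve->order_lcl;
 curve->Gx = &curve->Gx_lcl;
 curve->Gy = &curve->Gy_lcl;
@@ -1868,11 +1851,9 @@ static int wc_ecc_curve_load(const ecc_set_type* dp, ecc_curve_spec** pCurve,
 if (load_items & ECC_CURVE_FIELD_AF)
 ret += wc_ecc_curve_cache_load_item(curve, dp->Af, &curve->Af,
 ECC_CURVE_FIELD_AF);
-#ifdef USE_ECC_B_PARAM
 if (load_items & ECC_CURVE_FIELD_BF)
 ret += wc_ecc_curve_cache_load_item(curve, dp->Bf, &curve->Bf,
 ECC_CURVE_FIELD_BF);
-#endif
 if (load_items & ECC_CURVE_FIELD_ORDER)
 ret += wc_ecc_curve_cache_load_item(curve, dp->order, &curve->order,
 ECC_CURVE_FIELD_ORDER);
@@ -4762,6 +4743,7 @@ int wc_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, byte* out,
 return ECC_BAD_ARG_E;
 }
 
+
 #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
 /* For SECP256R1 use hardware */
 if (private_key->dp->id == ECC_SECP256R1) {
@@ -5274,7 +5256,6 @@ int wc_ecc_shared_secret_ex(ecc_key* private_key, ecc_point* point,
 #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_CRYPTOCELL && !WOLFSSL_KCAPI_ECC */
 #endif /* HAVE_ECC_DHE */
 
-#ifdef USE_ECC_B_PARAM
 /* Checks if a point p lies on the curve with index curve_idx */
 int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx)
 {
@@ -5309,7 +5290,6 @@ int wc_ecc_point_is_on_curve(ecc_point *p, int curve_idx)
 
 return err;
 }
-#endif /* USE_ECC_B_PARAM */
 
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
 !defined(WOLFSSL_CRYPTOCELL) && \
@@ -9969,8 +9949,6 @@ int wc_ecc_export_x963_ex(ecc_key* key, byte* out, word32* outLen,
 #endif /* HAVE_ECC_KEY_EXPORT */
 
 
-#ifdef HAVE_ECC_CHECK_PUBKEY_ORDER
-
 /* is ecc point on curve described by dp ? */
 static int _ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
 {
@@ -10147,6 +10125,8 @@ int wc_ecc_is_point(ecc_point* ecp, mp_int* a, mp_int* b, mp_int* prime)
 return err;
 }
 
+#ifdef HAVE_ECC_CHECK_PUBKEY_ORDER
+
 #if (FIPS_VERSION_GE(5,0) || defined(WOLFSSL_VALIDATE_ECC_KEYGEN) || \
 (defined(WOLFSSL_VALIDATE_ECC_IMPORT) && !defined(WOLFSSL_SP_MATH))) && \
 !defined(WOLFSSL_KCAPI_ECC) || defined(WOLFSSL_CAAM)
@@ -10514,14 +10494,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 int err = MP_OKAY;
 #if defined(HAVE_ECC_CHECK_PUBKEY_ORDER) && !defined(WOLFSSL_SP_MATH)
 mp_int* b = NULL;
-#ifdef USE_ECC_B_PARAM
-DECLARE_CURVE_SPECS(4);
-#else
-#ifndef WOLFSSL_SMALL_STACK
-mp_int b_lcl;
-#endif
-DECLARE_CURVE_SPECS(3);
-#endif /* USE_ECC_B_PARAM */
+DECLARE_CURVE_SPECS(4);
 #endif
 
 ASSERT_SAVED_VECTOR_REGISTERS();
@@ -10573,21 +10546,7 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 #endif
 
 #ifndef WOLFSSL_SP_MATH
-#ifdef USE_ECC_B_PARAM
-ALLOC_CURVE_SPECS(4, err);
-#else
-ALLOC_CURVE_SPECS(3, err);
-#ifndef WOLFSSL_SMALL_STACK
-b = &b_lcl;
-#else
-b = (mp_int*)XMALLOC(sizeof(mp_int), key->heap, DYNAMIC_TYPE_ECC);
-if (b == NULL) {
-FREE_CURVE_SPECS();
-return MEMORY_E;
-}
-#endif
-XMEMSET(b, 0, sizeof(mp_int));
-#endif
+ALLOC_CURVE_SPECS(4, err);
 
 #ifdef WOLFSSL_CAAM
 /* keys can be black encrypted ones which can not be checked like plain text
@@ -10612,22 +10571,10 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 /* load curve info */
 if (err == MP_OKAY)
 err = wc_ecc_curve_load(key->dp, &curve, (ECC_CURVE_FIELD_PRIME |
-ECC_CURVE_FIELD_AF | ECC_CURVE_FIELD_ORDER
-#ifdef USE_ECC_B_PARAM
-| ECC_CURVE_FIELD_BF
-#endif
-));
+ECC_CURVE_FIELD_AF | ECC_CURVE_FIELD_ORDER | ECC_CURVE_FIELD_BF));
 
-#ifndef USE_ECC_B_PARAM
-/* load curve b parameter */
-if (err == MP_OKAY)
-err = mp_init(b);
-if (err == MP_OKAY)
-err = mp_read_radix(b, key->dp->Bf, MP_RADIX_HEX);
-#else
 if (err == MP_OKAY)
 b = curve->Bf;
-#endif
 
 /* SP 800-56Ar3, section 5.6.2.3.3, process step 2 */
 /* SP 800-56Ar3, section 5.6.2.3.4, process step 2 */
@@ -10684,11 +10631,6 @@ static int _ecc_validate_public_key(ecc_key* key, int partial, int priv)
 
 wc_ecc_curve_free(curve);
 
-#ifndef USE_ECC_B_PARAM
-mp_clear(b);
-WC_FREE_VAR_EX(b, key->heap, DYNAMIC_TYPE_ECC);
-#endif
-
 FREE_CURVE_SPECS();
 
 #else
@@ -11012,16 +10954,75 @@ int wc_ecc_import_x963_ex2(const byte* in, word32 inLen, ecc_key* key,
 !defined(WOLFSSL_CRYPTOCELL) && \
 (!defined(WOLF_CRYPTO_CB_ONLY_ECC) || defined(WOLFSSL_QNX_CAAM) || \
 defined(WOLFSSL_IMXRT1170_CAAM))
-if (untrusted) {
-/* Only do quick checks. */
-if ((err == MP_OKAY) && wc_ecc_point_is_at_infinity(&key->pubkey)) {
+if ((err == MP_OKAY) && untrusted) {
+/* Reject point at infinity. */
+if (wc_ecc_point_is_at_infinity(&key->pubkey)) {
 err = ECC_INF_E;
 }
-#ifdef USE_ECC_B_PARAM
-if ((err == MP_OKAY) && (key->idx != ECC_CUSTOM_IDX)) {
+/* Verify the point lies on the curve (y^2 = x^3 + ax + b mod p) */
+if ((err == MP_OKAY) && (key->idx != ECC_CUSTOM_IDX)) {
+#ifdef WOLFSSL_HAVE_SP_ECC
+#ifndef WOLFSSL_SP_NO_256
+if (ecc_sets[key->idx].id == ECC_SECP256R1) {
+err = sp_ecc_is_point_256(key->pubkey.x, key->pubkey.y);
+#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SP_SM2)
+if (err != MP_OKAY && curve_id < 0) {
+/* Retry with SM2 curve when P-256 returns invalid.
+* Only when no explicit curve was requested (curve_id < 0).
+* Needed because SM2 keys can be mis-identified as
+* SECP256R1 during parsing. */
+err = sp_ecc_is_point_sm2_256(key->pubkey.x,
+key->pubkey.y);
+if (err == MP_OKAY) {
+err = wc_ecc_set_curve(key, key->dp->size,
+ECC_SM2P256V1);
+}
+}
+#endif
+}
+else
+#endif
+#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SP_SM2)
+if (ecc_sets[key->idx].id == ECC_SM2P256V1) {
+err = sp_ecc_is_point_sm2_256(key->pubkey.x, key->pubkey.y);
+}
+else
+#endif
+#ifdef WOLFSSL_SP_384
+if (ecc_sets[key->idx].id == ECC_SECP384R1) {
+err = sp_ecc_is_point_384(key->pubkey.x, key->pubkey.y);
+}
+else
+#endif
+#ifdef WOLFSSL_SP_521
+if (ecc_sets[key->idx].id == ECC_SECP521R1) {
+err = sp_ecc_is_point_521(key->pubkey.x, key->pubkey.y);
+}
+else
+#endif
+{
+err = wc_ecc_point_is_on_curve(&key->pubkey, key->idx);
+}
+#else
 err = wc_ecc_point_is_on_curve(&key->pubkey, key->idx);
+#if defined(WOLFSSL_SM2)
+if (err != MP_OKAY && curve_id < 0) {
+/* Retry with SM2 curve when P-256 returns invalid.
+* Only when no explicit curve was requested (curve_id < 0).
+* Needed because SM2 keys can be mis-identified as
+* SECP256R1 during parsing. */
+int sm2_idx = wc_ecc_get_curve_idx(ECC_SM2P256V1);
+if (sm2_idx != ECC_CURVE_INVALID) {
+err = wc_ecc_point_is_on_curve(&key->pubkey, sm2_idx);
+if (err == MP_OKAY) {
+err = wc_ecc_set_curve(key, WOLFSSL_SM2_KEY_BITS / 8,
+ECC_SM2P256V1);
+}
+}
+}
+#endif
+#endif /* WOLFSSL_HAVE_SP_ECC */
 }
-#endif /* USE_ECC_B_PARAM */
 }
 #endif
 (void)untrusted;
@@ -11048,7 +11049,8 @@ int wc_ecc_import_x963_ex2(const byte* in, word32 inLen, ecc_key* key,
 int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key,
 int curve_id)
 {
-return wc_ecc_import_x963_ex2(in, inLen, key, curve_id, 0);
+/* treat as untrusted: validate the point is on the curve */
+return wc_ecc_import_x963_ex2(in, inLen, key, curve_id, 1);
 }
 
 WOLFSSL_ABI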
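Review bot: The new on-curve validation in wc_ecc_import_x963_ex2 (hunk at -11012) is skipped entirely when `key->idx == ECC_CUSTOM_IDX`, so a point imported onto a caller-defined custom curve is still accepted without any curve-equation check, which is the same class of gap this commit closes for the built-in curves. Since wc_ecc_is_point(ecp, a, b, prime) now appears to be compiled independently of HAVE_ECC_CHECK_PUBKEY_ORDER (the gate moves below it in the hunk at -10147), the custom-curve case could read Af, Bf and prime from key->dp with mp_read_radix — as the removed _ecc_validate_public_key code did for Bf — and call it, as sketched below (small-stack handling and error reporting left to the author). The `#if` that opens this block also leaves WOLFSSL_CRYPTOCELL and WOLF_CRYPTO_CB_ONLY_ECC builds without the check; if the hardware is trusted to validate there, a comment saying so would save the next reader the question. The SP and non-SP SM2 retries pass different sizes to wc_ecc_set_curve (`key->dp->size` vs `WOLFSSL_SM2_KEY_BITS / 8`); presumably equal, but one spelling would be clearer, and the stray blank line added in wc_ecc_shared_secret (hunk at -4762) looks like noise. wc_ecc_import_x963_ex2 starts and ends outside the hunk.
```c
/* … unchanged: point-at-infinity check … */
if ((err == MP_OKAY) && (key->idx != ECC_CUSTOM_IDX)) {
    /* … unchanged: SP / wc_ecc_point_is_on_curve paths for built-in curves … */
}
else if (err == MP_OKAY) {
    /* Custom curve: there is no curve index, so check y^2 = x^3 + ax + b
     * directly against the caller-supplied parameters. */
    mp_int a, b, prime;
    err = mp_init_multi(&a, &b, &prime, NULL, NULL, NULL);
    if (err == MP_OKAY) {
        err = mp_read_radix(&a, key->dp->Af, MP_RADIX_HEX);
        if (err == MP_OKAY)
            err = mp_read_radix(&b, key->dp->Bf, MP_RADIX_HEX);
        if (err == MP_OKAY)
            err = mp_read_radix(&prime, key->dp->prime, MP_RADIX_HEX);
        if (err == MP_OKAY)
            err = wc_ecc_is_point(&key->pubkey, &a, &b, &prime);
        mp_clear(&prime);
        mp_clear(&b);
        mp_clear(&a);
    }
}
```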

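--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -38221,6 +38221,7 @@ static wc_test_ret_t ecc_encrypt_e2e_test(WC_RNG* rng, ecc_key* userA, ecc_key*
 
 #ifdef WOLFSSL_ECIES_OLD
 tmpKey->dp = userA->dp;
+tmpKey->idx = userA->idx;
 ret = wc_ecc_copy_point(&userA->pubkey, &tmpKey->pubkey);
 if (ret != 0) {
 ret = WC_TEST_RET_ENC_EC(ret); goto done;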
