cb16f17b36
Currently we only check that the underlying EC_METHODs match, which avoids the points being in different forms, but not that the points are on the same curves. (We fixed the APIs early on so off-curve EC_POINTs cannot be created.) In particular, this comes up with folks implementing Java's crypto APIs with ECDH_compute_key. These APIs are both unfortunate and should not be mimicked, as they allow folks to mismatch the groups on the two multiple EC_POINTs. Instead, ECDH APIs should take the public value as a byte string. Thanks also to Java's poor crypto APIs, we must support custom curves, which makes this particularly gnarly. This CL makes EC_GROUP_cmp work with custom curves and adds an additional subtle requirement to EC_GROUP_set_generator. Annoyingly, this change is additionally subtle because we now have a reference cycle to hack around.

Change-Id: I2efbc4bd5cb65fee5f66527bd6ccad6b9d5120b9
Reviewed-on: https://boringssl-review.googlesource.com/22245
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
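The failure mode the commit message describes, two EC_POINTs that share an arithmetic method but live on different curves being fed to ECDH, is easiest to see on a toy curve. The following is an added illustration, not BoringSSL code: a minimal short-Weierstrass group over GF(97) with constructed parameters (CURVE_A and CURVE_B differ only in the coefficient b), a `groups_equal` check standing in for what EC_GROUP_cmp must compare (field, coefficients, generator, order) rather than just the method, and an `ecdh_compute_key` that refuses a peer key from another group. All names and parameters here are hypothetical.

```python
# Added example (not BoringSSL code): toy short-Weierstrass curves over a small
# prime field, showing why an ECDH API must verify that the peer's point lies
# on the *same* group as the private key, not merely that both groups use the
# same arithmetic method. Curve parameters are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


@dataclass(frozen=True)
class Group:
    """Curve y^2 = x^3 + a*x + b over GF(p) with generator (gx, gy)."""
    p: int
    a: int
    b: int
    gx: int
    gy: int

    def __post_init__(self):
        # Like EC_GROUP_set_generator: refuse a generator that is off-curve.
        if not self.on_curve((self.gx, self.gy)):
            raise ValueError("generator is not on the curve")

    def on_curve(self, pt: Point) -> bool:
        if pt is None:
            return True
        x, y = pt
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) = infinity (also covers doubling with y = 0)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        # Plain double-and-add; not constant time, which is fine for a toy.
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self) -> int:
        # Brute-force order of the generator; only viable at toy sizes.
        n, R = 1, (self.gx, self.gy)
        while R is not None:
            R = self.add(R, (self.gx, self.gy))
            n += 1
        return n


def groups_equal(g1: Group, g2: Group) -> bool:
    """What an EC_GROUP comparison has to cover: field, coefficients,
    generator and order. Comparing only the arithmetic method is not enough."""
    return (g1.p, g1.a, g1.b, g1.gx, g1.gy, g1.order()) == \
           (g2.p, g2.a, g2.b, g2.gx, g2.gy, g2.order())


@dataclass(frozen=True)
class PublicKey:
    group: Group
    point: Tuple[int, int]


def ecdh_compute_key(priv: int, group: Group, peer: PublicKey) -> int:
    """Return the shared x-coordinate, refusing a peer key from another group."""
    if not groups_equal(group, peer.group):
        raise ValueError("peer key is on a different EC_GROUP")
    if not group.on_curve(peer.point):
        raise ValueError("peer point is not on the curve")
    shared = group.mul(priv, peer.point)
    if shared is None:
        raise ValueError("shared point is at infinity")
    return shared[0]


# Constructed toy parameters, not real curves. Same field and a, different b.
CURVE_A = Group(p=97, a=2, b=3, gx=3, gy=6)   # generator (3, 6) has order 5
CURVE_B = Group(p=97, a=2, b=4, gx=0, gy=2)


def demo() -> Tuple[int, str]:
    alice_priv, bob_priv = 2, 3
    G = (CURVE_A.gx, CURVE_A.gy)
    alice_pub = PublicKey(CURVE_A, CURVE_A.mul(alice_priv, G))
    bob_pub = PublicKey(CURVE_A, CURVE_A.mul(bob_priv, G))
    k1 = ecdh_compute_key(alice_priv, CURVE_A, bob_pub)
    k2 = ecdh_compute_key(bob_priv, CURVE_A, alice_pub)
    assert k1 == k2
    # Same method (prime-field arithmetic), different curve: must be rejected.
    rogue = PublicKey(CURVE_B, (0, 2))
    try:
        ecdh_compute_key(alice_priv, CURVE_A, rogue)
    except ValueError as e:
        return k1, str(e)
    return k1, "not rejected"


if __name__ == "__main__":
    print(demo())
```

Because the generator of CURVE_A has order 5, the shared point for private scalars 2 and 3 is 6G = G, so both sides derive x = 3; the point (0, 2) is valid on CURVE_B but fails both the group comparison and the on-curve check for CURVE_A, which is exactly the case an EC_METHOD-only comparison would have let through.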