From 06f2a4989b4bcd415451aa06cb1c734a71d293ce Mon Sep 17 00:00:00 2001
From: qmuntal
Date: Mon, 25 Nov 2024 20:55:11 +0100
Subject: [PATCH] add ECDH key validations for OpenSSL 3
---
 ecdh.go | 15 ++++++++++++++-
 shims.h | 2 ++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ecdh.go b/ecdh.go
index 9d4d8dbd..1cf02318 100644
--- a/ecdh.go
+++ b/ecdh.go
@@ -205,7 +205,20 @@ func newECDHPkey3(nid C.int, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, e
 return nil, err
 }
 defer C.go_openssl_OSSL_PARAM_free(params)
- return newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
+ pkey, err := newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
+ if err != nil {
+ return nil, err
+ }
+ if isPrivate {
+ if C.go_openssl_EVP_PKEY_private_check(pkey) != 1 {
+ return nil, errors.New("crypto/ecdh: invalid private key")
+ }
+ } else {
+ if C.go_openssl_EVP_PKEY_public_check_quick(pkey) != 1 {
+ return nil, errors.New("crypto/ecdh: invalid public key")
+ }
+ }
+ return pkey, nil
 }
 
 func pointMult(group C.GO_EC_GROUP_PTR, priv C.GO_BIGNUM_PTR) (C.GO_EC_POINT_PTR, error) {
diff --git a/shims.h b/shims.h
index 003f3cef..e4381754 100644
--- a/shims.h
+++ b/shims.h
@@ -310,6 +310,8 @@ DEFINEFUNC(int, EVP_PKEY_sign, (GO_EVP_PKEY_CTX_PTR arg0, unsigned char *arg1, s
 DEFINEFUNC(int, EVP_PKEY_derive_init, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
 DEFINEFUNC(int, EVP_PKEY_derive_set_peer, (GO_EVP_PKEY_CTX_PTR ctx, GO_EVP_PKEY_PTR peer), (ctx, peer)) \
 DEFINEFUNC(int, EVP_PKEY_derive, (GO_EVP_PKEY_CTX_PTR ctx, unsigned char *key, size_t *keylen), (ctx, key, keylen)) \
+DEFINEFUNC(int, EVP_PKEY_public_check_quick, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC(int, EVP_PKEY_private_check, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
 DEFINEFUNC_LEGACY_1_0(void*, EVP_PKEY_get0, (GO_EVP_PKEY_PTR pkey), (pkey)) \
 DEFINEFUNC_LEGACY_1_1(GO_EC_KEY_PTR, EVP_PKEY_get0_EC_KEY, (GO_EVP_PKEY_PTR pkey), (pkey)) \
 DEFINEFUNC_LEGACY_1_1(GO_DSA_PTR, EVP_PKEY_get0_DSA, (GO_EVP_PKEY_PTR pkey), (pkey)) \
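Review bot: Both new check calls in newECDHPkey3 pass `pkey`, but the shims added in shims.h by this same commit declare `EVP_PKEY_private_check` and `EVP_PKEY_public_check_quick` as taking a `GO_EVP_PKEY_CTX_PTR`, matching OpenSSL's `EVP_PKEY_CTX *` parameter. The code presumably compiles only because both pointer typedefs resolve to the same underlying type, so the library would be handed a key object where it expects a context. Separately, both rejection paths return without releasing `pkey`, so every invalid key leaks an EVP_PKEY; for peer-supplied public keys that is unbounded memory growth. The sketch below assumes the package's existing `EVP_PKEY_CTX_new`, `EVP_PKEY_CTX_free` and `EVP_PKEY_free` shims. The function starts outside this hunk.

```go
pkey, err := newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
// … unchanged: err check …
// The check functions operate on a context bound to the key, not on the key itself.
ctx := C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
if ctx == nil {
	C.go_openssl_EVP_PKEY_free(pkey)
	return nil, errors.New("crypto/ecdh: cannot create key check context")
}
defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
var valid bool
if isPrivate {
	valid = C.go_openssl_EVP_PKEY_private_check(ctx) == 1
} else {
	valid = C.go_openssl_EVP_PKEY_public_check_quick(ctx) == 1
}
if !valid {
	// Release the key on rejection so repeated invalid inputs do not accumulate EVP_PKEY objects.
	C.go_openssl_EVP_PKEY_free(pkey)
	if isPrivate {
		return nil, errors.New("crypto/ecdh: invalid private key")
	}
	return nil, errors.New("crypto/ecdh: invalid public key")
}
return pkey, nil
```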
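Review bot: The two added entries use the unconditional `DEFINEFUNC`, yet `EVP_PKEY_public_check_quick` and `EVP_PKEY_private_check` were introduced in OpenSSL 3.0 and the only caller in this commit is the OpenSSL 3 path. If plain `DEFINEFUNC` symbols are resolved as mandatory at load time (the neighbouring `DEFINEFUNC_LEGACY_1_0` and `DEFINEFUNC_LEGACY_1_1` entries suggest symbols are scoped by version), loading against 1.0.x or 1.1.x would fail on the missing symbols. Scoping them with the header's 3.0 macro avoids that: `DEFINEFUNC_3_0(int, EVP_PKEY_public_check_quick, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \` and `DEFINEFUNC_3_0(int, EVP_PKEY_private_check, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \`. The macro list continues outside the hunk on both sides.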