On Wed, 11 Nov 2020 at 14:14, Nicola Tuveri <[email protected]> wrote:
> In particular in 1.1.1, the key created as depicted in #12612 that
> triggered this discussion (Matt posted a useful reproducer among the
> first comments), is indeed capable of signing in the used pattern, but
> the pattern is conveniently omitting the validation pass that should
> be required in any serious use of the API.
>

The private key is a random or pseudo-random 256-bit integer. How do you
propose to "validate" that?

> `EVP_PKEY_check()`
> (https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_check.html) is
> one of the many places in 1.1.1 where both the documentation and the
> behavior assume that an `EVP_PKEY` object is a keypair.
> Even in the version used by the user that posted the issue, running
> `EVP_PKEY_check()` on the created key would have revealed that the
> user was abusing the API.
>

I was not "abusing the API" as you put it, merely pointing out that the
public key is not a required item for performing ECDSA signature
generation. This is a mathematical fact of life that you are going to
have to learn to live with.

> >8
>
> Omitting the `EVP_PKEY_check()` in the reproducer and the user
> application, would for example allow me to write a DoS attack: the
> secret scalar could easily be hand-picked to trigger an endless loop
> in the sign operation.
>

Nonsense. Each iteration involves a new PRN, which by definition you
cannot predict.

--RWF

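The following is an added illustration of the two points argued in the message above; it is not part of the thread and not OpenSSL code. It implements textbook ECDSA over NIST P-256 in plain Python (affine arithmetic, standard domain parameters) to show concretely that (a) signing needs only the secret scalar d, since the public point Q = dG can always be recomputed from it, (b) "validating" a bare private scalar amounts to the range check 1 <= d < n, while a keypair check additionally confirms Q is on the curve and equals dG, and (c) the retry loop in signing draws a fresh random k on every pass, so the exit condition does not depend on d alone. Function names and the sample key value are constructed for this example; the curve constants are the public P-256 parameters.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (public standard values, not from the thread).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Points are (x, y) tuples; None is the point at infinity.

def on_curve(Q):
    """True if Q is a finite point satisfying y^2 = x^3 + ax + b (mod p)."""
    if Q is None:
        return False
    x, y = Q
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def point_add(P1, P2):
    """Affine point addition / doubling on P-256."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # P1 == -P2
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k, Q):
    """Double-and-add scalar multiplication k*Q (not constant-time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, Q)
        Q = point_add(Q, Q)
        k >>= 1
    return R

def validate_private_scalar(d):
    """The only check a bare private scalar admits: it must lie in [1, n-1]."""
    return isinstance(d, int) and 1 <= d < N

def derive_public(d):
    """The public point is a function of d; no separate input is needed to sign."""
    return scalar_mult(d, G)

def validate_keypair(d, Q):
    """What a keypair check (as opposed to a scalar check) establishes:
    Q is a valid point of order n and it matches d."""
    return validate_private_scalar(d) and on_curve(Q) \
        and scalar_mult(N, Q) is None and derive_public(d) == Q

def _hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, msg):
    """ECDSA signing using only the private scalar d."""
    e = _hash_to_int(msg)
    while True:
        # A fresh random nonce is drawn on every retry, so whether the
        # loop exits is decided by k, not by a fixed property of d.
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * d) % N
        if s == 0:
            continue
        return (r, s)

def verify(Q, msg, sig):
    """ECDSA verification, including public-key validation of Q."""
    r, s = sig
    if not on_curve(Q) or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    e = _hash_to_int(msg)
    X = point_add(scalar_mult(e * w % N, G), scalar_mult(r * w % N, Q))
    return X is not None and X[0] % N == r

if __name__ == "__main__":
    d = int("0123456789abcdef" * 4, 16)     # constructed sample scalar, < n
    Q = derive_public(d)
    sig = sign(d, b"constructed message")
    print("scalar valid:", validate_private_scalar(d))
    print("keypair valid:", validate_keypair(d, Q))
    print("signature verifies:", verify(Q, b"constructed message", sig))
```

Run it as a script; it signs with d alone, derives Q afterwards, and verifies. The scalar check and the keypair check are deliberately separate functions to make the distinction in the thread explicit: the former is all that can be said about a 256-bit integer in isolation, the latter is what a keypair-oriented API check adds.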