From 4e545c6a256fb1ab08cc5a3aabb00963dac3191b Mon Sep 17 00:00:00 2001 From: Nicola Tuveri Date: Thu, 10 Oct 2019 20:30:58 +0300 Subject: [PATCH] [ec_asn1.c] Avoid injecting seed when built-in matches An unintended consequence of https://github.com/openssl/openssl/pull/9808 is that when an explicit parameters curve is matched against one of the well-known builtin curves we automatically inherit also the associated seed parameter, even if the input parameters excluded such parameter. This later affects the serialization of such parsed keys, causing their input DER encoding and output DER encoding to differ due to the additional optional field. This does not cause problems internally but could affect external applications, as reported in https://github.com/openssl/openssl/pull/9811#issuecomment-536153288 This commit fixes the issue by conditionally clearing the seed field if the original input parameters did not include it. Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/10141) --- crypto/ec/ec_asn1.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 865130f67e..30b3ebfbe0 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -973,6 +973,20 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params) * 0x0 = OPENSSL_EC_EXPLICIT_CURVE */ EC_GROUP_set_asn1_flag(ret, 0x0); + + /* + * If the input params do not contain the optional seed field we make + * sure it is not added to the returned group. + * + * The seed field is not really used inside libcrypto anyway, and + * adding it to parsed explicit parameter keys would alter their DER + * encoding output (because of the extra field) which could impact + * applications fingerprinting keys by their DER encoding. + */ + if (params->curve->seed == NULL) { + if (EC_GROUP_set_seed(ret, NULL, 0) != 1) + goto err; + } } ok = 1; -- 2.25.1