diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2015-10-28 23:18:43 -0400 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2015-10-28 23:18:43 -0400 |
| commit | eb5e0ae4c3f97925ba9787fa1b6a30b7b68b5056 (patch) | |
| tree | e9debfe136011dd17547b674060876824ff6b661 | |
| parent | 46a07705f1b9b6a4228eb56620f394675d4612f3 (diff) | |
| download | cryptography-eb5e0ae4c3f97925ba9787fa1b6a30b7b68b5056.tar.gz cryptography-eb5e0ae4c3f97925ba9787fa1b6a30b7b68b5056.tar.bz2 cryptography-eb5e0ae4c3f97925ba9787fa1b6a30b7b68b5056.zip | |
Error cleanly if the public and private keys to an ECDH key exchange are on different curves
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 5 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_ec.py | 28 |
2 files changed, 32 insertions, 1 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index cfd559ae..16df37af 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -182,6 +182,11 @@ class _EllipticCurvePrivateKey(object): _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM ) + if type(peer_public_key.curve) is not type(self.curve): + raise ValueError( + "peer_public_key and self are not on the same curve" + ) + group = self._backend._lib.EC_KEY_get0_group(self._ec_key) z_len = (self._backend._lib.EC_GROUP_get_degree(group) + 7) // 8 self._backend.openssl_assert(z_len > 0) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index d420e9c9..d086e999 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -844,7 +844,7 @@ class TestECDSAVerification(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) -class TestECDHVectors(object): +class TestECDH(object): @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -916,3 +916,29 @@ class TestECDHVectors(object): exceptions._Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM ): key.exchange(None, key.public_key()) + + def test_exchange_non_matching_curve(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + _skip_curve_unsupported(backend, ec.SECP384R1()) + + key = load_vectors_from_file( + os.path.join( + "asymmetric", "PKCS8", "ec_private_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read().encode(), None, backend + ) + ) + public_key = ec.EllipticCurvePublicNumbers( + int( + "3411592940847846511444973873421894778212895963519463384397662" + "6983900466205627792914181900767401599528349662185720855" + ), + int( + "3632819834244394334395622140197408878581471655319641017478501" + "4862750487889436098934993486739984469019130932307943998" + ), + ec.SECP384R1(), + ).public_key(backend) + + with pytest.raises(ValueError): + key.exchange(ec.ECDH(), public_key) |