From eccf37f6fe6b3af4c75ac6f2f432947c858fddcb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 19 Oct 2014 17:52:02 -0700 Subject: Fixes #1416 -- replaced assertions with error checking in EC key from numbers. Includes tests. --- cryptography/hazmat/backends/openssl/backend.py | 7 +++++-- tests/hazmat/primitives/test_ec.py | 22 ++++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 567f1648..f1cf908a 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -1005,8 +1005,11 @@ class Backend(object): res = get_func(group, point, check_x, check_y, bn_ctx) assert res == 1 - assert self._lib.BN_cmp(bn_x, check_x) == 0 - assert self._lib.BN_cmp(bn_y, check_y) == 0 + if self._lib.BN_cmp(bn_x, check_x) != 0: + raise ValueError("Invalid EC key.") + + if self._lib.BN_cmp(bn_y, check_y) != 0: + raise ValueError("Invalid EC key.") res = self._lib.EC_KEY_set_public_key(ctx, point) assert res == 1 diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 887520de..1b3bb9b3 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -274,6 +274,28 @@ class TestECDSAVectors(object): with pytest.raises(ValueError): numbers.private_key(backend) + numbers = ec.EllipticCurvePrivateNumbers( + 357646505660320080863666618182642070958081774038609089496899025506, + ec.EllipticCurvePublicNumbers( + -4725080841032702313157360200834589492768638177232556118553296, + 1120253292479243545483756778742719537373113335231773536789915, + ec.SECP256R1(), + ) + ) + with pytest.raises(ValueError): + numbers.private_key(backend) + + numbers = ec.EllipticCurvePrivateNumbers( + 357646505660320080863666618182642070958081774038609089496899025506, + ec.EllipticCurvePublicNumbers( + 47250808410327023131573602008345894927686381772325561185532964, + -1120253292479243545483756778742719537373113335231773536789915, + ec.SECP256R1(), + ) + ) + with pytest.raises(ValueError): + numbers.private_key(backend) + @pytest.mark.parametrize( "vector", load_vectors_from_file( -- cgit v1.2.3 From b796621b2888f8573bfd42ed895c03667e3d5cb8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 19 Oct 2014 18:42:01 -0700 Subject: Do these checks in pure python eagerly. We get errors in different places, depending on py2k vs. py3k if we don't. --- cryptography/hazmat/backends/openssl/backend.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index f1cf908a..bb1a3f3d 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -984,6 +984,11 @@ class Backend(object): values. """ + if x < 0 or y < 0: + raise ValueError( + "Invalid EC key. Both x and y must be non-negative." + ) + bn_x = self._int_to_bn(x) bn_y = self._int_to_bn(y) @@ -1005,11 +1010,8 @@ class Backend(object): res = get_func(group, point, check_x, check_y, bn_ctx) assert res == 1 - if self._lib.BN_cmp(bn_x, check_x) != 0: - raise ValueError("Invalid EC key.") - - if self._lib.BN_cmp(bn_y, check_y) != 0: - raise ValueError("Invalid EC key.") + assert self._lib.BN_cmp(bn_x, check_x) == 0 + assert self._lib.BN_cmp(bn_y, check_y) == 0 res = self._lib.EC_KEY_set_public_key(ctx, point) assert res == 1 -- cgit v1.2.3