Fix ECC validation regression

Author: Frauschi

tests/api/test_ecc.c

@@ -772,6 +772,71 @@ int test_wc_ecc_import_x963(void)
     return EXPECT_RESULT();
 } /* END wc_ecc_import_x963 */
 
+/*
+ * testing wc_ecc_import_x963() rejects an off-curve public point.
+ *
+ * Regression coverage for the invalid-curve attack: the legacy wrapper
+ * wc_ecc_import_x963_ex must pass untrusted=1 to wc_ecc_import_x963_ex2
+ * so that ECIES, PKCS#7 KARI, and EVP ECDH callers validate that the
+ * imported point actually lies on the curve. Without that, an attacker
+ * can feed a point from a weak twist and leak the victim's private
+ * scalar modulo small primes (Biehl-Meyer-Müller).
+ */
+int test_wc_ecc_import_x963_off_curve(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_IMPORT) && \
+    defined(HAVE_ECC_KEY_EXPORT) && !defined(WC_NO_RNG) && \
+    !defined(NO_ECC256) && !defined(NO_ECC_SECP)
+    ecc_key key;
+    ecc_key pubKey;
+    WC_RNG  rng;
+    byte    x963[ECC_ASN963_MAX_BUF_SZ];
+    word32  x963Len = (word32)sizeof(x963);
+    int     ret;
+
+    XMEMSET(&key, 0, sizeof(ecc_key));
+    XMEMSET(&pubKey, 0, sizeof(ecc_key));
+    XMEMSET(&rng, 0, sizeof(WC_RNG));
+    XMEMSET(x963, 0, x963Len);
+
+    ExpectIntEQ(wc_ecc_init(&key), 0);
+    ExpectIntEQ(wc_ecc_init(&pubKey), 0);
+    ExpectIntEQ(wc_InitRng(&rng), 0);
+
+    /* Generate a valid P-256 key pair and export in X9.63 format. */
+    ret = wc_ecc_make_key_ex(&rng, 32, &key, ECC_SECP256R1);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    ExpectIntEQ(ret, 0);
+
+    PRIVATE_KEY_UNLOCK();
+    ExpectIntEQ(wc_ecc_export_x963(&key, x963, &x963Len), 0);
+    PRIVATE_KEY_LOCK();
+
+    /* X9.63 uncompressed form is 0x04 || X || Y. Flipping a single bit
+     * in Y yields a point that is no longer on the curve with
+     * overwhelming probability. */
+    ExpectIntEQ(x963Len, 1 + 2 * 32);
+    if (x963Len == 1 + 2 * 32) {
+        x963[x963Len - 1] ^= 0x01;
+    }
+
+    /* Importing an off-curve point must fail. */
+    ExpectIntNE(wc_ecc_import_x963(x963, x963Len, &pubKey), 0);
+
+    DoExpectIntEQ(wc_FreeRng(&rng), 0);
+    wc_ecc_free(&pubKey);
+    wc_ecc_free(&key);
+
+#ifdef FP_ECC
+    wc_ecc_fp_free();
+#endif
+#endif
+    return EXPECT_RESULT();
+} /* END test_wc_ecc_import_x963_off_curve */
+
 /*
  * testing wc_ecc_import_private_key()
  */

tests/api/test_ecc.h

@@ -39,6 +39,7 @@ int test_wc_ecc_shared_secret(void);
 int test_wc_ecc_export_x963(void);
 int test_wc_ecc_export_x963_ex(void);
 int test_wc_ecc_import_x963(void);
+int test_wc_ecc_import_x963_off_curve(void);
 int test_wc_ecc_import_private_key(void);
 int test_wc_ecc_export_private_only(void);
 int test_wc_ecc_rs_to_sig(void);
@@ -76,6 +77,7 @@ int test_wc_EccPrivateKeyToDer(void);
     TEST_DECL_GROUP("ecc", test_wc_ecc_export_x963),                    \
     TEST_DECL_GROUP("ecc", test_wc_ecc_export_x963_ex),                 \
     TEST_DECL_GROUP("ecc", test_wc_ecc_import_x963),                    \
+    TEST_DECL_GROUP("ecc", test_wc_ecc_import_x963_off_curve),          \
     TEST_DECL_GROUP("ecc", test_wc_ecc_import_private_key),             \
     TEST_DECL_GROUP("ecc", test_wc_ecc_export_private_only),            \
     TEST_DECL_GROUP("ecc", test_wc_ecc_rs_to_sig),                      \

wolfcrypt/src/ecc.c

@@ -11217,7 +11217,8 @@ int wc_ecc_import_x963_ex2(const byte* in, word32 inLen, ecc_key* key,
 int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key,
                           int curve_id)
 {
-    return wc_ecc_import_x963_ex2(in, inLen, key, curve_id, 0);
+    /* treat as untrusted: validate the point is on the curve */
+    return wc_ecc_import_x963_ex2(in, inLen, key, curve_id, 1);
 }
 
 WOLFSSL_ABI