From 8402cd5f75f8c2f60d8bd39775b24b03dd8b3b38 Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Thu, 21 Mar 2019 20:09:02 +1000
Subject: added code to validate EC named curve parameters

Reviewed-by: Nicola Tuveri
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/8555)
---
 apps/ecparam.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

(limited to 'apps')

diff --git a/apps/ecparam.c b/apps/ecparam.c
index 24fda049b7..0c893a3977 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -30,7 +30,7 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
     OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
-    OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE,
+    OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
     OPT_R_ENUM
 } OPTION_CHOICE;
 
@@ -43,6 +43,8 @@ const OPTIONS ecparam_options[] = {
     {"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
     {"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
     {"check", OPT_CHECK, '-', "Validate the ec parameters"},
+    {"check_named", OPT_CHECK_NAMED, '-',
+     "Check that named EC curve parameters have not been modified"},
     {"list_curves", OPT_LIST_CURVES, '-',
      "Prints a list of all curve 'short names'"},
     {"no_seed", OPT_NO_SEED, '-',
@@ -90,7 +92,7 @@ int ecparam_main(int argc, char **argv)
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
     int ret = 1, private = 0;
     int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
-    int text = 0, i, genkey = 0;
+    int text = 0, i, genkey = 0, check_named = 0;
 
     prog = opt_init(argc, argv, ecparam_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -127,6 +129,9 @@ int ecparam_main(int argc, char **argv)
         case OPT_CHECK:
             check = 1;
             break;
+        case OPT_CHECK_NAMED:
+            check_named = 1;
+            break;
         case OPT_LIST_CURVES:
             list_curves = 1;
             break;
@@ -266,6 +271,16 @@ int ecparam_main(int argc, char **argv)
             goto end;
     }
 
+    if (check_named) {
+        BIO_printf(bio_err, "validating named elliptic curve parameters: ");
+        if (EC_GROUP_check_named_curve(group, 0) <= 0) {
+            BIO_printf(bio_err, "failed\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
+        BIO_printf(bio_err, "ok\n");
+    }
+
     if (check) {
         BIO_printf(bio_err, "checking elliptic curve parameters: ");
         if (!EC_GROUP_check(group, NULL)) {
-- 
cgit v1.2.3
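Review bot: The failure branch guarded by `EC_GROUP_check_named_curve(group, 0) <= 0` folds two different outcomes into one bare "failed": per the function's documentation it returns the matching curve NID on success, 0 when the parameters match no built-in named curve, and a negative value on an internal error, and only the error case leaves anything on the error queue for `ERR_print_errors` to print, so the case the option exists for — parameters that were tampered with — produces no explanation. Capturing the result lets the tool say what it found, e.g. `int nid = EC_GROUP_check_named_curve(group, 0);` followed by `if (nid == 0) BIO_printf(bio_err, "failed: parameters match no named curve\n");` and, on success, `BIO_printf(bio_err, "ok (%s)\n", OBJ_nid2sn(nid));`. It is also worth a one-line comment above the block noting that the comparison is against `group` as it stands at this point, after any earlier option handling in the function has modified it, so the result describes the parameters that will actually be written out (I infer the ordering from the line numbers; the preceding code is outside the hunk). `ecparam_main` begins and ends outside the hunk.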