Added helper to initialize EC key using affine coordinates

[igus68]

This PR implements an alternative approach to providing initialisation of an EC public key from its affine coordinates:
it adds the function which converts the affine coordinates of an EC point to an octet string conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard. This octet string can further be passed to the OSSL_PARAM_BLD_push_octet_string() function.

Fixes #16270

Additionally, it fixes the null pointer dereference in the EVP_EC_gen macro and adds explicit handling of the situation when NULL is passed to EVP_PKEY_Q_keygen() instead of the curve name.

Checklist

• documentation is added or updated
• tests are added or updated

[t8m]

Please move this to evp.h

And I would move the EVP_EC_gen() there as well.

[igus68]

Done

[t8m]

Nit: please use lowercase for x and y.

[igus68]

Done

[t8m]

I would move this and EVP_EC_gen() to a separate manual page.

[igus68]

Done

[t8m]

You will need to move this into another file (a new one?) in crypto/evp

[igus68]

crypto/evp/ec_support.c looks to be a proper one. Moved.

[slontis]

@aisle-analyzer

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 2 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	Integer overflow and potential buffer overflow in EVP_EC_affine2oct() via unchecked field_len
2	🔵 Low	NULL pointer dereference in public EVP_EC_gen() macro via strstr(curve, "")

Each finding is detailed in a separate comment below.

---

Analyzed PR: #30597 at commit 685c1cc

_{Last updated on: 2026-04-09T22:21:46Z}

[aisle-research-bot]

2. 🔵 NULL pointer dereference in public EVP_EC_gen() macro via strstr(curve, "")

Property	Value
Severity	Low
CWE	CWE-476

Description

The public macro EVP_EC_gen(curve) expands to a call that unconditionally evaluates strstr(curve, ""):

• If a caller passes curve == NULL (e.g., from language bindings or application code that propagates optional/unchecked inputs), strstr(NULL, "") dereferences a NULL pointer and will crash the process.
• This is reachable before OpenSSL can raise an error, because the crash happens during macro argument evaluation.
• The macro also casts away const ((char *)), which can encourage UB if EVP_PKEY_Q_keygen or downstream code ever attempted to modify the string.

Vulnerable code:

#define EVP_EC_gen(curve) \
    EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)(strstr(curve, "")))

While passing NULL may be considered API misuse, OpenSSL APIs commonly handle NULL parameters by returning errors. Here it results in an immediate application-level denial of service.

Recommendation

Replace the macro with a real function (or an inline function) that validates inputs before calling the variadic API.

Example (header):

static ossl_inline EVP_PKEY *EVP_EC_gen(const char *curve)
{
    if (curve == NULL) {
        ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
        return NULL;
    }
    return EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)curve);
}

If you must keep the macro for ABI/API reasons, avoid evaluating curve inside strstr() and avoid discarding const; at minimum guard against NULL:

#define EVP_EC_gen(curve) \
    EVP_PKEY_Q_keygen(NULL, NULL, "EC", (char *)((curve) != NULL ? (curve) : ""))

(Prefer the function form so NULL can produce a proper OpenSSL error rather than silently using an empty string.)

_{Last updated on: 2026-04-09T22:21:48Z}

[slontis]

Just 2026 maybe?

[igus68]

Description of EVP_EC_gen() is not new, it was moved from EC_KEY_new.pod
I'm not sure what the copyright dates should be in this case.

[igus68]

In practice, overflow is impossible here because field_len is a signed int and the result is converted to size_t, so the result will always be correct. But I agree that from the perspective of the formal specification it is undefined behaviour. So I added an explicit cast of field_len to size_t.

[igus68]

I spent a considerable amount of time finding out why this strange construction "(char *)(strstr(curve, ""))" is necessary in the EVP_EC_gen macro, so I described it in a comment for future generations. And I fixed this NULL dereference

[mattcaswell]

Should field_len really be a size_t? I'm not sure why we should be accepting a signed type here.

[igus68]

We use int for lengths in other functions:
int BN_num_bytes(const BIGNUM *a);
int EC_GROUP_get_degree(const EC_GROUP *group);
BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
etc

[mattcaswell]

Yes, we do. I think those were a bad idea too. No need to make the hole bigger since this is a completely new API.

[igus68]

If we are starting a new life, what type is best here? Although field_len is technically used to determine the size of allocated memory, logically it's a mathematical group parameter that has nothing to do with memory or addressing. Therefore, I'd rather use an unsigned int.

[mattcaswell]

Personally I still think a size_t is most appropriate for lengths and sizes of things. It is ultimately used to determine the amount of memory to allocate.

[igus68]

As agreed, changed to size_t.

[mattcaswell]

What are OSSL_PARAM_BLD_push_EC_affine_point are OSSL_PARAM_BLD_push_EC_affine_point_ex? From an earlier iteration of this PR?

[igus68]

Yes, you are right. Fixed.

[mattcaswell]

Suggested change

	* Added `EVP_EC_affine2oct()` converts affine coordinates of an EC point
	* Added `EVP_EC_affine2oct()` that converts the affine coordinates of an EC point

[igus68]

Fixed

[t8m]

@igus68 this needs a rebase

[igus68]

@igus68 this needs a rebase
Done

[t8m]

ping @slontis @mattcaswell for second review

[mattcaswell]

LGTM. One minor suggested improvement below.

[mattcaswell]

Suggested change

	them call EVP_EC_affine2oct() to convert affine coordinates to
	them call L<EVP_EC_affine2oct(3)> to convert affine coordinates to

[openssl-machine]

This pull request is ready to merge

[t8m]

Merged to the master branch with tweaked commit messages.

Thank you.