RustCrypto Elliptic Curves SM2 PKE Decryption Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the SM2 Public Key Encryption (PKE) decryption process of the RustCrypto Elliptic Curves library, specifically in versions 0.14.0-pre.0 and 0.14.0-rc.0. The issue arises when an invalid elliptic curve point (C1) is decoded and the resulting value is unwrapped without proper validation. Although the coordinates may be syntactically correct, they can fail to lie on the SM2 curve, leading to a panic when the code attempts to unwrap the result. This vulnerability can be exploited by crafting a ciphertext that includes an invalid C1 point, causing the decryption process to crash.

Impact

Exploitation of this vulnerability causes a panic in the decryption process, disrupting the executing thread or process. Any service that accepts ciphertext and decrypts it with the affected library is exposed to this denial-of-service condition, which can lead to a crash or similar interruption.

Reproduction

The vulnerability can be reproduced by using the `DecryptingKey::decrypt_der` method with an ASN.1 DER `Cipher` structure that contains an invalid C1 point. This can be done by setting the X and Y coordinates to arbitrary 32-byte values that are valid in length but do not lie on the SM2 curve. When the `decrypt_der` method is called with this crafted input, the process will panic, demonstrating the denial-of-service condition.

Remediation

Users can update to the patched version of the library, which is available in the official GitHub repository. The patch replaces the `unwrap()` call with proper error handling, ensuring that invalid points are managed gracefully without causing a panic.
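
The bug pattern and the fix pattern side by side, as an added example that is not the RustCrypto code. A toy curve y^2 = x^3 + 2x + 3 over F_97 stands in for SM2, and `decode_c1`, `decrypt_unwrap`, `decrypt_checked` and `DecryptError` are hypothetical names; the sample coordinates are constructed.

```rust
use std::panic;

// Assumption: toy curve y^2 = x^3 + A*x + B over F_P, a stand-in for SM2.
const P: u64 = 97;
const A: u64 = 2;
const B: u64 = 3;

#[derive(Debug, PartialEq)]
struct Point { x: u64, y: u64 }

#[derive(Debug, PartialEq)]
enum DecryptError { InvalidPoint }

// Hypothetical decoder: in-range coordinates still yield None when off-curve.
fn decode_c1(x: u64, y: u64) -> Option<Point> {
    if x >= P || y >= P {
        return None;
    }
    let lhs = y * y % P;
    let rhs = (x * x % P * x + A * x + B) % P;
    if lhs == rhs { Some(Point { x, y }) } else { None }
}

// Pattern the advisory describes: unwrapping the decode result panics on bad input.
fn decrypt_unwrap(x: u64, y: u64) -> Point {
    decode_c1(x, y).unwrap()
}

// Pattern of the fix: an off-curve C1 becomes an error the caller can handle.
fn decrypt_checked(x: u64, y: u64) -> Result<Point, DecryptError> {
    decode_c1(x, y).ok_or(DecryptError::InvalidPoint)
}

// True when the unwrap-based path panics for the given coordinates.
fn unwrap_panics(x: u64, y: u64) -> bool {
    panic::catch_unwind(|| decrypt_unwrap(x, y)).is_err()
}

fn main() {
    // Constructed inputs: (3, 6) is on the toy curve, (3, 7) is not.
    println!("on-curve:  {:?}", decrypt_checked(3, 6));
    println!("off-curve: {:?}", decrypt_checked(3, 7));
    println!("unwrap panics on off-curve C1: {}", unwrap_panics(3, 7));
}
```

A regression test that feeds off-curve coordinates to the decryption entry point and asserts an error rather than a panic keeps the pattern from returning.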

Added: Jan 10, 2026, 6:22 AM
Updated: Jan 10, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.