Skip to content

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it (1.0.2) #9799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bbbrumley wants to merge 2 commits into from
Closed

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it (1.0.2) #9799

bbbrumley wants to merge 2 commits into from

Conversation

@bbbrumley
Copy link
Contributor

@bbbrumley bbbrumley commented Sep 7, 2019

Backport of #9727 to 1.0.2.

I still want to do some more testing, but it will have to wait until Sunday night. I thought I'd at least get the PR up for review.

@bbbrumley
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
c9992ec 
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547
mattcaswell
mattcaswell requested changes Sep 7, 2019
View reviewed changes
Copy link
Member

@mattcaswell mattcaswell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a CHANGES entry

@romen romen mentioned this pull request Sep 7, 2019
Closed
@romen romen added the branch: 1.0.2 Applies to OpenSSL_1_0_2-stable branch (EOL) label Sep 7, 2019
@romen romen self-assigned this Sep 7, 2019
romen
romen approved these changes Sep 7, 2019
View reviewed changes
Copy link
Member

@romen romen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

I also confirmed in gdb that the cofactor is correctly calculated and single point EC_POINT_mul() goes through ec_mul_consttime() as expected.

@romen
Copy link
Member

romen commented Sep 7, 2019

Needs a CHANGES entry

This has been fixed

@romen romen added the hold label Sep 7, 2019
@romen
Copy link
Member

romen commented Sep 7, 2019

I put the hold label just to remind us that @bbbrumley wanted to do more testing before merging.

@bbbrumley
Copy link
Contributor Author

bbbrumley commented Sep 8, 2019

Thanks @romen for cleaning up my PRs. Enjoy your vacation :)

I carved out some time this morning to finish testing this.

The "hack test" with the assert from the other PR went swell again. I also verified the codepath in gdb that it early exits to ladder. Basically confirming what @romen did above.

I wanted to still test manually with a few custom PEMs, since 1.0.2 doesn't have robust evp_test support. That testing also went swell.

So ... ready to go from my behalf.

@romen romen added approval: review pending This pull request needs review by a committer and removed hold labels Sep 8, 2019
@romen romen requested a review from mattcaswell September 9, 2019 00:12
This was referenced Sep 9, 2019
Closed
Closed
@mattcaswell mattcaswell added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Sep 9, 2019
@mattcaswell
Copy link
Member

mattcaswell commented Sep 9, 2019

Pushed. Thanks.

@mattcaswell mattcaswell closed this Sep 9, 2019
levitte pushed a commit that referenced this pull request Sep 9, 2019
@bbbrumley @mattcaswell
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it
21c856b 
The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #9799)
@dvandra dvandra mentioned this pull request Oct 3, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattcaswell mattcaswell mattcaswell approved these changes

+1 more reviewer

@romen romen romen approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@romen romen

Labels

approval: done This pull request has the required number of approvals branch: 1.0.2 Applies to OpenSSL_1_0_2-stable branch (EOL)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bbbrumley @romen @mattcaswell