From 30c22fa8b1d840036b8e203585738df62a03cec8 Mon Sep 17 00:00:00 2001

From: Billy Brumley <bbrumley@gmail.com>

Date: Thu, 5 Sep 2019 21:25:37 +0300

Subject: [PATCH] [crypto/ec] for ECC parameters with NULL or zero cofactor,

 compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA

mitigations for ECC currently use it. So the library currently falls

back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all

curves of cryptographic interest. Steering scalar multiplication to more

SCA-robust code.

This issue affects persisted private keys in explicit parameter form,

where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed

programatically with explicit parameters, then calling

EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to

local uarch attacks, outside of the OpenSSL threat model. New results

suggest the code path is also vulnerable to traditional wall clock

timing attacks.

CVE-2019-1547

Reviewed-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>

(Merged from https://github.com/openssl/openssl/pull/9781)

---

 crypto/ec/ec_lib.c | 103 ++++++++++++++++++++++++++++++++++++++++++---

 1 file changed, 96 insertions(+), 7 deletions(-)

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c

index 8cab5a5061..1289c8608e 100644

--- a/crypto/ec/ec_lib.c

+++ b/crypto/ec/ec_lib.c

@@ -265,6 +265,67 @@ int EC_METHOD_get_field_type(const EC_METHOD *meth)

 static int ec_precompute_mont_data(EC_GROUP *);

+/*-

+ * Try computing cofactor from the generator order (n) and field cardinality (q).

+ * This works for all curves of cryptographic interest.

+ *

+ * Hasse thm: q + 1 - 2*sqrt(q) <= n*h <= q + 1 + 2*sqrt(q)

+ * h_min = (q + 1 - 2*sqrt(q))/n

+ * h_max = (q + 1 + 2*sqrt(q))/n

+ * h_max - h_min = 4*sqrt(q)/n

+ * So if n > 4*sqrt(q) holds, there is only one possible value for h:

+ * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil

+ *

+ * Otherwise, zero cofactor and return success.

+ */

+static int ec_guess_cofactor(EC_GROUP *group) {

+    int ret = 0;

+    BN_CTX *ctx = NULL;

+    BIGNUM *q = NULL;

+

+    /*-

+     * If the cofactor is too large, we cannot guess it.

+     * The RHS of below is a strict overestimate of lg(4 * sqrt(q))

+     */

+    if (BN_num_bits(group->order) <= (BN_num_bits(group->field) + 1) / 2 + 3) {

+        /* default to 0 */

+        BN_zero(group->cofactor);

+        /* return success */

+        return 1;

+    }

+

+    if ((ctx = BN_CTX_new()) == NULL)

+        return 0;

+

+    BN_CTX_start(ctx);

+    if ((q = BN_CTX_get(ctx)) == NULL)

+        goto err;

+

+    /* set q = 2**m for binary fields; q = p otherwise */

+    if (group->meth->field_type == NID_X9_62_characteristic_two_field) {

+        BN_zero(q);

+        if (!BN_set_bit(q, BN_num_bits(group->field) - 1))

+            goto err;

+    } else {

+        if (!BN_copy(q, group->field))

+            goto err;

+    }

+

+    /* compute h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2)/n \rfloor */

+    if (!BN_rshift1(group->cofactor, group->order) /* n/2 */

+        || !BN_add(group->cofactor, group->cofactor, q) /* q + n/2 */

+        /* q + 1 + n/2 */

+        || !BN_add(group->cofactor, group->cofactor, BN_value_one())

+        /* (q + 1 + n/2)/n */

+        || !BN_div(group->cofactor, NULL, group->cofactor, group->order, ctx))

+        goto err;

+    ret = 1;

+ err:

+    BN_CTX_end(ctx);

+    BN_CTX_free(ctx);

+    return ret;

+}

+

 int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,

                            const BIGNUM *order, const BIGNUM *cofactor)

 {

@@ -273,6 +334,34 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,

         return 0;

     }

+    /* require group->field >= 1 */

+    if (group->field == NULL || BN_is_zero(group->field)

+        || BN_is_negative(group->field)) {

+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_FIELD);

+        return 0;

+    }

+

+    /*-

+     * - require order >= 1

+     * - enforce upper bound due to Hasse thm: order can be no more than one bit

+     *   longer than field cardinality

+     */

+    if (order == NULL || BN_is_zero(order) || BN_is_negative(order)

+        || BN_num_bits(order) > BN_num_bits(group->field) + 1) {

+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_INVALID_GROUP_ORDER);

+        return 0;

+    }

+

+    /*-

+     * Unfortunately the cofactor is an optional field in many standards.

+     * Internally, the lib uses 0 cofactor as a marker for "unknown cofactor".

+     * So accept cofactor == NULL or cofactor >= 0.

+     */

+    if (cofactor != NULL && BN_is_negative(cofactor)) {

+        ECerr(EC_F_EC_GROUP_SET_GENERATOR, EC_R_UNKNOWN_COFACTOR);

+        return 0;

+    }

+

     if (group->generator == NULL) {

         group->generator = EC_POINT_new(group);

         if (group->generator == NULL)

@@ -281,17 +370,17 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,

     if (!EC_POINT_copy(group->generator, generator))

         return 0;

-    if (order != NULL) {

-        if (!BN_copy(group->order, order))

-            return 0;

-    } else

-        BN_zero(group->order);

+    if (!BN_copy(group->order, order))

+        return 0;

-    if (cofactor != NULL) {

+    /* Either take the provided positive cofactor, or try to compute it */

+    if (cofactor != NULL && !BN_is_zero(cofactor)) {

         if (!BN_copy(group->cofactor, cofactor))

             return 0;

-    } else

+    } else if (!ec_guess_cofactor(group)) {

         BN_zero(group->cofactor);

+        return 0;

+    }

     /*

      * Some groups have an order with

-- 

2.20.1