-
-
Notifications
You must be signed in to change notification settings - Fork 10k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it (1.1.0) #9795
Conversation
The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved, assumed the CHANGES
entry is moved at the top if its section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved assuming the CHANGES nit is fixed.
…compute it Add CVE to CHANGES entry
…pute it The numeric error code for `EC_R_UNKNOWN_COFACTOR` should be `164` to maintain ABI compatibility between 1.1.0 and 1.1.1
I know @bbbrumley is busy until Sunday night, and I am authorized to apply changes to his PR for this level of triviality, so in the interest of expediting the review process in view of the upcoming release day, I took the liberty of pushing the required changes. |
I have also personally confirmed the manual "hack testing" done by @bbbrumley I will now proceed to merge |
The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #9795)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #9795)
Why does the CHANGES addition have to go at the top? Is chronology within a release important? After all, many more CHANGES entries are going to appear before the official release; does it matter if an entry is the 32nd or the 45th? |
I don't understand what disturbs you; isn't it common practice to add new CHANGES entries at the top? |
Every time I rebase, I have to fix a merge conflict to put my entry back on the top because there's a new top entry and the context-diff gets confused. If I just let it slide down, then future CHANGES rebasing will not cause a problem. |
Oh, now I understand your point. Nice trick. Still I prefer that new entries appear at the top in the order in which the pull requests were merged. Also, your nice trick has a little flaw: letting your entry sink down when rebasing only guarantuees a conflict-free experience if nobody else uses the same strategy. Because otherwise new entries on master will also appear at lower places and conflict with your entry. So an improved strategy would be: while rebasing a pull request on master, let the entry sink down, but when the pull request gets finally merged, the entry should be moved back to the top. Unfortunately, only committers could do this last step. |
(I wrote 'master', but of course the same reasoning applies to the stable branches) |
So your saying it only works for me? That's fine :) |
Sorry, no. It works only until you tell other people. Which you just did. 😆 |
Backport of #9727 to 1.1.0. The test there isn't at all compatible with 1.1.0. So to test this, I did the following:
hack test
Ignored the passed cofactor, always computed it, then added an assert:
Then
make test
went swell.EVP test
I added two explicit parameter PEMs with no cofactor to the EVP tests. The two key pairs are from RFC 6979 for P-256 and P-384. Unfortunately my team's tooling only currently supports NIST curves over prime fields.
gdb
I checked the codepath in
gdb
to make sure it's taking the proper early exit to the ladder.