git.openssl.org Git - openssl.git/commit

author	Billy Brumley <bbrumley@gmail.com>
	Fri, 6 Sep 2019 16:34:53 +0000 (19:34 +0300)
committer	Nicola Tuveri <nic.tuv@gmail.com>
	Sat, 7 Sep 2019 09:46:19 +0000 (12:46 +0300)
commit	7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
tree	f4475ba713dd13b308f2963f1cc7a64e9308603d	tree \| snapshot
parent	207a56437916a715bcf6e299c868c75a17ad8fc0	commit \| diff

[crypto/ec] for ECC parameters with NULL or zero cofactor, compute it

The cofactor argument to EC_GROUP_set_generator is optional, and SCA
mitigations for ECC currently use it. So the library currently falls
back to very old SCA-vulnerable code if the cofactor is not present.

This PR allows EC_GROUP_set_generator to compute the cofactor for all
curves of cryptographic interest. Steering scalar multiplication to more
SCA-robust code.

This issue affects persisted private keys in explicit parameter form,
where the (optional) cofactor field is zero or absent.

It also affects curves not built-in to the library, but constructed
programatically with explicit parameters, then calling
EC_GROUP_set_generator with a nonsensical value (NULL, zero).

The very old scalar multiplication code is known to be vulnerable to
local uarch attacks, outside of the OpenSSL threat model. New results
suggest the code path is also vulnerable to traditional wall clock
timing attacks.

CVE-2019-1547

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9795)

CHANGES		diff \| blob \| history
crypto/ec/ec_err.c		diff \| blob \| history
crypto/ec/ec_lib.c		diff \| blob \| history
include/openssl/ec.h		diff \| blob \| history