diff options
| author | tb <> | 2022-04-07 17:37:25 +0000 |
|---|---|---|
| committer | tb <> | 2022-04-07 17:37:25 +0000 |
| commit | 8d808b1fad425472f16e190aa9c72037b7efe75a (patch) | |
| tree | d24b9a5f8727ef577e3036c13bcebc52ae475072 | |
| parent | 491cd486a581a71008b2ca3b70aeb7c2ef32b32b (diff) | |
| download | openbsd-8d808b1fad425472f16e190aa9c72037b7efe75a.tar.gz openbsd-8d808b1fad425472f16e190aa9c72037b7efe75a.tar.bz2 openbsd-8d808b1fad425472f16e190aa9c72037b7efe75a.zip | |
Avoid infinite loop for custom curves of order 1
If a private key encoded with EC parameters happens to have
order 1 and is used for ECDSA signatures, this causes an
infinite loop since a random integer x in the interval [0,1)
will be 0, so do ... while (x == 0); will loop indefinitely.
Found and reported with a reproducer by Hanno Boeck.
Helpful comments and analysis from David Benjamin.
ok beck jsing
| -rw-r--r-- | src/lib/libcrypto/ec/ec_lib.c | 6 | ||||
| -rw-r--r-- | src/lib/libcrypto/ecdsa/ecs_ossl.c | 7 |
2 files changed, 9 insertions, 4 deletions
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c index 888f1edfcf..4ec17d5d5d 100644 --- a/src/lib/libcrypto/ec/ec_lib.c +++ b/src/lib/libcrypto/ec/ec_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ec_lib.c,v 1.44 2022/03/29 14:03:12 tb Exp $ */ | 1 | /* $OpenBSD: ec_lib.c,v 1.45 2022/04/07 17:37:25 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Originally written by Bodo Moeller for the OpenSSL project. | 3 | * Originally written by Bodo Moeller for the OpenSSL project. |
| 4 | */ | 4 | */ |
| @@ -348,10 +348,10 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, | |||
| 348 | } | 348 | } |
| 349 | 349 | ||
| 350 | /* | 350 | /* |
| 351 | * Require order >= 1 and enforce an upper bound of at most one bit more | 351 | * Require order > 1 and enforce an upper bound of at most one bit more |
| 352 | * than the field cardinality due to Hasse's theorem. | 352 | * than the field cardinality due to Hasse's theorem. |
| 353 | */ | 353 | */ |
| 354 | if (order == NULL || BN_is_zero(order) || BN_is_negative(order) || | 354 | if (order == NULL || BN_cmp(order, BN_value_one()) <= 0 || |
| 355 | BN_num_bits(order) > BN_num_bits(&group->field) + 1) { | 355 | BN_num_bits(order) > BN_num_bits(&group->field) + 1) { |
| 356 | ECerror(EC_R_INVALID_GROUP_ORDER); | 356 | ECerror(EC_R_INVALID_GROUP_ORDER); |
| 357 | return 0; | 357 | return 0; |
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 2429e36b59..0203b01bb5 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecs_ossl.c,v 1.23 2022/01/20 11:03:48 inoguchi Exp $ */ | 1 | /* $OpenBSD: ecs_ossl.c,v 1.24 2022/04/07 17:37:25 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Nils Larsch for the OpenSSL project | 3 | * Written by Nils Larsch for the OpenSSL project |
| 4 | */ | 4 | */ |
| @@ -163,6 +163,11 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) | |||
| 163 | goto err; | 163 | goto err; |
| 164 | } | 164 | } |
| 165 | 165 | ||
| 166 | if (BN_cmp(order, BN_value_one()) <= 0) { | ||
| 167 | ECDSAerror(EC_R_INVALID_GROUP_ORDER); | ||
| 168 | goto err; | ||
| 169 | } | ||
| 170 | |||
| 166 | /* Preallocate space. */ | 171 | /* Preallocate space. */ |
| 167 | order_bits = BN_num_bits(order); | 172 | order_bits = BN_num_bits(order); |
| 168 | if (!BN_set_bit(k, order_bits) || | 173 | if (!BN_set_bit(k, order_bits) || |