summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_record.c
diff options
context:
space:
mode:
authortb <>2019-09-29 10:09:09 +0000
committertb <>2019-09-29 10:09:09 +0000
commit5d19ba5fbb605cdab0233383db708bad870da750 (patch)
tree7038bcba7697df93634b39c0eb7b52cbdc952be7 /src/lib/libssl/tls13_record.c
parent5f24aac68172fe082be82e041834d6d8f2ff3592 (diff)
downloadopenbsd-5d19ba5fbb605cdab0233383db708bad870da750.tar.gz
openbsd-5d19ba5fbb605cdab0233383db708bad870da750.tar.bz2
openbsd-5d19ba5fbb605cdab0233383db708bad870da750.zip
If a NULL or zero cofactor is passed to EC_GROUP_set_generator(),
try to compute it using Hasse's bound. This works as long as the cofactor is small enough. Port of Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1 (old license) tests & ok inoguchi input & ok jsing commit 30c22fa8b1d840036b8e203585738df62a03cec8 Author: Billy Brumley <bbrumley@gmail.com> Date: Thu Sep 5 21:25:37 2019 +0300 [crypto/ec] for ECC parameters with NULL or zero cofactor, compute it The cofactor argument to EC_GROUP_set_generator is optional, and SCA mitigations for ECC currently use it. So the library currently falls back to very old SCA-vulnerable code if the cofactor is not present. This PR allows EC_GROUP_set_generator to compute the cofactor for all curves of cryptographic interest. Steering scalar multiplication to more SCA-robust code. This issue affects persisted private keys in explicit parameter form, where the (optional) cofactor field is zero or absent. It also affects curves not built-in to the library, but constructed programatically with explicit parameters, then calling EC_GROUP_set_generator with a nonsensical value (NULL, zero). The very old scalar multiplication code is known to be vulnerable to local uarch attacks, outside of the OpenSSL threat model. New results suggest the code path is also vulnerable to traditional wall clock timing attacks. CVE-2019-1547 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9781)
Diffstat (limited to 'src/lib/libssl/tls13_record.c')
0 files changed, 0 insertions, 0 deletions