File 0001-RT-4242-reject-invalid-EC-point-coordinates.patch of Package compat-openssl098.29205
From 1e2012b7ff4a5f12273446b281775faa5c8a1858 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <emilia@openssl.org>
Date: Fri, 3 Jun 2016 14:42:04 +0200
Subject: [PATCH] RT 4242: reject invalid EC point coordinates
We already test in EC_POINT_oct2point that points are on the curve. To
be on the safe side, move this check to
EC_POINT_set_affine_coordinates_* so as to also check point coordinates
received through some other method.
We do not check projective coordinates, though, as
- it's unlikely that applications would be receiving this primarily
internal representation from untrusted sources, and
- it's possible that the projective setters are used in a setting where
performance matters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
crypto/ec/ec2_oct.c | 10 ++---
crypto/ec/ec_lib.c | 20 +++++++++-
crypto/ec/ecp_oct.c | 10 ++---
test/ectest.c | 96 ++++++++++++++++++++++++++++++++++++++++++---
4 files changed, 116 insertions(+), 20 deletions(-)
Index: openssl-0.9.8j/crypto/ec/ec_lib.c
===================================================================
--- openssl-0.9.8j.orig/crypto/ec/ec_lib.c
+++ openssl-0.9.8j/crypto/ec/ec_lib.c
@@ -853,7 +853,15 @@ int EC_POINT_set_affine_coordinates_GFp(
ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
- return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
+ if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
+ return 0;
+
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
+ ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,
+ EC_R_POINT_IS_NOT_ON_CURVE);
+ return 0;
+ }
+ return 1;
}
@@ -870,7 +878,15 @@ int EC_POINT_set_affine_coordinates_GF2m
ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
- return group->meth->point_set_affine_coordinates(group, point, x, y, ctx);
+ if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx))
+ return 0;
+
+ if (EC_POINT_is_on_curve(group, point, ctx) <= 0) {
+ ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GF2M,
+ EC_R_POINT_IS_NOT_ON_CURVE);
+ return 0;
+ }
+ return 1;
}
Index: openssl-0.9.8j/crypto/ec/ectest.c
===================================================================
--- openssl-0.9.8j.orig/crypto/ec/ectest.c
+++ openssl-0.9.8j/crypto/ec/ectest.c
@@ -202,7 +202,7 @@ void prime_field_tests()
EC_GROUP *group;
EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z;
+ BIGNUM *x, *y, *z, *yplusone;
unsigned char buf[100];
size_t i, len;
int k;
@@ -263,7 +263,9 @@ void prime_field_tests()
x = BN_new();
y = BN_new();
z = BN_new();
- if (!x || !y || !z) ABORT;
+ yplusone = BN_new();
+ if (x == NULL || y == NULL || z == NULL || yplusone == NULL)
+ ABORT;
if (!BN_hex2bn(&x, "D")) ABORT;
if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
@@ -362,6 +364,14 @@ void prime_field_tests()
if (!BN_hex2bn(&x, "4A96B5688EF573284664698968C38BB913CBFC82")) ABORT;
if (!BN_hex2bn(&y, "23a628553168947d59dcc912042351377ac5fb32")) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT;
@@ -421,6 +431,15 @@ void prime_field_tests()
if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 192) ABORT;
fprintf(stdout, " ok\n");
@@ -467,6 +486,15 @@ void prime_field_tests()
if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 224) ABORT;
fprintf(stdout, " ok\n");
@@ -514,6 +542,15 @@ void prime_field_tests()
if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 256) ABORT;
fprintf(stdout, " ok\n");
@@ -566,6 +603,15 @@ void prime_field_tests()
"7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 384) ABORT;
fprintf(stdout, " ok\n");
@@ -624,6 +670,15 @@ void prime_field_tests()
"7086A272C24088BE94769FD16650")) ABORT;
if (0 != BN_cmp(y, z)) ABORT;
+ if (!BN_add(yplusone, y, BN_value_one()))
+ ABORT;
+ /*
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+ * and therefore setting the coordinates should fail.
+ */
+ if (EC_POINT_set_affine_coordinates_GFp(group, P, x, yplusone, ctx))
+ ABORT;
+
fprintf(stdout, "verify degree ...");
if (EC_GROUP_get_degree(group) != 521) ABORT;
fprintf(stdout, " ok\n");
@@ -648,6 +703,10 @@ void prime_field_tests()
/* more tests using the last curve */
+ /* Restore the point that got mangled in the (x, y + 1) test. */
+ if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx))
+ ABORT;
+
if (!EC_POINT_copy(Q, P)) ABORT;
if (EC_POINT_is_at_infinity(group, Q)) ABORT;
if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
@@ -749,6 +808,7 @@ void prime_field_tests()
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z);
+ BN_free(yplusone);
if (P_160) EC_GROUP_free(P_160);
if (P_192) EC_GROUP_free(P_192);
@@ -763,6 +823,13 @@ void prime_field_tests()
#ifdef OPENSSL_EC_BIN_PT_COMP
#define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
if (!BN_hex2bn(&x, _x)) ABORT; \
+ if (!BN_hex2bn(&y, _y)) ABORT; \
+ if (!BN_add(yplusone, y, BN_value_one())) ABORT; \
+ /* \
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \
+ * and therefore setting the coordinates should fail. \
+ */ \
+ if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \
if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
@@ -781,6 +848,12 @@ void prime_field_tests()
#define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \
if (!BN_hex2bn(&x, _x)) ABORT; \
if (!BN_hex2bn(&y, _y)) ABORT; \
+ if (!BN_add(yplusone, y, BN_value_one())) ABORT; \
+ /* \
+ * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, \
+ * and therefore setting the coordinates should fail. \
+ */ \
+ if (EC_POINT_set_affine_coordinates_GF2m(group, P, x, yplusone, ctx)) ABORT; \
if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \
if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \
if (!BN_hex2bn(&z, _order)) ABORT; \
@@ -824,7 +897,7 @@ void char2_field_tests()
EC_GROUP *C2_K163 = NULL, *C2_K233 = NULL, *C2_K283 = NULL, *C2_K409 = NULL, *C2_K571 = NULL;
EC_GROUP *C2_B163 = NULL, *C2_B233 = NULL, *C2_B283 = NULL, *C2_B409 = NULL, *C2_B571 = NULL;
EC_POINT *P, *Q, *R;
- BIGNUM *x, *y, *z, *cof;
+ BIGNUM *x, *y, *z, *cof, *yplusone;
unsigned char buf[100];
size_t i, len;
int k;
@@ -837,7 +910,8 @@ void char2_field_tests()
p = BN_new();
a = BN_new();
b = BN_new();
- if (!p || !a || !b) ABORT;
+ if (p == NULL || a == NULL || b == NULL)
+ ABORT;
if (!BN_hex2bn(&p, "13")) ABORT;
if (!BN_hex2bn(&a, "3")) ABORT;
@@ -885,7 +959,9 @@ void char2_field_tests()
y = BN_new();
z = BN_new();
cof = BN_new();
- if (!x || !y || !z || !cof) ABORT;
+ yplusone = BN_new();
+ if (x == NULL || y == NULL || z == NULL || cof == NULL || yplusone == NULL)
+ ABORT;
if (!BN_hex2bn(&x, "6")) ABORT;
/* Change test based on whether binary point compression is enabled or not. */
@@ -1236,6 +1312,7 @@ void char2_field_tests()
EC_POINT_free(Q);
EC_POINT_free(R);
BN_free(x); BN_free(y); BN_free(z); BN_free(cof);
+ BN_free(yplusone);
if (C2_K163) EC_GROUP_free(C2_K163);
if (C2_B163) EC_GROUP_free(C2_B163);
Index: openssl-0.9.8j/crypto/ec/ec2_smpl.c
===================================================================
--- openssl-0.9.8j.orig/crypto/ec/ec2_smpl.c
+++ openssl-0.9.8j/crypto/ec/ec2_smpl.c
@@ -654,14 +654,12 @@ int ec_GF2m_simple_oct2point(const EC_GR
}
}
+ /*
+ * EC_POINT_set_affine_coordinates_GF2m is responsible for checking that
+ * the point is on the curve.
+ */
if (!EC_POINT_set_affine_coordinates_GF2m(group, point, x, y, ctx)) goto err;
}
-
- if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
- {
- ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
- goto err;
- }
ret = 1;
Index: openssl-0.9.8j/crypto/ec/ecp_smpl.c
===================================================================
--- openssl-0.9.8j.orig/crypto/ec/ecp_smpl.c
+++ openssl-0.9.8j/crypto/ec/ecp_smpl.c
@@ -980,15 +980,13 @@ int ec_GFp_simple_oct2point(const EC_GRO
}
}
+ /*
+ * EC_POINT_set_affine_coordinates_GFp is responsible for checking that
+ * the point is on the curve.
+ */
if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
}
- if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
- {
- ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
- goto err;
- }
-
ret = 1;
err:
