
Commit 8c6c9a2

Author: tb
Bound cofactor in EC_GROUP_set_generator()
Instead of bounding only the group order, also bound the cofactor using Hasse's theorem. This could probably be made a lot tighter since all curves of cryptographic interest have small cofactors, but for now this is good enough.

A timeout found by oss-fuzz creates a "group" with insane parameters over a 40-bit field: the order is 14464, and the cofactor has 4196223 bits (which is obviously impossible by Hasse's theorem). These led to running an expensive loop in ec_GFp_simple_mul_ct() millions of times.

Fixes oss-fuzz #46056

Diagnosed and fix joint with jsing

ok inoguchi jsing (previous version)
Parent: be831b4
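The Hasse argument the commit message relies on, worked through in Python as an added example. This is not LibreSSL/libcrypto code and none of the function names below exist in ec_lib.c; it recreates the bit-length check from the patch, derives why "field bits + 1" is enough, and exercises it on two small textbook curves (point counts found by brute force) and on constructed parameters with the same shape as the oss-fuzz input (a 40-bit field and a 4196223-bit cofactor), not the fuzzer's actual bytes.

```python
import math

# Added example (not libcrypto code): the Hasse-theorem cofactor sanity check
# from the ec_lib.c commit, recreated so the bound can be exercised directly.


def hasse_bounds(q):
    """Interval Hasse's theorem allows for #E(F_q): |#E - (q + 1)| <= 2*sqrt(q).

    math.isqrt(4*q) is floor(2*sqrt(q)), so both ends are exact integers.
    """
    t = math.isqrt(4 * q)
    return q + 1 - t, q + 1 + t


def max_order_bits(field_bits):
    """Largest bit length #E(F_q) can have over any q of the given bit length.

    q + 1 + floor(2*sqrt(q)) grows with q, so the worst case is q = 2^k - 1.
    This is what justifies the "+ 1" in the patch: the result is k + 1.
    """
    q = (1 << field_bits) - 1
    return hasse_bounds(q)[1].bit_length()


def cofactor_within_hasse(field, cofactor):
    """Mirror of the check added to EC_GROUP_set_generator().

    The cofactor h divides #E(F_q), so h <= #E(F_q) <= (sqrt(q) + 1)^2, which
    is below 2^(bits(q) + 1). A cofactor needing more bits than that cannot
    belong to any curve over the field. Returns False when it must be rejected.
    """
    return cofactor.bit_length() <= field.bit_length() + 1


def count_points(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b over a small prime p."""
    roots = {}  # value -> number of y with y^2 == value (mod p)
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    total = 1  # the point at infinity
    for x in range(p):
        total += roots.get((x * x * x + a * x + b) % p, 0)
    return total


def worst_case_cofactor_ok(p, a, b):
    """Any cofactor is #E / n <= #E, so checking h = #E covers every generator."""
    return cofactor_within_hasse(p, count_points(p, a, b))


if __name__ == "__main__":
    # Textbook curve y^2 = x^3 + 2x + 2 over F_17 (19 points).
    p, a, b = 17, 2, 2
    n = count_points(p, a, b)
    print(f"#E over F_{p} = {n}, Hasse interval {hasse_bounds(p)}")
    print("largest possible cofactor passes:", worst_case_cofactor_ok(p, a, b))

    # Constructed stand-in for the oss-fuzz timeout: only bit lengths matter.
    field = 1 << 39          # smallest 40-bit value
    bogus = 1 << 4196222     # a 4196223-bit "cofactor"
    print("4196223-bit cofactor over a 40-bit field passes:",
          cofactor_within_hasse(field, bogus))
```

The constructed case is rejected because 4196223 bits is far above the 41 the check permits for a 40-bit field; without the check, a constant-time scalar multiplication walks every bit of that cofactor, which is the "millions of times" loop the commit message describes.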

1 file changed, +7 -1 lines changed

src/lib/libcrypto/ec/ec_lib.c

Lines changed: 7 additions & 1 deletion
@@ -1,4 +1,4 @@
1-
/* $OpenBSD: ec_lib.c,v 1.43 2022/03/29 13:48:40 tb Exp $ */
1+
/* $OpenBSD: ec_lib.c,v 1.44 2022/03/29 14:03:12 tb Exp $ */
22
/*
33
* Originally written by Bodo Moeller for the OpenSSL project.
44
*/
@@ -385,6 +385,12 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
385385
} else if (!ec_guess_cofactor(group))
386386
return 0;
387387

388+
/* Use Hasse's theorem to bound the cofactor. */
389+
if (BN_num_bits(&group->cofactor) > BN_num_bits(&group->field) + 1) {
390+
ECerror(EC_R_INVALID_GROUP_ORDER);
391+
return 0;
392+
}
393+
388394
return 1;
389395
}
390396

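Review bot: The comment above the new `if` should state the bound it relies on, because the `+ 1` looks arbitrary without it: Hasse gives #E(F_q) <= q + 1 + 2*sqrt(q) = (sqrt(q) + 1)^2, which is below 2^(bits(q) + 1) for every q >= 2, and the cofactor divides #E, so h can never need more than BN_num_bits(&group->field) + 1 bits. Something like `/* h <= #E(F_q) <= (sqrt(q) + 1)^2 < 2^(bits(q) + 1) by Hasse. */` in place of the current one-liner would save the next reader the derivation. Two smaller points: the rejection reuses EC_R_INVALID_GROUP_ORDER although it is the cofactor that is bad, so if a cofactor-specific error code is available it would make fuzzer reports easier to read; and since the check sits after the `ec_guess_cofactor(group)` branch it applies to both the caller-supplied and the guessed cofactor, so it is worth a sentence in the comment saying whether the guessed path needs it or whether it is really guarding caller-supplied values.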