Enforce that |EC_KEY| private key is in [0, group->order).

Change-Id: I16abea5769737c7edd1be717f9a4f38678af43ce
Reviewed-on: https://boringssl-review.googlesource.com/6564
Reviewed-by: Adam Langley <agl@google.com>

crypto/ec/ec_asn1.c

@@ -329,6 +329,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **inp, long len) {
     goto err;
   }
 
+  if (BN_cmp(ret->priv_key, EC_GROUP_get0_order(ret->group)) >= 0) {
+    OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
+    goto err;
+  }
+
   EC_POINT_free(ret->pub_key);
   ret->pub_key = EC_POINT_new(ret->group);
   if (ret->pub_key == NULL) {

crypto/ec/ec_key.c

@@ -249,7 +249,15 @@ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
   /* TODO(fork): duplicating the group seems wasteful but see
    * |EC_KEY_set_conv_form|. */
   key->group = EC_GROUP_dup(group);
-  return (key->group == NULL) ? 0 : 1;
+  if (key->group == NULL) {
+    return 0;
+  }
+  /* XXX: |BN_cmp| is not constant time. */
+  if (key->priv_key != NULL &&
+      BN_cmp(key->priv_key, EC_GROUP_get0_order(group)) >= 0) {
+    return 0;
+  }
+  return 1;
 }
 
 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) {
@@ -257,6 +265,12 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) {
 }
 
 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
+  /* XXX: |BN_cmp| is not constant time. */
+  if (key->group != NULL &&
+      BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0) {
+    OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
+    return 0;
+  }
   BN_clear_free(key->priv_key);
   key->priv_key = BN_dup(priv_key);
   return (key->priv_key == NULL) ? 0 : 1;
@@ -324,6 +338,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
    * check if generator * priv_key == pub_key
    */
   if (eckey->priv_key) {
+    /* XXX: |BN_cmp| is not constant time. */
     if (BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) {
       OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
       goto err;