oss-sec mailing list archives
Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Thu, 12 Jan 2017 08:38:43 +0530
On 01/10/2017 09:47 PM, Dan McDonald wrote:
On Jan 10, 2017, at 10:50 AM, Cesar Pereida Garcia <cesar.pereidagarcia () tut fi> wrote: Mitigation: Users of OpenSSL with the affected versions should apply the patch available in the manuscript at [1].You should just mail the patch to this list. I'm having a hard time copying/pasting the uuencoded blob from your paper, Cesar.
This is the patch from the whitepaper: Date: Fri, 16 Dec 2016 12:02:19 +0200 Subject: [PATCH] ECDSA vulnerable to cache-timing attack. BN_mod_inverse fails to take constant-time path, thus leaking nonce's information. --- crypto/ecdsa/ecs_ossl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 4c5fa6b..72e7c05 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, if (!BN_add(k, k, order)) goto err; + BN_set_flags(k, BN_FLG_CONSTTIME); + /* compute r the x-coordinate of generator * k */ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); -- 2.7.4 -- Huzaifa Sidhpurwala / Red Hat Product Security Team
Current thread:
- CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Cesar Pereida Garcia (Jan 10)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Dan McDonald (Jan 10)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Huzaifa Sidhpurwala (Jan 11)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Casper Thomsen (Jan 12)
- Re: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL) Dan McDonald (Jan 10)