oss-sec mailing list archives

OpenSSL: bug in modular exponentiation

From: Guido Vranken <guidovranken () gmail com>
Date: Tue, 20 Mar 2018 22:34:25 +0100
My bignum fuzzer (https://github.com/guidovranken/bignum-fuzzer)
running on Google's oss-fuzz recently found a bug in affecting
constant-time modular exponentiation.
OpenSSL does not treat this as a security vulnerability. This is a
heads-up to developers who rely on the affected code so they can
review the impact on their applications on a case-by-case basis.

The bug is located in a function written in assembly language and the
bug can only manifest on specific processors, most likely the same as
CVE-2017-3738 (see https://www.openssl.org/news/vulnerabilities.html):

"This only affects processors that support the AVX2 but not ADX
extensions like Intel Haswell (4th generation)"

As far as I know BoringSSL and LibreSSL are not affected.

You can use the PoC below the line to see if your system is affected.

A system that is affected:

$ cat /proc/cpuinfo | grep "avx2\|adx" -o | sort -u
avx2
$ ./a.out
result is 0
result is 
179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343

A system that is not affected:

$ cat /proc/cpuinfo | grep "avx2\|adx" -o | sort -u
adx
avx2
$ ./a.out
result is 0
result is 0

-------------------

#include <openssl/bn.h>

static void do_mod_exp(int consttime)
{
    BIGNUM *res, *A = NULL, *B = NULL, *C = NULL;
    BN_CTX *ctx = BN_CTX_new();
    char* bn_str = NULL;

    res = BN_new();
    BN_dec2bn(&A,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343");
    BN_dec2bn(&B,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222");
    BN_dec2bn(&C,
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000179769313486231590772930519078902473361797697894230657273430081157732675805500963132708477322407536021120113879871393357658789768814416622492847430639474124377767893424865485276302219601246094119453082952085005768838150682342462881473913110540827237163350510684586298239947245938479716304835356083471597445343");

    if ( consttime ) {
        BN_set_flags(A, BN_FLG_CONSTTIME);
    }
    BN_mod_exp(res, A, B, C, ctx);
    bn_str = BN_bn2dec(res);
    printf("result is %s\n", bn_str);
    OPENSSL_free(bn_str);
    BN_CTX_free(ctx);
    BN_free(A);
    BN_free(B);
    BN_free(C);
}

int main(void)
{
    do_mod_exp(0);
    do_mod_exp(1);
    return 0;
}
Current thread:

OpenSSL: bug in modular exponentiation Guido Vranken (Mar 20)
- Re: OpenSSL: bug in modular exponentiation zugtprgfwprz (Mar 22)
  - Re: OpenSSL: bug in modular exponentiation Guido Vranken (Mar 22)