Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Jan 2017 08:38:43 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-7056 ECDSA P-256 timing attack key
 recovery (OpenSSL, LibreSSL, BoringSSL)

On 01/10/2017 09:47 PM, Dan McDonald wrote:
> 
>> On Jan 10, 2017, at 10:50 AM, Cesar Pereida Garcia <cesar.pereidagarcia@....fi> wrote:
>>
>> Mitigation:
>> Users of OpenSSL with the affected versions should apply
>> the patch available in the manuscript at [1].
> 
> You should just mail the patch to this list.  I'm having a hard time copying/pasting the uuencoded blob from your paper, Cesar.
> 

This is the patch from the whitepaper:

Date: Fri, 16 Dec 2016 12:02:19 +0200
Subject: [PATCH] ECDSA vulnerable to cache-timing attack. BN_mod_inverse
fails
 to take constant-time path, thus leaking nonce's information.

---
 crypto/ecdsa/ecs_ossl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 4c5fa6b..72e7c05 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX
*ctx_in, BIGNUM **kinvp,
             if (!BN_add(k, k, order))
                 goto err;

+        BN_set_flags(k, BN_FLG_CONSTTIME);
+
         /* compute r the x-coordinate of generator * k */
         if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
             ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
-- 
2.7.4




-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ