Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 22 Mar 2018 14:12:25 +0100
From: Guido Vranken <>
Subject: Re: OpenSSL: bug in modular exponentiation

> Interesting -- could you confirm that the effect of this bug is a
> miscalculation? Or is it breaking the constant-time assertion?

It is a miscalculation. Note that in the PoC, the 'A' and 'C' bignums
are the same. So modular exponentiation A ** B MOD C is the same as A
** B MOD A in this case, and this should always result in zero,
because A ** B by definition results in a multiple of A, and A MOD A =

I don't know if this bug makes any difference to execution time.

> Do you have a pointer as to where this was discussed?

It was found with Google oss-fuzz, which sends bug reports
automatically to me and the OpenSSL team. The OpenSSL team later
shared their thoughts with me via e-mail.

> Do you consider it a security vulnerability?

The OpenSSL team tends to assign severity according to the extent
their SSL library is impacted. But OpenSSL is in very widespread use
and the use of its bignum library is probably not even limited to
cryptographic applications alone. I don't consider it a security
vulnerability per se as I don't know of any approach towards
exploitation, but as with every API whose operation is not concomitant
with the expected behavior, it has the potential to give rise to
corner cases in specific use cases.

Various cryptographic functions in OpenSSL like Diffie-Hellman use
constant-time modular exponentiation, and with the recent bug in the
same assembly code they said the following about this:

"No EC algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to deduce
information about a private key may be performed offline. The amount
of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have
to share the DH1024 private key among multiple clients, which is no
longer an option since CVE-2016-0701"

But this particular bug is not harmful, according to the team.

> Can you give advice to developers of how to mitigate this kind of issue?

Either don't use constant-time modular exponentiation or compile with
assembly disabled (./config no-asm). There's probably also a way to
specifically disable the offending assembly code, but I don't know how
to do that off-hand.

> Is it regarded a WONTFIX by OpenSSL or is it going to be fixed (just not
> treated as security-criticial)? If so, do you know the fix version?

They've told me that they want to fix it. But I don't know the ETA.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.