Date: Mon, 12 Nov 2018 11:34:22 +0200
From: Billy Brumley <bbrumley@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures

> > If you are a package maintainer, and are putting together a patch set
> > for this, please reach out to me. My team can help test.
> >
> <snip>
>
> Could you please confirm the following commits are sufficient to fix CVE-2018-5407?

Some more technical advice below. Hope it helps!

BBB

# 1.0.1

That is EOL. Try your luck with porting the 1.0.2 solution.

Shameless self plug: read Section 2

https://eprint.iacr.org/2018/354

for a related discussion about EOL issues and security in the context of OpenSSL.

# 1.0.2

Wait until this gets merged into OpenSSL_1_0_2-stable:

https://github.com/openssl/openssl/pull/7593

# 1.1.0 up to and including 1.1.0h

So I went through the process to patch this myself:

https://github.com/bbbrumley/openssl/tree/bbb_ecc_fix_110h

Ofc I have no idea what 1.1.0 version you started with, or what patches you're applying. So take this as more of a HOWTO build and test your own patchset.

## CVE-2018-5407

git checkout OpenSSL_1_1_0h -b bbb_ecc_fix_110h
git cherry-pick aab7c770353b1dc4ba045938c8fb446dd1c4531e
git cherry-pick f06437c751d6f6ec7f4176518e2897f44dd58eb0
git cherry-pick 33588c930d39d67d1128794dc7c85bae71af24ad
git cherry-pick f916a735bcdce496cebc7653a8ad2e72b333405a
git cherry-pick b43ad53119c0ac2ecfa6e4356210ccda57e0d16b
git cherry-pick 2172133d0dc58256bf776da074c0d1944fef15cb
git cherry-pick cc39f9250957dfe6e9f1b62a4eca1863e8451483
git cherry-pick 7b3e775a6a78650bbd3e8e19a5aa12981880402b
git cherry-pick 5eee95a54de6854e60886c8e662a902184b12d04
git cherry-pick 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
git checkout --theirs CHANGES
git add CHANGES
git cherry-pick --continue
git checkout OpenSSL_1_1_0h -- CHANGES
git add CHANGES
git commit -m "revert changelog diffs"
git rebase -i OpenSSL_1_1_0h

(I skipped 926b21117df939241f1cd63f2f9e3ab87819f0ed because it is not related to CVE-2018-5407. See

https://github.com/openssl/openssl/issues/6302

for a lengthy discussion. I'm not familiar enough with the issue to give advice if you need to pick it up or not.)

All of them cherry pick cleanly except for the last one, but it's only a trivial conflict with the changelog.

I checked the scalar multiplication code paths in ecdsatest with gdb (break ec_mult.c:423), and indeed they are early exiting to the new function when signing.

A lot of new regression testing went into 1.1.1.
Some of it was backported to 1.1.0:

https://github.com/openssl/openssl/commits/OpenSSL_1_1_0-stable/test

So I fetched these KATs:

https://raw.githubusercontent.com/openssl/openssl/23fe5c582a83bce394a3cdf0bc8f6f4f2eb71ebb/test/recipes/30-test_evp_data/evppkey_ecc.txt

To run those tests, you also need to pick up this bug fix for evp_test.c (this is for testing, not part of the CVE-2018-5407 fix):

git cherry-pick e35e5941e0b2f7af1cd56f07ee8d4eaf2b445132

Then rebuilt, and ran

$ test/evp_test /path/to/evppkey_ecc.txt
484 tests completed with 0 errors, 0 skipped

All of those (positive and negative) tests pass; they are for ECC keygen and ECDH. I checked the scalar multiplication code paths with gdb (break ec_mult.c:423), and indeed they all early exit to the new function.

## CVE-2018-0735

Apply this small fix on top:

git cherry-pick 56fb454d281a023b3f950d969693553d3f3ceea1
git cherry-pick 003f1bfd185267cc67ac9dc521a27d7a2af0d0ee
git rebase -i HEAD~2

Then ofc rerun all the regression testing ("make test", as well as the custom EVP tests described above.)
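
For maintainers assembling their own patch set along the lines of the message above, one way to confirm that each upstream fix commit has an equivalent patch on the backport branch is to compare `git patch-id` fingerprints. This is an added example, not part of the original message or of OpenSSL; the function names and the `fix-commits.txt` file are hypothetical, and it assumes the backported commits were kept one per fix rather than squashed during the interactive rebase.

```shell
#!/bin/sh
# Added example (not from the original message): check that every upstream
# fix commit has an equivalent patch on a backport branch.
# Run from the top of the repository; all commit ids must exist locally.

# Fingerprint the diff of commit $1, leaving path $2 out of the comparison
# (e.g. CHANGES, which differs between branches and conflicted above).
fix_patch_id() {
    git diff-tree -p "$1" -- . ":(exclude)$2" </dev/null |
        git patch-id --stable | cut -d' ' -f1
}

# Fingerprints of every commit in BASE..HEAD, one per line.
branch_patch_ids() {
    for bc in $(git rev-list "$1..$2"); do
        fix_patch_id "$bc" "$3"
    done
}

# check_backport BASE HEAD IGNORED_PATH < file-with-one-upstream-commit-id-per-line
# Prints "present <id>" or "MISSING <id>"; returns 1 if any fix is missing.
check_backport() {
    have=$(branch_patch_ids "$1" "$2" "$3")
    rc=0
    while read -r want; do
        [ -n "$want" ] || continue
        id=$(fix_patch_id "$want" "$3")
        if [ -n "$id" ] && printf '%s\n' "$have" | grep -qxF "$id"; then
            echo "present $want"
        else
            echo "MISSING $want"
            rc=1
        fi
    done
    return $rc
}

# Hypothetical usage, with fix-commits.txt holding the ids cherry-picked above:
#   check_backport OpenSSL_1_1_0h bbb_ecc_fix_110h CHANGES < fix-commits.txt
```

A `MISSING` result means no byte-equivalent patch was found; a fix whose context lines changed during backporting will also show up this way and needs a manual diff review.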