[OpenSSL-1.0.2] TNF local patch - CVE-2018-0737 RSA key generation cache timing vulnerability

Issue #167 resolved
Takehiko NOZAKI repo owner created an issue

Comments (3)

  1. Takehiko NOZAKI reporter

    BUGFIX: Issue #167 - CVE-2018-0737 RSA key generation cache timing vulnerability

    cherry-picked from OpenSSL-1_0_2-stable branch:

    - https://github.com/openssl/openssl/commit/9db724cfede4ba7a3668bff533973ee70145ec07
    - https://github.com/openssl/openssl/commit/011f82e66f4bf131c733fd41a8390039859aafb2
    - https://github.com/openssl/openssl/commit/6939eab03a6e23d2bd2c3f5e34fe1d48e542e787

    original commit message:

    Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation

    Reviewed-by: Rich Salz rsalz@openssl.org
    Reviewed-by: Kurt Roeckx kurt@roeckx.be
    Reviewed-by: Matt Caswell matt@openssl.org
    (Merged from https://github.com/openssl/openssl/pull/5170)

    (cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07)

    used ERR set/pop mark

    Reviewed-by: Rich Salz rsalz@openssl.org
    Reviewed-by: Kurt Roeckx kurt@roeckx.be
    Reviewed-by: Matt Caswell matt@openssl.org
    (Merged from https://github.com/openssl/openssl/pull/5170)

    (cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2)

    consttime flag changed

    Reviewed-by: Rich Salz rsalz@openssl.org
    Reviewed-by: Kurt Roeckx kurt@roeckx.be
    Reviewed-by: Matt Caswell matt@openssl.org
    (Merged from https://github.com/openssl/openssl/pull/5170)

    (cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)

    RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

    CVE-2018-0737

    Reviewed-by: Rich Salz rsalz@openssl.org
    Reviewed-by: Matt Caswell matt@openssl.org

    (cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)

    → <<cset 8d66249c744f5ed0cf448109ca8b45c646f50da3>>
