From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001 From: Ken Zalewski Date: Sun, 9 Feb 2025 11:47:12 -0500 Subject: [PATCH] Patch to openssl-1.1.1zb p2. This version addresses one vulnerability: CVE-2024-13176 --- CHANGES | 25 +++++++++++++++++++++++++ NEWS | 5 +++++ README | 2 +- crypto/bn/bn_exp.c | 21 +++++++++++++++------ crypto/ec/ec_lib.c | 6 +++--- include/crypto/bn.h | 3 +++ include/openssl/opensslv.h | 2 +- 7 files changed, 53 insertions(+), 11 deletions(-) diff --git a/CHANGES b/CHANGES index 7d82f7a..66ae239 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,31 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025] + + *) Fix timing side-channel in ECDSA signature computation + + There is a timing signal of around 300 nanoseconds when the top word of + the inverted ECDSA nonce value is zero. This can happen with significant + probability only for some of the supported elliptic curves. In particular + the NIST P-521 curve is affected. To be able to measure this leak, the + attacker process must either be located in the same physical computer or + must have a very fast network connection with low latency. + + Attacks on ECDSA nonce are also known as Minerva attack. + + [CVE-2024-13176] + [Tomas Mraz] + + + Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024] + + *) Fix the version number for versions that require two letters. + + [V Petrischew] + [Ken Zalewski] + + Changes between 1.1.1za and 1.1.1zb [16 Oct 2024] *) Harden BN_GF2m_poly2arr against misuse diff --git a/NEWS b/NEWS index 7810ece..ab46ab1 100644 --- a/NEWS +++ b/NEWS 
@@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025] + + o Fix version number for versions that require two letters + o Fix timing side-channel in ECDSA signature computation + Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024] o Harden BN_GF2m_poly2arr against misuse diff --git a/README b/README index 6612eb0..a02895e 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.1.1zb 16 Oct 2024 + OpenSSL 1.1.1zb_p2 20 Jan 2025 Copyright (c) 1998-2023 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 517e3c2..0489658 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, * out by Colin Percival, * http://www.daemonology.net/hyperthreading-considered-harmful/) */ -int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, +int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { @@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, unsigned int t4 = 0; #endif - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); - if (!BN_is_odd(m)) { BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); return 0; @@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, goto err; } else #endif - if (!BN_from_montgomery(rr, &tmp, mont, ctx)) + if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) goto err; ret = 1; err: 
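Review bot: The renamed bn_mod_exp_mont_fixed_top has a different output contract from the public BN_mod_exp_mont_consttime it used to be, but nothing at the definition says so; the block comment above it still only describes the cache-timing countermeasure. Suggested comment directly above the new signature: `/* "fixed top" variant: rr is returned without bn_correct_top(), so its word count does not depend on the value computed; BN_mod_exp_mont_consttime() is the normalising wrapper. */`. The hunk at @@ -1141, where BN_from_montgomery is swapped for bn_from_mont_fixed_top, is the line that actually makes the result fixed-top and deserves the same one-line note. The function body continues past both hunks.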
@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 return ret;
 }
 
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+{
+ bn_check_top(a);
+ bn_check_top(p);
+ bn_check_top(m);
+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+ return 0;
+ bn_correct_top(rr);
+ return 1;
+}
+
 int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
 {
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 08db89f..fef0c2f 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
 if (!BN_sub(e, group->order, e))
 goto err;
 /*-
- * Exponent e is public.
- * No need for scatter-gather or BN_FLG_CONSTTIME.
+ * Although the exponent is public we want the result to be
+ * fixed top.
 */
- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
 goto err;
 
 ret = 1;
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 250914c..10cfc84 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
 */
 int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
 BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont);
 int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
 BN_CTX *ctx);
 int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index ddf42b6..1568415 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
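Review bot: The new comment in ec_field_inverse_mod_ord says the result should be fixed top but not why, and that reason is the whole point of the change; a later reader will otherwise see a public exponent routed through the constant-time path and be tempted to revert it. Suggested wording: `/* Exponent e is public, but use the fixed-top variant so the word count of r does not depend on its value: a zero top word in the inverted nonce leaked a timing signal (CVE-2024-13176). r is left fixed-top. */`. Since r now leaves this function with an unnormalised top, it is worth confirming that every consumer of the inverse tolerates that rather than assuming a bn_correct_top()-ed value; the function begins and ends outside the hunk, so that cannot be checked here.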
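Review bot: The added prototype is spelled `bn_mode_exp_mont_fixed_top`, while the definition in crypto/bn/bn_exp.c and the call in crypto/ec/ec_lib.c use `bn_mod_exp_mont_fixed_top`, so the declaration matches nothing: ec_lib.c calls an undeclared function (a hard error under C99-and-later diagnostics, otherwise an implicit-declaration warning that still links because the symbol exists) and the definition gets no prototype check. It should read `int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,`. A build that merely warns here would ship the fix with a mismatched header, so enabling -Werror=implicit-function-declaration in CI, if the project does not already, would catch this class of slip.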
@@ -40,7 +40,7 @@ extern "C" {
 * major minor fix final patch/beta)
 */
 # define OPENSSL_VERSION_NUMBER 0x101011bfL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 20 Jan 2025"
 
 /*-
 * The macros below are to be used for shared library (.so, .dll, ...)